KtLN

SystemBC Malware Paves The Way For Other Malware Attacks


Researchers have noticed new malware targeting Windows systems. Dubbed SystemBC, it is becoming increasingly popular among cybercriminals because of what it enables: it directly paves the way for further malware attacks. A SystemBC detection therefore indicates the presence of a second infection as well.

SystemBC Malware Attacks On A Rise

According to researchers from Proofpoint, SystemBC malware attacks appear to be gaining momentum. Describing their findings in detail in a blog post, the researchers reveal the malware's infectious traits.

The researchers caught this malware in several campaigns that delivered other malware. They found that SystemBC served as proxy malware in these campaigns.

In June 2019, the researchers noticed the malware in a Fallout EK campaign delivering Maze ransomware and in a Fallout EK and PowerEnum campaign delivering the Danabot banking Trojan. Later, in July 2019, they also found it alongside Amadey Loader distributed via a RIG EK campaign.

Proofpoint also discovered an alleged advertisement for the malware, which led them to believe it is being sold on the "underground marketplace".

As stated in their blog,

We found an advertisement… on an underground forum that described a malware named “socks5 backconnect system” that matched the functionality of the malware seen in the above campaigns. To differentiate from other malware leveraging SOCKS5, we dubbed the new malware “SystemBC” based on the URI path shown.

(Image) SystemBC malware. Source: Proofpoint

Alongside the advertisement they could also see screenshots of the malware's C&C panel, administrator panel, and the SystemBC builder.

Written in C++, the malware, once on the victim device, creates SOCKS5 proxies that let the attackers "hide the malicious traffic associated with the other malware".

The researchers have given a detailed technical analysis of the malware in their blog post.

A Challenging Malware To Combat

In the most recent instance, the researchers caught this malware infecting Windows systems.

The Fallout exploit is used to download the Danabot banking Trojan and a SOCKS5 proxy which is used on the victim’s Windows system to evade detection of command and control (C&C) traffic.

Because it both hides malicious traffic and facilitates a second malware infection, the researchers consider it a challenging malware that introduces new threats.

The synergy between SystemBC as a malicious proxy and mainstream malware creates new challenges for defenders relying on network edge detections to intercept and mitigate threats like banking Trojans.
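A defender-side illustration of the problem described above, added here and not taken from the article or from Proofpoint's analysis: SOCKS5 messages have a fixed framing (RFC 1928), so a monitoring tool can recognise a host inside the network that is answering SOCKS5 requests, whichever side opened the TCP connection, and raise an alert when that host is not an approved proxy. The flow records, host names and the `SANCTIONED_PROXIES` allow-list are constructed sample data and assumptions of this example, and each captured payload is assumed to hold exactly one SOCKS5 message.

```python
"""Spot SOCKS5 handshakes (RFC 1928 framing) in captured TCP payloads.

Example code written for this page; not Proofpoint's tooling. All flow
records, host names and the allow-list below are constructed sample data.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

SOCKS_VER = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}


@dataclass(frozen=True)
class Socks5Request:
    cmd: str
    dst_host: str
    dst_port: int


def parse_greeting(payload: bytes) -> Optional[List[int]]:
    """Client greeting: VER(0x05) NMETHODS METHODS[NMETHODS]. Method list or None."""
    if len(payload) < 2 or payload[0] != SOCKS_VER:
        return None
    nmethods = payload[1]
    if nmethods == 0 or len(payload) != 2 + nmethods:
        return None
    return list(payload[2:])


def parse_request(payload: bytes) -> Optional[Socks5Request]:
    """Client request: VER CMD RSV(0x00) ATYP DST.ADDR DST.PORT. Request or None."""
    if len(payload) < 7 or payload[0] != SOCKS_VER or payload[2] != 0x00:
        return None
    cmd = CMD_NAMES.get(payload[1])
    if cmd is None:
        return None
    atyp = payload[3]
    if atyp == 0x01:            # IPv4: 4 address bytes
        addr_end = 8
    elif atyp == 0x03:          # domain name: 1 length byte + name
        if payload[4] == 0:
            return None
        addr_end = 5 + payload[4]
    elif atyp == 0x04:          # IPv6: 16 address bytes
        addr_end = 20
    else:
        return None
    # A well-formed request ends exactly two port bytes after the address;
    # truncated or padded payloads are rejected rather than half-parsed.
    if len(payload) != addr_end + 2:
        return None
    if atyp == 0x01:
        host = str(ipaddress.IPv4Address(payload[4:8]))
    elif atyp == 0x04:
        host = str(ipaddress.IPv6Address(payload[4:20]))
    else:
        try:
            host = payload[5:addr_end].decode("ascii")
        except UnicodeDecodeError:
            return None
    port = struct.unpack("!H", payload[addr_end:])[0]
    return Socks5Request(cmd, host, port)


# Constructed flow records: one captured payload each, attributed to the host
# acting as the SOCKS server side and to the peer that sent the bytes.
SAMPLE_FLOWS = [
    {"socks_server": "corp-proxy.example", "peer": "10.0.0.21",
     "payload": b"\x05\x01\x00\x03\x0bexample.com\x01\xbb"},       # sanctioned proxy
    {"socks_server": "ws-017.example", "peer": "198.51.100.7",
     "payload": b"\x05\x01\x00\x01\xcb\x00\x71\x0a\x01\xbb"},       # workstation serving CONNECT
    {"socks_server": "ws-017.example", "peer": "198.51.100.7",
     "payload": b"\x05\x01\x00"},                                   # greeting to workstation
    {"socks_server": "ws-042.example", "peer": "10.0.0.9",
     "payload": b"GET / HTTP/1.1\r\n"},                             # not SOCKS
    {"socks_server": "ws-042.example", "peer": "10.0.0.9",
     "payload": b"\x05\x01\x00\x01\xcb\x00"},                       # truncated, ignored
]
SANCTIONED_PROXIES = {"corp-proxy.example"}   # assumed allow-list of approved proxies


def find_unsanctioned_socks(flows, sanctioned) -> List[Tuple[str, str, str]]:
    """Return (socks_server, peer, detail) for SOCKS5 traffic served by non-approved hosts."""
    alerts = []
    for flow in flows:
        if flow["socks_server"] in sanctioned:
            continue
        req = parse_request(flow["payload"])
        if req is not None:
            detail = f"{req.cmd} {req.dst_host}:{req.dst_port}"
        else:
            methods = parse_greeting(flow["payload"])
            if methods is None:
                continue
            detail = f"greeting methods={methods}"
        alerts.append((flow["socks_server"], flow["peer"], detail))
    return alerts


if __name__ == "__main__":
    for alert in find_unsanctioned_socks(SAMPLE_FLOWS, SANCTIONED_PROXIES):
        print("unsanctioned SOCKS5 activity:", alert)
```

The check is deliberately tied to the host that serves the request rather than to the direction of the TCP connection, because a backconnect proxy has the infected machine connect outward and then handle requests that arrive over that existing connection; an edge rule that only inspects inbound connections to workstations would miss it.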

Let us know your thoughts in the comments.

Source: https://latesthackingnews.com/2019/08/03/systembc-malware-paves-the-way-for-other-malware-attacks/


That's the whole advertisement:

Topic updated 3 August 2019

I sell socks5 backconnect system.

Consists of:

Client part

- socks.exe - does not hide from the dispatcher. Minimum load on AV detects. XP support and higher (Win 10 + Windows Server).
- socks.dll - a separate build in the form of a DLL (for injecting into your bot).

There is autorun; after rebooting the PC the socks come back.

Otstuk about 70% after the standard crypt.

The system works in multi-threaded mode, which gives a high increase in the speed of the socks.

Runtime scan after standard crypt: https://dyncheck.com/scan/id/8772793e688ddd5a903d5b279cc30449

Only node 32 is burning.

- 360 Total Security Essential: Clean
- AVG Internet Security: Clean
- AhnLab V3 Light: Clean
- Avast Internet Security: Clean
- Avira Internet Security: Clean
- BitDefender Total Security
- BullGuard Internet Security: Clean
- Comodo Internet Security: Run Virtually
- DrWeb Total Security: Clean
- Emsisoft Anti-Malware: Clean
- Eset Smart Security: Dynamic detect after 5 sec.
- F-Secure Internet Security: Clean
- Fortinet Smart Security: Clean
- Malwarebytes Anti-Malware: Clean
- McAfee Internet Security: Clean
- Panda Global Protection: Clean
- Sophos Anti-Virus: Clean
- Trend Micro Internet Security: Clean
- Webroot SecureAnywhere: Clean
- Windows Defender: Clean

Server part

Supports installation both on Win servers and on Linux (server requirements: 400 MB free RAM for 1,000 socks).

- server.exe to run on Win servers
- server.out to run on Linux
- PHP admin

For the software, a dedicated (non-shared) 1 Gbit channel is recommended. If the socks just hang and are not used, the Internet is not consumed. For stable operation each socks consumes from 1 megabit.

Fastflux bot is not supported. Need a normal server / VPS.

Features

- loader with update function every N hours by link (for long survivability it is necessary to update the crypts every day)

Crypt I am not doing. You can find it on the forum. Approximate price of $1000 per month.
Free setup of upload crypt on your server.

You can also use a certificate instead of a crypt. Vitality increases.

- firewall (access to socks only from trusted IPs)
- authorization on socks by login and password
- GeoIP
- display of computer name / user
- adding comments for the bot

The bot also works at integrity level Low; only in such cases it will not be added to autorun.

Admin rights to run are not required.

GeoIP can be configured via the MaxMind online service (weekly database updates, latest data). Just insert the ID and key from MaxMind.

The system is developed in assembler. High speed, minimum size.

File sizes:

- socks.exe 12 KB
- socks.dll 10 KB
- server.exe 14 KB
- server.out 10 KB (for Linux)

Supports regular domains and IPs + .bit domains (implementation via DNS request).

If you ship more than 1k socks, then domains / IPs fall into black. It is recommended to change IP every 3 days. If you have a booze host, you can use IP instead of domain (cost about $10 for one IP).

If you have a white host, it is recommended to use domains, to move if you have problems.

After the purchase I issue a link to the builder (10 attempts).

At the end, +$50 per 1 attempt.

Screen of the builder: http://i66.tinypic.com/5wcuax.jpg

Admin screens:

http://i63.tinypic.com/j7w4zd.jpg

http://i68.tinypic.com/szv9za.jpg

Free setup if you have something wrong.

The cost of a set is $1000 in bitcoin (discounts are possible).
