Malware Functionality and Capabilities
A cyberattack tool known as SystemBC is increasingly used by threat actors to covertly route malicious traffic through compromised enterprise systems. This malware functions as a SOCKS5 proxy, backdoor, and remote access tool, allowing attackers to maintain hidden footholds. First observed around 2018 and 2019, it was initially delivered via exploit kits but has since become a widely available weapon on underground forums. SystemBC establishes encrypted connections to command-and-control servers, tunneling traffic through infected hosts to evade detection. Newer versions have shifted toward using Tor, embedding known Tor directory authority gateway addresses directly in their binaries to blend into normal network activity. The malware also transmits data using a combination of plaintext and RC4-encrypted packets, complicating analysis.
Persistence and Attack Flow
SystemBC rarely serves as the initial intrusion tool; it is typically deployed after a loader like QBot or Emotet gains access. Attackers then use it to push tools, execute commands, and maintain persistent control. Once activated, the malware copies itself into a randomly named folder under ProgramData and registers as both a scheduled task and a registry Run key entry, creating dual persistence layers that survive system reboots. It can execute EXE files, DLL modules, shellcode, and various scripts directly in memory, leaving minimal forensic evidence on compromised hosts. In one documented case, it was placed on a domain controller during a Ryuk ransomware attack, giving operators remote control over the most critical server. The malware has been linked to ransomware families including Ryuk, Conti, BlackBasta, and Rhysida.
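Added example, not code from the article or from any SystemBC analysis it summarizes: a Python check that hunts for the dual persistence pattern described above, a Run key entry and a scheduled task that both launch a binary from a folder directly under ProgramData. The host inventory, the folder name "uxvqhwk", the randomness heuristic and the scoring are constructed assumptions for illustration.

```python
"""Correlate Run-key and scheduled-task persistence pointing into C:\\ProgramData\\<folder>\\."""
import re
from pathlib import PureWindowsPath

# Constructed sample inventory, shaped like a host-collection export: (name, command line).
RUN_KEYS = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("uxvqhwk", r'"C:\ProgramData\uxvqhwk\uxvqhwk.exe"'),          # assumed malicious entry
]
SCHEDULED_TASKS = [
    ("\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", r"%windir%\system32\defrag.exe -c -h -o -$"),
    ("\\uxvqhwk", r"C:\ProgramData\uxvqhwk\uxvqhwk.exe"),            # same binary as the Run key
    ("\\Updater", r'"C:\ProgramData\Vendor Updater\update.exe"'),    # benign-looking single reference
]

EXE_RE = re.compile(r'^\s*"?([A-Za-z]:\\[^"]+?\.(?:exe|dll))"?', re.I)
VOWELS = set("aeiou")

def programdata_target(command):
    """Return (folder, normalized path) if the command launches a binary from
    a first-level folder under ProgramData, otherwise None."""
    m = EXE_RE.match(command)
    if not m:
        return None
    path = PureWindowsPath(m.group(1))
    parts = path.parts                       # e.g. ('C:\\', 'ProgramData', 'uxvqhwk', 'uxvqhwk.exe')
    if len(parts) >= 4 and parts[1].lower() == "programdata":
        return parts[2], str(path).lower()
    return None

def looks_random(name):
    """Crude heuristic for a randomly generated folder name: lowercase
    alphanumeric, six or more characters, almost no vowels."""
    if not re.fullmatch(r"[a-z0-9]{6,}", name):
        return False
    return sum(ch in VOWELS for ch in name) / len(name) <= 0.2

def find_dual_persistence(run_keys, tasks):
    """Group every ProgramData binary by the mechanisms that reference it and
    score it: +2 when both a Run key and a task point at it, +1 for a random-looking folder."""
    refs = {}
    for name, cmd in run_keys:
        if (hit := programdata_target(cmd)):
            refs.setdefault(hit, set()).add(f"run:{name}")
    for name, action in tasks:
        if (hit := programdata_target(action)):
            refs.setdefault(hit, set()).add(f"task:{name}")
    findings = []
    for (folder, path), sources in refs.items():
        score = 1
        if any(s.startswith("run:") for s in sources) and any(s.startswith("task:") for s in sources):
            score += 2
        if looks_random(folder):
            score += 1
        findings.append({"path": path, "sources": sorted(sources), "score": score})
    return sorted(findings, key=lambda f: -f["score"])
```

Run against a real export, the same correlation flags the ProgramData binary referenced by both mechanisms first; single references to vendor folders score low and can be triaged separately.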
Source: Cyber Security News
