SystemBC Proxy Malware

SystemBC is a widely used proxy malware used by a variety of threat actors ranging from small cybercrime groups to larger nation-state actors. It has been discovered as a secondary implant in ransomware, backdoor, and spyware campaigns.


Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

First observed in early 2019, SystemBC is a proxy malware associated with a number of other threats including Brushaloader, Danabot, and AZORult.


Delivery & activities

SystemBC is typically delivered by exploit kits such as Fallout and RIG as a secondary payload, once the primary payload has been installed. When executed, it creates a SOCKS5 proxy and routes the primary payload's command and control communications through it in order to evade detection.
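Because the malware's proxy speaks SOCKS5, a defender can look for the handshake itself rather than for a particular binary. The parser below is an added example, not code from the advisory or from NHS Digital: it decodes the RFC 1928 client greeting and request from the first client-to-server payloads of a TCP stream and flags SOCKS5 seen on any port other than a sanctioned proxy port. The sample stream, the destination 203.0.113.10:8443 and the "sanctioned port" heuristic are constructed assumptions for illustration.

```python
import ipaddress
import struct

# RFC 1928 constants. SystemBC's proxy speaks SOCKS5, so a handshake on a
# port that is not a sanctioned corporate proxy is worth investigating.
SOCKS_VERSION = 5
CMD_NAMES = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4


def parse_socks5_greeting(data):
    """Client greeting: VER | NMETHODS | METHODS. Returns (methods, bytes_consumed) or None."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    n_methods = data[1]
    if len(data) < 2 + n_methods:
        return None
    return list(data[2:2 + n_methods]), 2 + n_methods


def parse_socks5_request(data):
    """Client request: VER | CMD | RSV=0 | ATYP | DST.ADDR | DST.PORT. Returns a dict or None."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0:
        return None
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        if len(data) < 10:
            return None
        addr, port_at = str(ipaddress.IPv4Address(data[4:8])), 8
    elif atyp == ATYP_DOMAIN:
        # Domain names are length-prefixed: one length byte, then the name.
        length = data[4]
        if len(data) < 5 + length + 2:
            return None
        addr, port_at = data[5:5 + length].decode("ascii", "replace"), 5 + length
    elif atyp == ATYP_IPV6:
        if len(data) < 22:
            return None
        addr, port_at = str(ipaddress.IPv6Address(data[4:20])), 20
    else:
        return None
    port = struct.unpack("!H", data[port_at:port_at + 2])[0]
    return {"cmd": CMD_NAMES.get(cmd, "UNKNOWN(%d)" % cmd), "addr": addr, "port": port}


def classify_stream(client_payloads, server_port, sanctioned_proxy_ports=frozenset({1080})):
    """Inspect the first client->server payloads of one TCP stream.

    Returns is_socks5, the parsed request (if present) and a 'suspicious'
    flag: SOCKS5 on a port that is not a known, sanctioned proxy port.
    The sanctioned-port set is an assumption; tune it to your environment.
    """
    result = {"is_socks5": False, "request": None, "suspicious": False}
    if not client_payloads:
        return result
    if parse_socks5_greeting(client_payloads[0]) is None:
        return result
    result["is_socks5"] = True
    if len(client_payloads) > 1:
        result["request"] = parse_socks5_request(client_payloads[1])
    result["suspicious"] = server_port not in sanctioned_proxy_ports
    return result


# Constructed sample stream (not real capture data): a no-auth greeting
# followed by CONNECT 203.0.113.10:8443, sent to a server listening on 4132.
SAMPLE_STREAM = [
    b"\x05\x01\x00",
    b"\x05\x01\x00\x01\xcb\x00\x71\x0a\x20\xfb",
]

if __name__ == "__main__":
    print(classify_stream(SAMPLE_STREAM, server_port=4132))
```

In practice the request arrives only after the server's method-selection reply, so a real detector would feed the reassembled client side of the stream in order; the parser is deliberately strict about version, reserved byte and lengths so that ordinary HTTP or TLS traffic starting with other bytes never matches.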


Remediation advice

To prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.


Indicators of compromise

Network indicators

IP addresses

  • 45.141.84[.]223:4132
  • 79.141.166[.]158:4124

Host indicators

SHA1 hashes

Note: each value below is 32 hexadecimal characters, which is the length of an MD5 digest (a SHA1 digest is 40 characters); confirm which algorithm your tooling expects before loading these into a blocklist.

  • 95b78f4d3602aeea4f7a33c9f1b49a97
  • 0378897e4ec1d1ee4637cff110635141
  • c803200ad4b9f91659e58f0617f0dafa
  • ad4d445091a3b66af765a1d653fd1eb7
  • 9ecf25b1e9be0b20822fe25269fa5d02
  • e319f5a8fe496c0c8247e27c3469b20d
  • a8a7059278d82ce55949168fcd1ddde4
  • aea530f8a0645419ce0abe1bf2dc1584
  • 3098fbc98e90d91805717d7a4f946c27
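A small matcher for the indicators above, added here as an example (not code from the advisory or from NHS Digital). It re-fangs the published IP:port pairs, matches them against firewall log lines on both destination IP and port, and, because the published hashes are 32 hex characters long, picks the hash algorithm by digest length instead of trusting the label. The log lines and their `src=IP:PORT dst=IP:PORT` layout are constructed for this example.

```python
import hashlib
import re

# Indicators copied from the advisory above. The IPs are "defanged"
# (45.141.84[.]223) so they cannot be clicked by accident.
NETWORK_IOCS = [
    "45.141.84[.]223:4132",
    "79.141.166[.]158:4124",
]
HASH_IOCS = {
    "95b78f4d3602aeea4f7a33c9f1b49a97",
    "0378897e4ec1d1ee4637cff110635141",
    "c803200ad4b9f91659e58f0617f0dafa",
    "ad4d445091a3b66af765a1d653fd1eb7",
    "9ecf25b1e9be0b20822fe25269fa5d02",
    "e319f5a8fe496c0c8247e27c3469b20d",
    "a8a7059278d82ce55949168fcd1ddde4",
    "aea530f8a0645419ce0abe1bf2dc1584",
    "3098fbc98e90d91805717d7a4f946c27",
}

# Constructed firewall log lines (not from a real environment); the
# "src=IP:PORT dst=IP:PORT" layout is an assumption for this example.
SAMPLE_LOG = [
    "2022-01-10T08:01:02Z fw allow src=10.0.4.17:51214 dst=45.141.84.223:4132 proto=tcp",
    "2022-01-10T08:01:05Z fw allow src=10.0.4.17:51220 dst=93.184.216.34:443 proto=tcp",
    "2022-01-10T08:02:11Z fw allow src=10.0.9.3:49933 dst=79.141.166.158:4124 proto=tcp",
    "2022-01-10T08:02:40Z fw allow src=10.0.9.3:49940 dst=45.141.84.223:443 proto=tcp",
]

_DST = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")


def refang(indicator):
    """'45.141.84[.]223:4132' -> ('45.141.84.223', 4132)."""
    host, _, port = indicator.replace("[.]", ".").rpartition(":")
    return host, int(port)


def digest_for(hex_value):
    """Infer the algorithm from the hex length: 32 -> md5, 40 -> sha1, 64 -> sha256."""
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(hex_value))


def match_network(lines, iocs=NETWORK_IOCS):
    """Return the log lines whose destination IP *and* port match a published indicator."""
    wanted = {refang(i) for i in iocs}
    hits = []
    for line in lines:
        m = _DST.search(line)
        if m and (m.group(1), int(m.group(2))) in wanted:
            hits.append(line)
    return hits


def match_hashes(data, iocs=HASH_IOCS):
    """Hash `data` with whichever algorithm each indicator's length implies; return the matches."""
    by_alg = {}
    for h in iocs:
        alg = digest_for(h)
        if alg:
            by_alg.setdefault(alg, set()).add(h.lower())
    matched = set()
    for alg, wanted in by_alg.items():
        digest = hashlib.new(alg, data).hexdigest()
        if digest in wanted:
            matched.add(digest)
    return matched


if __name__ == "__main__":
    for line in match_network(SAMPLE_LOG):
        print("NETWORK IOC HIT:", line)
    print("algorithms implied by the hash list:", {digest_for(h) for h in HASH_IOCS})
```

The advisory publishes IP:port pairs, so the matcher requires both to agree; the fourth sample line (same IP, port 443) is deliberately not a hit. Matching on the IP alone is a looser rule that will catch more and produce more false positives, a trade-off to make consciously rather than by accident.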

Last edited: 11 January 2022 9:05 am