New malware strain brings in the secondary payload after using Fallout and RIG EKs for the initial infection
Security researchers from Proofpoint published an analysis report of a new malware strain dubbed SystemBC – a proxy malware written in C++ that is capable of hiding malicious traffic. The malware is actively being distributed with the help of the RIG and Fallout exploit kits, and the infection rate spikes in regions where pirated Windows operating system installers are common.
Unfortunately, SystemBC does not come alone and is often accompanied by a secondary payload. The sample analyzed by the security researchers came together with the well-known banking trojan Danabot, although previous findings from October 2018 also linked SystemBC to other malware, such as AZORult.
Proofpoint explained the operation of the newly-discovered malware:
The new malware utilizes SOCKS5 proxies to mask network traffic to and from Command and Control (C&C) infrastructure using secure HTTP connections for well-known banking Trojans such as Danabot, which we have also observed distributed in the same EK campaigns.
Several campaigns were noticed by security researchers during June and July of 2019
Proofpoint's Threat Insight team discovered the SystemBC proxy malware on June 4th while analyzing a Fallout EK campaign, which at the time was spreading Maze ransomware. Two days later, the malware was seen being distributed via Fallout and PowerEnum, this time alongside the modular banking trojan Danabot.
At the end of July, the research team observed the campaign again; this time SystemBC was dropped by the Amadey Loader malware, which itself uses RIG EK for its distribution.
Before Proofpoint started its analysis, however, other researchers had already analyzed SystemBC malware samples and published their findings on Twitter.
Once SystemBC infects the system, it sets up a SOCKS5 proxy that allows it to evade Windows Firewall detection of malicious Command and Control traffic. Additionally, with the help of the proxy component, the malware is capable of bypassing internet content filters and contacting its own C2 server without disclosing its IP address.
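The SOCKS5 proxying described above is exactly the traffic a defender would want to spot on an endpoint that has no business acting as a SOCKS client. The following is an added example, not code from Proofpoint or from this article: it parses the standard RFC 1928 SOCKS5 greeting and request from the first bytes a host sends on a connection and flags matching flows. It assumes the handshake is visible in the clear and makes no claim about SystemBC's own wire format, which the article does not describe; the sample flows are constructed, not real captures.

```python
import struct

CMDS = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}

def parse_socks5_greeting(data):
    """Parse the RFC 1928 client greeting: VER=5, NMETHODS, METHODS[]."""
    if len(data) < 2 or data[0] != 0x05 or len(data) < 2 + data[1]:
        return None
    n = data[1]
    return {"methods": list(data[2:2 + n]), "consumed": 2 + n}

def parse_socks5_request(data):
    """Parse the RFC 1928 request: VER=5, CMD, RSV=0, ATYP, DST.ADDR, DST.PORT."""
    if len(data) < 4 or data[0] != 0x05 or data[2] != 0x00:
        return None
    cmd, atyp = data[1], data[3]
    if atyp == 0x01:                       # IPv4 address, 4 bytes
        addr, off = ".".join(str(b) for b in data[4:8]), 8
    elif atyp == 0x03:                     # domain name, length-prefixed
        n = data[4]
        addr, off = data[5:5 + n].decode("ascii", "replace"), 5 + n
    elif atyp == 0x04:                     # IPv6 address, 16 bytes
        addr, off = data[4:20].hex(), 20
    else:
        return None
    if len(data) < off + 2:
        return None
    port = struct.unpack("!H", data[off:off + 2])[0]   # network byte order
    return {"cmd": CMDS.get(cmd, cmd), "addr": addr, "port": port}

def socks5_findings(flows):
    """flows: (src, dst, dst_port, payload), payload = bytes sent by the initiator.
    Flags flows that open with a SOCKS5 greeting followed by a valid request."""
    findings = []
    for src, dst, dport, payload in flows:
        g = parse_socks5_greeting(payload)
        if not g:
            continue
        req = parse_socks5_request(payload[g["consumed"]:])
        if req:
            findings.append({"src": src, "dst": dst, "dst_port": dport, **req})
    return findings

# Constructed sample flows (not real captures): two SOCKS5 handshakes, one plain HTTP.
SAMPLE_FLOWS = [
    ("10.1.2.3", "203.0.113.9", 4000, b"\x05\x01\x00\x05\x01\x00\x03\x0bexample.com\x01\xbb"),
    ("10.1.2.4", "203.0.113.9", 4000, b"\x05\x02\x00\x02\x05\x01\x00\x01\x0a\x00\x00\x05\x1f\x90"),
    ("10.1.2.5", "198.51.100.7", 80, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
]
```

Running `socks5_findings(SAMPLE_FLOWS)` reports the two hosts that issued a CONNECT (to example.com:443 and 10.0.0.5:8080) and ignores the HTTP flow.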
SystemBC is being actively distributed on underground forums
Proofpoint's research team believes that SystemBC is actively being distributed on underground forums, as they spotted an ad offering malware called a “socks5 backconnect system,” whose functionality matched the sample they analyzed in July. Additionally, the fact that the malware is being distributed with other threats in multiple campaigns indicates the involvement of different criminal groups.
Researchers also noted the origin of the name given to the malware strain once the ad was spotted on the black market:
To differentiate from other malware leveraging SOCKS5, we dubbed the new malware 'SystemBC' based on the URI path shown in the advertisement’s panel screenshots.
In the ad, researchers could also see the offered features, such as a C2 panel that displays a list of victim computers, automatic updates, and built-in authentication.
The infection count is due to rise if no adequate protection measures are used
SystemBC is capable of masking the traffic of other malware strains, which means that its propagation is highly likely to increase in the future. Additionally, the presence of the infection means that other malware is residing on the machine – performing malicious activities in the background.
Proofpoint researchers say that SOCKS5 proxy malware can create new challenges to various organizations, as they often rely on network detections to prevent infiltrations of malicious banking trojans.
Nevertheless, with a heightened sense of security, SystemBC can be avoided:
Proofpoint recommends that organizations continue to remain vigilant in keeping their Windows client and server operating systems as well as infrastructure devices patched with vendor-recommended updates and patches, to retire the use of legacy systems which use susceptible browser plugins such as Adobe Flash Player, and to retire legacy Windows systems that may be susceptible to exploit kits such as Fallout.