Throughout Q2 and Q3 2023, Kroll has observed increased use of the malicious “SYSTEMBC” tool to maintain access to compromised networks. SYSTEMBC was first observed in the wild in 2018, and its core functionality revolves around its ability to act as a SOCKS5 proxy. This gives threat actors a persistent access mechanism, or a backdoor to fall back on if their initial access method is discovered. The SOCKS protocol lets a threat actor reach into a victim network almost as if their workstation were directly connected to it. The tool has been leveraged by a number of threat actors across several campaigns and alongside many malware families, including RHYSIDA, BLACKBASTA, CUBA, GOOTLOADER, COBALTSTRIKE and EMOTET.
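To make the SOCKS5 role concrete, here is an added example (not code from the Kroll article and not SystemBC's own code) that decodes the RFC 1928 negotiation an implant acting as a SOCKS5 proxy speaks with its operator: the client greeting, the proxy's method selection, the CONNECT request carrying the internal target, and the proxy's reply. All byte strings are constructed for the example; the host names and addresses in them are assumptions, not captured SystemBC traffic.

```python
"""Decoder for the SOCKS5 (RFC 1928) negotiation.

Added example, not part of the original article or of SystemBC. The sample
messages below are constructed for illustration; nothing here is captured
traffic. Only the "no authentication" method is followed through to the
request; the username/password sub-negotiation (RFC 1929) is out of scope.
"""
import ipaddress
import struct

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00
METHOD_NO_ACCEPTABLE = 0xFF
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP ASSOCIATE"}
REPLY_NAMES = {
    0x00: "succeeded", 0x01: "general failure", 0x02: "not allowed by ruleset",
    0x03: "network unreachable", 0x04: "host unreachable", 0x05: "connection refused",
    0x06: "TTL expired", 0x07: "command not supported", 0x08: "address type not supported",
}


def parse_greeting(data: bytes) -> dict:
    """Client -> proxy: VER | NMETHODS | METHODS[NMETHODS]"""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 greeting")
    nmethods = data[1]
    if len(data) != 2 + nmethods:
        raise ValueError("greeting length does not match NMETHODS")
    return {"version": 5, "methods": list(data[2:2 + nmethods])}


def parse_method_selection(data: bytes) -> dict:
    """Proxy -> client: VER | METHOD"""
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 method selection")
    return {"version": 5, "method": data[1]}


def _parse_address(data: bytes, offset: int):
    """Decode ATYP | ADDR | PORT starting at offset; return (host, port, next_offset)."""
    try:
        atyp = data[offset]
        offset += 1
        if atyp == ATYP_IPV4:
            host = str(ipaddress.IPv4Address(data[offset:offset + 4]))
            offset += 4
        elif atyp == ATYP_IPV6:
            host = str(ipaddress.IPv6Address(data[offset:offset + 16]))
            offset += 16
        elif atyp == ATYP_DOMAIN:
            n = data[offset]
            offset += 1
            host = data[offset:offset + n].decode("ascii")
            offset += n
        else:
            raise ValueError(f"unknown ATYP {atyp:#x}")
        (port,) = struct.unpack("!H", data[offset:offset + 2])
    except (IndexError, struct.error, UnicodeDecodeError) as exc:
        raise ValueError("truncated or malformed address") from exc
    return host, port, offset + 2


def _parse_cmd_or_reply(data: bytes, names: dict, field: str) -> dict:
    """Shared layout of request and reply: VER | CMD/REP | RSV(0x00) | ATYP | ADDR | PORT"""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        raise ValueError("not a SOCKS5 request/reply")
    host, port, end = _parse_address(data, 3)
    if end != len(data):
        raise ValueError("trailing bytes after address")
    return {field: names.get(data[1], f"unknown({data[1]:#x})"), "host": host, "port": port}


def parse_request(data: bytes) -> dict:
    """Client -> proxy: the target the operator wants reached through the implant."""
    return _parse_cmd_or_reply(data, CMD_NAMES, "command")


def parse_reply(data: bytes) -> dict:
    """Proxy -> client: status plus the address/port the proxy bound for the relay."""
    return _parse_cmd_or_reply(data, REPLY_NAMES, "status")


# Constructed exchange (assumed target names/addresses, not real traffic):
# the operator asks the proxy to CONNECT to fileserver.example:445 and the
# proxy reports success with its bound address 10.0.0.5:55358.
SAMPLE_EXCHANGE = [
    ("client", b"\x05\x01\x00"),
    ("proxy", b"\x05\x00"),
    ("client", b"\x05\x01\x00\x03\x12fileserver.example\x01\xbd"),
    ("proxy", b"\x05\x00\x00\x01\x0a\x00\x00\x05\xd8\x3e"),
]


def decode_exchange(messages) -> list:
    """Walk a negotiation in order, labelling each message by the state it arrives in.
    A message that does not fit the expected state raises, which is itself a signal
    worth logging when this runs inside a sensor."""
    out, state = [], "greeting"
    for direction, raw in messages:
        if state == "greeting" and direction == "client":
            out.append({"type": "greeting", **parse_greeting(raw)})
            state = "method_selection"
        elif state == "method_selection" and direction == "proxy":
            sel = parse_method_selection(raw)
            out.append({"type": "method_selection", **sel})
            state = "request" if sel["method"] == METHOD_NO_AUTH else "done"
        elif state == "request" and direction == "client":
            out.append({"type": "request", **parse_request(raw)})
            state = "reply"
        elif state == "reply" and direction == "proxy":
            out.append({"type": "reply", **parse_reply(raw)})
            state = "done"
        else:
            raise ValueError(f"unexpected {direction} message in state {state}")
    return out


if __name__ == "__main__":
    for msg in decode_exchange(SAMPLE_EXCHANGE):
        print(msg)
```

The request message is the one a defender cares about: a CONNECT toward an internal address or port such as 445 or 3389, arriving over a session that a workstation opened outbound, is exactly the "as if directly connected" access the paragraph describes. The decoder is the parsing step of such a check; whether the negotiation is visible on the wire depends on how a given implant transports it, which the article does not detail.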
SYSTEMBC can be purchased on underground marketplaces and is supplied in an archive containing the implant, a command-and-control (C2) server, and a web administration portal written in PHP.
The Kroll Cyber Threat Intelligence (CTI) team conducted research into SYSTEMBC, focusing on its C2 server.
Name | Type | Content |
---|---|---|
.settings | Binary | Contains all the information regarding the interaction of the implant as a proxy |
_loader | Binary | Contains information and history of the interaction of the implant with regards to loader functionality and shellcode |
.comments | ASCII | Contains comments and notes assigned to an implant/victim |