Cybersecurity researchers have uncovered key details about the command-and-control (C2) server of a well-known malware family called SystemBC. SystemBC, which first appeared in 2018, is sold on the dark web as an archive comprising the implant, a C2 server, and a web administration portal written in PHP, according to an analysis published by Kroll, a risk and financial advisory solutions provider.
Kroll noted an uptick in the use of the malware during the second and third quarters of 2023. SystemBC lets attackers remotely control a compromised host and deploy additional malicious payloads such as trojans, Cobalt Strike, and ransomware. It can also load additional modules on the fly to extend its core capabilities.
One of its standout features is its use of SOCKS5 proxies to mask network traffic to and from the C2 infrastructure, which also serves as a persistent access mechanism for post-exploitation. This lets threat actors keep a low profile while carrying out their activities.
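Because SystemBC tunnels its traffic through SOCKS5, one practical detection angle is to look for SOCKS5 negotiation (RFC 1928) on ports where no proxy should be listening. The following parser is an added example, not code from Kroll's report or from the malware package: it decodes the client greeting and the CONNECT/BIND/UDP request from raw TCP payload bytes and returns the requested destination. The sample bytes at the bottom are constructed for illustration and are not captured SystemBC traffic.

```python
"""Parse SOCKS5 client greeting and request (RFC 1928) from raw TCP payload
bytes, so a detection pipeline can flag proxy negotiation on unexpected ports.
Added example; the sample bytes are constructed, not captured from SystemBC."""
import ipaddress
import struct

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def parse_greeting(payload: bytes):
    """Greeting layout: VER(1) NMETHODS(1) METHODS(NMETHODS).
    Returns the list of offered auth methods, or None if not a SOCKS5 greeting."""
    if len(payload) < 2 or payload[0] != SOCKS_VERSION:
        return None
    nmethods = payload[1]
    if nmethods == 0 or len(payload) < 2 + nmethods:
        return None
    return list(payload[2:2 + nmethods])


def parse_request(payload: bytes):
    """Request layout: VER(1) CMD(1) RSV(1)=0 ATYP(1) DST.ADDR DST.PORT(2).
    Returns {'cmd', 'host', 'port'} or None if malformed/not SOCKS5."""
    if len(payload) < 4 or payload[0] != SOCKS_VERSION or payload[2] != 0x00:
        return None
    cmd, atyp = payload[1], payload[3]
    if cmd not in CMD_NAMES:
        return None
    off = 4
    if atyp == ATYP_IPV4:
        if len(payload) < off + 4 + 2:
            return None
        host = str(ipaddress.IPv4Address(payload[off:off + 4]))
        off += 4
    elif atyp == ATYP_DOMAIN:
        # First byte is the length of the domain name that follows.
        if len(payload) < off + 1:
            return None
        n = payload[off]
        off += 1
        if len(payload) < off + n + 2:
            return None
        host = payload[off:off + n].decode("ascii", errors="replace")
        off += n
    elif atyp == ATYP_IPV6:
        if len(payload) < off + 16 + 2:
            return None
        host = str(ipaddress.IPv6Address(payload[off:off + 16]))
        off += 16
    else:
        return None
    (port,) = struct.unpack("!H", payload[off:off + 2])
    return {"cmd": CMD_NAMES[cmd], "host": host, "port": port}


def classify_flow(first_client_msg: bytes, second_client_msg: bytes):
    """Combine the first two client messages of a flow into a verdict.
    Returns None unless both look like a SOCKS5 greeting and request."""
    methods = parse_greeting(first_client_msg)
    req = parse_request(second_client_msg)
    if methods is None or req is None:
        return None
    return {"auth_methods": methods, **req}


# Constructed sample: greeting offering "no authentication" (0x00),
# followed by a CONNECT to 10.0.0.5:443.
SAMPLE_GREETING = bytes([0x05, 0x01, 0x00])
SAMPLE_REQUEST = bytes([0x05, 0x01, 0x00, 0x01, 10, 0, 0, 5]) + struct.pack("!H", 443)

if __name__ == "__main__":
    print(classify_flow(SAMPLE_GREETING, SAMPLE_REQUEST))
```

Run it over the first two client-to-server payloads of each TCP flow; a non-None verdict on a port that is not a sanctioned proxy is worth an alert, and the parsed destination tells you what the implant was trying to reach. The parser deliberately rejects short or malformed inputs rather than throwing, so it is safe to run over arbitrary payloads.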
Buyers of SystemBC receive an installation package that includes the implant executable, Windows and Linux binaries for the C2 server, and a PHP file that renders the C2 panel interface, along with instructions in English and Russian.
The C2 server executables, “server.exe” for Windows and “server.out” for Linux, open at least three TCP ports: one to carry C2 traffic, one for inter-process communication (IPC) with the PHP-based panel, and one for each active implant (or bot). The server component also maintains three other files that record the implant's activity as a proxy and as a loader, together with details about the victims.
The PHP-based panel acts as a simple conduit for executing shellcode and arbitrary files on a victim machine. The shellcode is not limited to a reverse shell: it provides full remote capabilities and is injected into the implant at runtime, which is less conspicuous than spawning cmd.exe.
In related research, Kroll also published an analysis of a revised version of DarkGate (version 5.2.3), a remote access trojan (RAT) that allows attackers to compromise victim systems, extract sensitive data, and distribute additional malware. The analyzed version of DarkGate encodes its data with a custom Base64 alphabet, but Kroll stated that a weakness in the alphabet allows forensic analysts to decode the configuration and keylogger files without first having to determine the hardware ID. These keylogger output files contain keystrokes captured by DarkGate, including sensitive information such as passwords and composed emails.
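A custom Base64 alphabet is obfuscation, not encryption: once the alphabet (or enough of it) is known, decoding is a character translation followed by a standard Base64 decode. The code below is an added example and is not Kroll's tooling or DarkGate's real alphabet; the alphabet it uses is a constructed permutation of the standard 64 symbols. It shows the translate-then-decode step and the known-plaintext approach an analyst uses to recover an unknown alphabet from a sample whose contents are already known.

```python
"""Decode Base64 written in a non-standard alphabet, and recover (part of) an
unknown alphabet from a known-plaintext sample.
Added example; CUSTOM_ALPHABET is constructed for illustration and is NOT
DarkGate's alphabet."""
import base64
import string

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Constructed: the standard alphabet with each of its three runs reversed.
CUSTOM_ALPHABET = "zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA9876543210/+"


def validate_alphabet(alphabet: str) -> None:
    """A usable alphabet is exactly 64 distinct characters."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must be 64 distinct characters")


def custom_b64encode(raw: bytes, alphabet: str) -> str:
    """Standard-encode, then map each symbol into the custom alphabet.
    Padding is dropped so '=' never collides with an alphabet character."""
    validate_alphabet(alphabet)
    table = str.maketrans(STD_ALPHABET, alphabet)
    return base64.b64encode(raw).decode("ascii").rstrip("=").translate(table)


def custom_b64decode(data: str, alphabet: str) -> bytes:
    """Map custom symbols back to the standard alphabet, re-pad, decode.
    validate=True makes stray characters (e.g. a wrong alphabet) raise."""
    validate_alphabet(alphabet)
    table = str.maketrans(alphabet, STD_ALPHABET)
    std = data.rstrip("=").translate(table)
    std += "=" * (-len(std) % 4)
    return base64.b64decode(std, validate=True)


def recover_mapping(known_plaintext: bytes, observed: str) -> dict:
    """Known-plaintext recovery: align the standard encoding of a sample
    whose content is known (a fixed config header, a known hostname) against
    the observed encoded string and return the partial custom->standard map.
    Raises if the pair is inconsistent, which means the guess was wrong."""
    std = base64.b64encode(known_plaintext).decode("ascii").rstrip("=")
    obs = observed.rstrip("=")
    if len(std) != len(obs):
        raise ValueError("length mismatch: not the same plaintext/encoding pair")
    mapping = {}
    for c_obs, c_std in zip(obs, std):
        if mapping.setdefault(c_obs, c_std) != c_std:
            raise ValueError(f"conflicting mapping for {c_obs!r}")
    return mapping


if __name__ == "__main__":
    sample = b"user=admin&pass=hunter2"  # constructed plaintext
    enc = custom_b64encode(sample, CUSTOM_ALPHABET)
    print(enc, custom_b64decode(enc, CUSTOM_ALPHABET))
    print(recover_mapping(sample, enc))
```

The recovery function returns only the symbols that actually occur in the sample; several known samples are merged by repeating the call and unioning the dictionaries, and any conflict between them proves the samples were not encoded with the same alphabet. The page does not describe what the weakness in DarkGate's alphabet is, so this example shows only the generic decoding and known-plaintext steps.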
The identification of these crucial details underlines the importance of cybersecurity vigilance and the need for sophisticated defenses to protect organizations and individuals against these ever-evolving threats.
The original source of this article can be found at https://thehackernews.com/2024/01/systembc-malwares-c2-server-analysis.html.