CyberSecurity SEE

Hackers Utilize SYSTEMBC Tool for Persistent Access


Attackers rely on specialized tooling to keep unauthorized access to compromised networks and to extract sensitive information from them. According to cybersecurity researchers at Kroll, one such tool, the malicious “SYSTEMBC” proxy, is being actively used by threat actors.

Kroll observed a significant rise in the use of SYSTEMBC for network access in the second and third quarters of 2023. The tool, first identified in 2018, acts as a SOCKS5 proxy that gives threat actors persistent access or a backdoor. It is used by various threat actors across different campaigns and alongside a multitude of malware families, including RHYSIDA, BLACKBASTA, CUBA, GOOTLOADER, COBALTSTRIKE, and EMOTET.

SYSTEMBC is sold on the dark web as a package that includes the malware, a C2 server, and a PHP admin portal. Kroll’s CTI team examined the C2 server and found that it ships with setup instructions in English and Russian. server.exe and server.out are the Windows and Linux server builds, respectively; the analysis focused on the Linux server, which opens ports for IPC and C2 traffic, with active implants assigned ports ranging from 4001 to 49151. The binary embeds configuration details with labeled and padded port strings, which makes the ports easy to identify. Kroll also notes hints of Assembly code in the Linux server binary, while the admin panel is a rigid script that relies heavily on PHP.

The core functionalities of SYSTEMBC are SOCKS5 proxying, loader functionality, and module loading. The tool poses a significant threat because RHYSIDA ransomware groups often use it to maintain access after the initial compromise. In one healthcare case, compromised credentials and a Citrix NetScaler vulnerability allowed SYSTEMBC to be deployed, after which the threat actors carried out further activity with tools such as Advanced Port Scanner, AnyDesk, and MegaSync. Once encryption succeeded, password changes also blocked IT access to the environment.

The discovery of the malicious SYSTEMBC tool highlights the evolving and sophisticated nature of cyber threats. Hackers are constantly adapting and using these tools to maintain unauthorized access to networks, highlighting the importance of robust cybersecurity measures and constant vigilance to detect and prevent such threats. As organizations and individuals continue to rely heavily on digital systems and networks, the need for strong cybersecurity practices has never been more critical. It is essential for all stakeholders to work together to combat these evolving risks and protect sensitive information from falling into the wrong hands.
