win.systembc

SystemBC


SystemBC is proxy malware that leverages SOCKS5. Based on screenshots used in ads on an underground marketplace, Proofpoint decided to call it SystemBC.

SystemBC has been observed occasionally, but more prominently since June 2019. The first samples go back to October 2018.

References
2021-06-07Medium walmartglobaltechJoshua Platt, Jason Reaves
@online{platt:20210607:inside:6c363a7, author = {Joshua Platt and Jason Reaves}, title = {{Inside the SystemBC Malware-As-A-Service}}, date = {2021-06-07}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6}, language = {English}, urldate = {2021-06-08} } Inside the SystemBC Malware-As-A-Service
Ryuk SystemBC TrickBot
2021-05-19Intel 471Intel 471
@online{471:20210519:look:5ba9516, author = {Intel 471}, title = {{Look how many cybercriminals love Cobalt Strike}}, date = {2021-05-19}, organization = {Intel 471}, url = {https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor}, language = {English}, urldate = {2021-05-19} } Look how many cybercriminals love Cobalt Strike
BazarBackdoor Cobalt Strike Hancitor QakBot SmokeLoader SystemBC TrickBot
2021-05-10F-SecureCallum Roxan, Sami Ruohonen
@online{roxan:20210510:prelude:1bb57bb, author = {Callum Roxan and Sami Ruohonen}, title = {{Prelude to Ransomware: SystemBC}}, date = {2021-05-10}, organization = {F-Secure}, url = {https://labs.f-secure.com/blog/prelude-to-ransomware-systembc/}, language = {English}, urldate = {2021-05-11} } Prelude to Ransomware: SystemBC
SystemBC
2021-04-21SophosLabs UncutSean Gallagher, Suriya Natarajan, Anand Aijan, Michael Wood, Sivagnanam Gn, Markel Picado, Andrew Brandt
@online{gallagher:20210421:nearly:53964a7, author = {Sean Gallagher and Suriya Natarajan and Anand Aijan and Michael Wood and Sivagnanam Gn and Markel Picado and Andrew Brandt}, title = {{Nearly half of malware now use TLS to conceal communications}}, date = {2021-04-21}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/}, language = {English}, urldate = {2021-04-28} } Nearly half of malware now use TLS to conceal communications
Agent Tesla Cobalt Strike Dridex SystemBC
2021-04-01Reversing LabsRobert Simmons
@online{simmons:20210401:code:885c081, author = {Robert Simmons}, title = {{Code Reuse Across Packers and DLL Loaders}}, date = {2021-04-01}, organization = {Reversing Labs}, url = {https://blog.reversinglabs.com/blog/code-reuse-across-packers-and-dll-loaders}, language = {English}, urldate = {2021-04-09} } Code Reuse Across Packers and DLL Loaders
IcedID SystemBC
2021-02-25FireEyeBryce Abdo, Brendan McKeague, Van Ta
@online{abdo:20210225:so:88f3400, author = {Bryce Abdo and Brendan McKeague and Van Ta}, title = {{So Unchill: Melting UNC2198 ICEDID to Ransomware Operations}}, date = {2021-02-25}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html}, language = {English}, urldate = {2021-03-02} } So Unchill: Melting UNC2198 ICEDID to Ransomware Operations
MOUSEISLAND Cobalt Strike Egregor IcedID Maze SystemBC
2021-02-03InfoSec Handlers Diary BlogBrad Duncan
@online{duncan:20210203:excel:8e949c9, author = {Brad Duncan}, title = {{Excel spreadsheets push SystemBC malware}}, date = {2021-02-03}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/forums/diary/Excel+spreadsheets+push+SystemBC+malware/27060/}, language = {English}, urldate = {2021-02-04} } Excel spreadsheets push SystemBC malware
Cobalt Strike SystemBC
2020-12-16SophosLabs UncutSean Gallagher, Sivagnanam Gn
@online{gallagher:20201216:ransomware:0b0fdf2, author = {Sean Gallagher and Sivagnanam Gn}, title = {{Ransomware operators use SystemBC RAT as off-the-shelf Tor backdoor}}, date = {2020-12-16}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/12/16/systembc/}, language = {English}, urldate = {2020-12-17} } Ransomware operators use SystemBC RAT as off-the-shelf Tor backdoor
SystemBC
2020-10-14SophosSean Gallagher
@online{gallagher:20201014:theyre:99f5d1e, author = {Sean Gallagher}, title = {{They’re back: inside a new Ryuk ransomware attack}}, date = {2020-10-14}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/}, language = {English}, urldate = {2020-10-16} } They’re back: inside a new Ryuk ransomware attack
Cobalt Strike Ryuk SystemBC
2019-07-31ProofpointKade Harmon, Kafeine, Dennis Schwarz, Proofpoint Threat Insight Team
@online{harmon:20190731:systembc:d98f03c, author = {Kade Harmon and Kafeine and Dennis Schwarz and Proofpoint Threat Insight Team}, title = {{SystemBC is like Christmas in July for SOCKS5 Malware and Exploit Kits}}, date = {2019-07-31}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/systembc-christmas-july-socks5-malware-and-exploit-kits}, language = {English}, urldate = {2019-12-20} } SystemBC is like Christmas in July for SOCKS5 Malware and Exploit Kits
SystemBC
Yara Rules
[TLP:WHITE] win_systembc_auto (20211008 | Detects win.systembc.)
// Auto-generated detection for win.systembc (see meta and DISCLAIMER below).
// Each $sequence_N is a hex byte pattern taken from the disassembly of unpacked
// samples and memory dumps; "??" bytes are wildcards for operands that vary per
// build. The rule fires when at least 7 of the 10 sequences are present in a
// file smaller than 57344 bytes (56 KiB).
rule win_systembc_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.systembc."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // NOTE(review): because the sequences come from unpacked code, this rule is
    // meant for memory dumps and unpacked files; packed on-disk samples are
    // not expected to match without prior unpacking.

    strings:
        // For every sequence below: "n" is the number of instructions in the
        // pattern and "score" is YARA-Signator's ranking of that sequence; all
        // ten sequences carry the same score here.
        // e8 (call) with its 4-byte relative target wildcarded, since the
        // target differs between builds.
        $sequence_0 = { e8???????? eb08 43 3b5dfc }
            // n = 4, score = 800
            //   e8????????           |                     
            //   eb08                 | jmp                 0xa
            //   43                   | inc                 ebx
            //   3b5dfc               | cmp                 ebx, dword ptr [ebp - 4]

        // Function epilogue returning 0 (mov edi,0 / mov eax,edi) via ret 4.
        $sequence_1 = { bf00000000 8bc7 5e 5f 5b c9 c20400 }
            // n = 7, score = 800
            //   bf00000000           | mov                 edi, 0
            //   8bc7                 | mov                 eax, edi
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi
            //   5b                   | pop                 ebx
            //   c9                   | leave               
            //   c20400               | ret                 4

        $sequence_2 = { 8b968c010000 8bb690010000 8945e4 895df4 894dec }
            // n = 5, score = 800
            //   8b968c010000         | mov                 edx, dword ptr [esi + 0x18c]
            //   8bb690010000         | mov                 esi, dword ptr [esi + 0x190]
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   895df4               | mov                 dword ptr [ebp - 0xc], ebx
            //   894dec               | mov                 dword ptr [ebp - 0x14], ecx

        // Byte-wise xor into [edi] with a counter decrement; presumably part of
        // a decoding loop, but only this fragment is visible here.
        $sequence_3 = { eb02 3007 49 837d0cfe 751c }
            // n = 5, score = 800
            //   eb02                 | jmp                 4
            //   3007                 | xor                 byte ptr [edi], al
            //   49                   | dec                 ecx
            //   837d0cfe             | cmp                 dword ptr [ebp + 0xc], -2
            //   751c                 | jne                 0x1e

        $sequence_4 = { 8b4de8 03d6 03c6 03ca 3bc2 762f 3bc1 }
            // n = 7, score = 800
            //   8b4de8               | mov                 ecx, dword ptr [ebp - 0x18]
            //   03d6                 | add                 edx, esi
            //   03c6                 | add                 eax, esi
            //   03ca                 | add                 ecx, edx
            //   3bc2                 | cmp                 eax, edx
            //   762f                 | jbe                 0x31
            //   3bc1                 | cmp                 eax, ecx

        // $sequence_5 and $sequence_7 overlap (dec edi / dec edi / mov eax,edi /
        // pop esi / pop edi); both can be satisfied by the same epilogue.
        $sequence_5 = { 2b7d08 4f 4f 8bc7 5e 5f }
            // n = 6, score = 800
            //   2b7d08               | sub                 edi, dword ptr [ebp + 8]
            //   4f                   | dec                 edi
            //   4f                   | dec                 edi
            //   8bc7                 | mov                 eax, edi
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi

        // Argument setup for a call taking a 0x100-byte stack buffer; the
        // trailing 68 (push imm32) has its operand wildcarded.
        $sequence_6 = { 8bf8 8d851cf4ffff 50 6800010000 57 ffb530f4ffff 68???????? }
            // n = 7, score = 800
            //   8bf8                 | mov                 edi, eax
            //   8d851cf4ffff         | lea                 eax, dword ptr [ebp - 0xbe4]
            //   50                   | push                eax
            //   6800010000           | push                0x100
            //   57                   | push                edi
            //   ffb530f4ffff         | push                dword ptr [ebp - 0xbd0]
            //   68????????           |                     

        $sequence_7 = { 4f 4f 8bc7 5e 5f 5b c9 }
            // n = 7, score = 800
            //   4f                   | dec                 edi
            //   4f                   | dec                 edi
            //   8bc7                 | mov                 eax, edi
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi
            //   5b                   | pop                 ebx
            //   c9                   | leave               

        $sequence_8 = { 7510 8b943088000000 8b8c308c000000 eb08 8b543078 8b4c307c 8955ec }
            // n = 7, score = 800
            //   7510                 | jne                 0x12
            //   8b943088000000       | mov                 edx, dword ptr [eax + esi + 0x88]
            //   8b8c308c000000       | mov                 ecx, dword ptr [eax + esi + 0x8c]
            //   eb08                 | jmp                 0xa
            //   8b543078             | mov                 edx, dword ptr [eax + esi + 0x78]
            //   8b4c307c             | mov                 ecx, dword ptr [eax + esi + 0x7c]
            //   8955ec               | mov                 dword ptr [ebp - 0x14], edx

        // Shares its first two instructions (inc ebx / cmp ebx,[ebp-4]) with the
        // tail of $sequence_0; the jb is the back-edge of that loop.
        $sequence_9 = { 43 3b5dfc 7296 33c0 5e }
            // n = 5, score = 800
            //   43                   | inc                 ebx
            //   3b5dfc               | cmp                 ebx, dword ptr [ebp - 4]
            //   7296                 | jb                  0xffffff98
            //   33c0                 | xor                 eax, eax
            //   5e                   | pop                 esi

    condition:
        // 7 of 10 leaves headroom for minor code differences between builds.
        // 57344 bytes = 56 KiB, an upper bound on the unpacked payload size.
        // NOTE(review): YARA leaves filesize undefined when scanning a running
        // process, so this clause may prevent matches in process-memory scans;
        // confirm against the scanning mode in use.
        7 of them and filesize < 57344
}