win.systembc

SystemBC

SystemBC is proxy malware built around SOCKS5. Proofpoint chose the name SystemBC based on screenshots used in advertisements on an underground marketplace.

SystemBC had been observed only occasionally until June 2019, since when its activity has been more pronounced. The first samples go back to October 2018.

References
2021-06-07 | Medium walmartglobaltech | Joshua Platt, Jason Reaves
Inside the SystemBC Malware-As-A-Service
@online{platt:20210607:inside:6c363a7, author = {Joshua Platt and Jason Reaves}, title = {{Inside the SystemBC Malware-As-A-Service}}, date = {2021-06-07}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6}, language = {English}, urldate = {2021-06-08} }
Families: Ryuk, SystemBC, TrickBot

2021-05-19 | Intel 471 | Intel 471
Look how many cybercriminals love Cobalt Strike
@online{471:20210519:look:5ba9516, author = {Intel 471}, title = {{Look how many cybercriminals love Cobalt Strike}}, date = {2021-05-19}, organization = {Intel 471}, url = {https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor}, language = {English}, urldate = {2021-05-19} }
Families: BazarBackdoor, Cobalt Strike, Hancitor, QakBot, SmokeLoader, SystemBC, TrickBot

2021-05-10 | F-Secure | Callum Roxan, Sami Ruohonen
Prelude to Ransomware: SystemBC
@online{roxan:20210510:prelude:1bb57bb, author = {Callum Roxan and Sami Ruohonen}, title = {{Prelude to Ransomware: SystemBC}}, date = {2021-05-10}, organization = {F-Secure}, url = {https://labs.f-secure.com/blog/prelude-to-ransomware-systembc/}, language = {English}, urldate = {2021-05-11} }
Families: SystemBC

2021-04-21 | SophosLabs Uncut | Sean Gallagher, Suriya Natarajan, Anand Aijan, Michael Wood, Sivagnanam Gn, Markel Picado, Andrew Brandt
Nearly half of malware now use TLS to conceal communications
@online{gallagher:20210421:nearly:53964a7, author = {Sean Gallagher and Suriya Natarajan and Anand Aijan and Michael Wood and Sivagnanam Gn and Markel Picado and Andrew Brandt}, title = {{Nearly half of malware now use TLS to conceal communications}}, date = {2021-04-21}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/}, language = {English}, urldate = {2021-04-28} }
Families: Agent Tesla, Cobalt Strike, Dridex, SystemBC

2021-04-01 | Reversing Labs | Robert Simmons
Code Reuse Across Packers and DLL Loaders
@online{simmons:20210401:code:885c081, author = {Robert Simmons}, title = {{Code Reuse Across Packers and DLL Loaders}}, date = {2021-04-01}, organization = {Reversing Labs}, url = {https://blog.reversinglabs.com/blog/code-reuse-across-packers-and-dll-loaders}, language = {English}, urldate = {2021-04-09} }
Families: IcedID, SystemBC

2021-02-25 | FireEye | Bryce Abdo, Brendan McKeague, Van Ta
So Unchill: Melting UNC2198 ICEDID to Ransomware Operations
@online{abdo:20210225:so:88f3400, author = {Bryce Abdo and Brendan McKeague and Van Ta}, title = {{So Unchill: Melting UNC2198 ICEDID to Ransomware Operations}}, date = {2021-02-25}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html}, language = {English}, urldate = {2021-03-02} }
Families: MOUSEISLAND, Cobalt Strike, Egregor, IcedID, Maze, SystemBC

2021-02-03 | InfoSec Handlers Diary Blog | Brad Duncan
Excel spreadsheets push SystemBC malware
@online{duncan:20210203:excel:8e949c9, author = {Brad Duncan}, title = {{Excel spreadsheets push SystemBC malware}}, date = {2021-02-03}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/forums/diary/Excel+spreadsheets+push+SystemBC+malware/27060/}, language = {English}, urldate = {2021-02-04} }
Families: Cobalt Strike, SystemBC

2020-12-16 | SophosLabs Uncut | Sean Gallagher, Sivagnanam Gn
Ransomware operators use SystemBC RAT as off-the-shelf Tor backdoor
@online{gallagher:20201216:ransomware:0b0fdf2, author = {Sean Gallagher and Sivagnanam Gn}, title = {{Ransomware operators use SystemBC RAT as off-the-shelf Tor backdoor}}, date = {2020-12-16}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/12/16/systembc/}, language = {English}, urldate = {2020-12-17} }
Families: SystemBC

2020-10-14 | Sophos | Sean Gallagher
They’re back: inside a new Ryuk ransomware attack
@online{gallagher:20201014:theyre:99f5d1e, author = {Sean Gallagher}, title = {{They’re back: inside a new Ryuk ransomware attack}}, date = {2020-10-14}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/}, language = {English}, urldate = {2020-10-16} }
Families: Cobalt Strike, Ryuk, SystemBC

2019-07-31 | Proofpoint | Kade Harmon, Kafeine, Dennis Schwarz, Proofpoint Threat Insight Team
SystemBC is like Christmas in July for SOCKS5 Malware and Exploit Kits
@online{harmon:20190731:systembc:d98f03c, author = {Kade Harmon and Kafeine and Dennis Schwarz and Proofpoint Threat Insight Team}, title = {{SystemBC is like Christmas in July for SOCKS5 Malware and Exploit Kits}}, date = {2019-07-31}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/systembc-christmas-july-socks5-malware-and-exploit-kits}, language = {English}, urldate = {2019-12-20} }
Families: SystemBC
Yara Rules
[TLP:WHITE] win_systembc_auto (20210616 | Detects win.systembc.)
rule win_systembc_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.systembc."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 668b9554f9ffff 6a00 6a00 6a03 6a00 6a00 }
            // n = 6, score = 800
            //   668b9554f9ffff       | mov                 dx, word ptr [ebp - 0x6ac]
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a03                 | push                3
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_1 = { 6800020000 e8???????? 57 e8???????? 8d3c38 66b85c00 }
            // n = 6, score = 800
            //   6800020000           | push                0x200
            //   e8????????           |                     
            //   57                   | push                edi
            //   e8????????           |                     
            //   8d3c38               | lea                 edi, dword ptr [eax + edi]
            //   66b85c00             | mov                 ax, 0x5c

        $sequence_2 = { ff75fc e8???????? ff75fc e8???????? 5e 5f }
            // n = 6, score = 800
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   e8????????           |                     
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   e8????????           |                     
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi

        $sequence_3 = { 4f 8bc7 5e 5f }
            // n = 4, score = 800
            //   4f                   | dec                 edi
            //   8bc7                 | mov                 eax, edi
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi

        $sequence_4 = { 8b85f4feffff eb03 8b4618 5e 5f 5b c9 }
            // n = 7, score = 800
            //   8b85f4feffff         | mov                 eax, dword ptr [ebp - 0x10c]
            //   eb03                 | jmp                 5
            //   8b4618               | mov                 eax, dword ptr [esi + 0x18]
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi
            //   5b                   | pop                 ebx
            //   c9                   | leave               

        $sequence_5 = { 8b450c ab 8b4514 ab }
            // n = 4, score = 800
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]
            //   ab                   | stosd               dword ptr es:[edi], eax

        $sequence_6 = { 74f4 368a942900fcffff 02043b 02c2 368ab42800fcffff 3688b42900fcffff 3688942800fcffff }
            // n = 7, score = 800
            //   74f4                 | je                  0xfffffff6
            //   368a942900fcffff     | mov                 dl, byte ptr ss:[ecx + ebp - 0x400]
            //   02043b               | add                 al, byte ptr [ebx + edi]
            //   02c2                 | add                 al, dl
            //   368ab42800fcffff     | mov                 dh, byte ptr ss:[eax + ebp - 0x400]
            //   3688b42900fcffff     | mov                 byte ptr ss:[ecx + ebp - 0x400], dh
            //   3688942800fcffff     | mov                 byte ptr ss:[eax + ebp - 0x400], dl

        $sequence_7 = { e8???????? 8d5804 6a18 e8???????? 83c061 aa }
            // n = 6, score = 800
            //   e8????????           |                     
            //   8d5804               | lea                 ebx, dword ptr [eax + 4]
            //   6a18                 | push                0x18
            //   e8????????           |                     
            //   83c061               | add                 eax, 0x61
            //   aa                   | stosb               byte ptr es:[edi], al

        $sequence_8 = { eb08 43 3b5dfc 7296 }
            // n = 4, score = 800
            //   eb08                 | jmp                 0xa
            //   43                   | inc                 ebx
            //   3b5dfc               | cmp                 ebx, dword ptr [ebp - 4]
            //   7296                 | jb                  0xffffff98

        $sequence_9 = { 8b4618 5e 5f 5b c9 c20400 }
            // n = 6, score = 800
            //   8b4618               | mov                 eax, dword ptr [esi + 0x18]
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi
            //   5b                   | pop                 ebx
            //   c9                   | leave               
            //   c20400               | ret                 4

    condition:
        7 of them and filesize < 57344
}