SystemBC is a form of malware that turns devices into SOCKS5 proxies for botnet delivery. It was one of the targets of the major disruption campaign Operation Endgame during its May 2024 season, but while it has been diminished, it is not gone. In fact, Silent Push published an article over the weekend detailing their newest research findings on the malware.
To better understand why SystemBC is a problem, let’s take a look at how it works. What is SOCKS/SOCKS5, anyway?
Sometimes said to stand for ‘socket secure’, SOCKS is an internet protocol that relays network packets between a client and a server through a proxy server. It is used to forward TCP connections to an arbitrary IP address and also provides a means for UDP packets to be relayed. TCP (transmission control protocol) and UDP (user datagram protocol) are the two transport protocols that carry most internet traffic. When I’m looking at packet captures, these two forms of communication are high on my list for tracking, as they can easily be subverted for the delivery of malicious code. UDP in particular is one I keep an eye on, since it requires no handshake between systems before data is delivered and is therefore inherently insecure. These protocols themselves are simply the route by which traffic moves online and carry no protections for or against whatever that traffic might be. That’s where SOCKS comes into play: it routes this traffic through known ports, where it is then subject to whatever verification the device’s security software performs.
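To make the SOCKS5 exchange described above concrete, here is a small parser for the client greeting and CONNECT request as laid out in RFC 1928. This is an added example, not code from the original post or from Silent Push's research; the byte strings are constructed to illustrate the wire format and are not captured SystemBC traffic. A defender reviewing a packet capture can apply the same checks to flag SOCKS5 negotiations on hosts that have no business acting as proxies.

```python
"""
Added example: minimal SOCKS5 (RFC 1928) greeting and request parser.
Not part of the original post; sample bytes below are constructed.
"""
import ipaddress
import struct

SOCKS_VERSION = 0x05
AUTH_METHODS = {0x00: "no-auth", 0x02: "username/password", 0xFF: "no-acceptable"}
COMMANDS = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP ASSOCIATE"}


def parse_greeting(data: bytes):
    """Parse the client greeting: VER | NMETHODS | METHODS[NMETHODS].
    Returns the list of offered auth methods, or None if not SOCKS5."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    if len(data) != 2 + nmethods:
        return None
    return [AUTH_METHODS.get(m, f"unknown-0x{m:02x}") for m in data[2:2 + nmethods]]


def parse_request(data: bytes):
    """Parse VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT.
    Returns {"command", "host", "port"} or None if malformed."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        return None
    cmd, atyp = data[1], data[3]
    if cmd not in COMMANDS:
        return None
    pos = 4
    if atyp == 0x01:  # IPv4: 4 raw bytes
        if len(data) < pos + 4:
            return None
        host = str(ipaddress.IPv4Address(data[pos:pos + 4]))
        pos += 4
    elif atyp == 0x03:  # domain name: 1-byte length prefix, then name
        if len(data) < pos + 1:
            return None
        n = data[pos]
        pos += 1
        if len(data) < pos + n:
            return None
        host = data[pos:pos + n].decode("ascii", errors="replace")
        pos += n
    elif atyp == 0x04:  # IPv6: 16 raw bytes
        if len(data) < pos + 16:
            return None
        host = str(ipaddress.IPv6Address(data[pos:pos + 16]))
        pos += 16
    else:
        return None
    if len(data) != pos + 2:  # exactly a 2-byte big-endian port must remain
        return None
    (port,) = struct.unpack("!H", data[pos:pos + 2])
    return {"command": COMMANDS[cmd], "host": host, "port": port}


def describe_socks5_session(greeting: bytes, request: bytes):
    """Return a summary if both client messages parse as SOCKS5, else None.
    Useful as a hunting check: a SOCKS5 session on an unexpected host or port
    is a signal worth investigating."""
    methods = parse_greeting(greeting)
    req = parse_request(request)
    if methods is None or req is None:
        return None
    return {"auth_methods": methods, **req}


# Constructed sample messages (documentation addresses, not real traffic)
SAMPLE_GREETING = b"\x05\x02\x00\x02"  # v5, offers no-auth and user/pass
SAMPLE_CONNECT_V4 = (
    b"\x05\x01\x00\x01" + bytes([203, 0, 113, 10]) + b"\x01\xbb"  # CONNECT 203.0.113.10:443
)
SAMPLE_CONNECT_DOMAIN = (
    b"\x05\x01\x00\x03" + b"\x0bexample.com" + b"\x00\x50"  # CONNECT example.com:80
)

if __name__ == "__main__":
    print(describe_socks5_session(SAMPLE_GREETING, SAMPLE_CONNECT_V4))
    print(describe_socks5_session(SAMPLE_GREETING, SAMPLE_CONNECT_DOMAIN))
```

The version byte (0x05) at the start of both messages is the cheapest indicator; running `parse_request` over the first bytes of new TCP flows in a capture will surface proxy negotiations regardless of which port they use, which matters because a proxy bot is under no obligation to listen on 1080.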
SystemBC, also known as ‘Coroxy’ or ‘DroxiDat’, hijacks the SOCKS protocol on compromised devices to maintain backdoor access and persistence and to deliver its payload. Silent Push’s article notes that the current payload is unknown; their research focused more on the prevalence of incursions. Despite being targeted by Operation Endgame, the malware family appears to still be in active development. The research team found over 10,000 unique IPs infected and used as proxies, distributed globally, with nearly a quarter of them located in the US. They also discovered a previously unseen variant written in Perl and designed specifically to infect Linux systems, which had yet to be flagged by any antivirus listings or software.
The proxies tend to be hosting platforms rather than residential ones, like those used with Aisuru-Kimwolf for example, which is why the relatively low number of victims is still significant. Each of those hosts becomes a hub, and every client connected to it downstream is potentially compromised through that connection, including several government domains around the world. There is also evidence of intrusions into WordPress websites, based on reported IP infections listed in VirusTotal, an independent resource for tracking known malware.
SystemBC is one of the families that can be hard to detect due to its evasion tactics, but Silent Push has compiled a list of known factors and behaviors for mitigating infection, as well as specific hashes and IPs, all of which are included in their article. Prevention, however, remains the best medicine. Proactive defense in the form of good anti-malware software and dedicated threat hunting is the best way to go.