Researchers at Sophos Labs (opens in new tab) have been tracking a new ransomware tool available on underground hacking forums which has evolved into a Tor (opens in new tab) proxy and remote control tool that is now being used in the wild.
The tool is called SystemBC and it serves as a backdoor that provides attackers with a persistent connection to their victims' systems.
First observed last year, it acts as both a network proxy for concealed communications and as a remote administration tool (RAT) capable of executing Windows commands as well as delivering and executing scripts, malicious executable and dynamic link libraries (DLL).
- We've assembled a list of the best malware removal (opens in new tab) software
- These are the best disaster recovery (opens in new tab) services on the market
- Also check out our roundup of the best ransomware protection (opens in new tab)
SystemBC has evolved over the past year from acting as virtual private network (VPN (opens in new tab)) through a SOCKS5 proxy to using the Tor network to encrypt and conceal the destination of command and control traffic.
During the course of its recent investigations, Sophos MTR's Rapid Response team has seen SystemBC used in recent Ryuk (opens in new tab) and Egregor (opens in new tab) ransomware attacks, though it is often used alongside other post-exploitation tools such as Cobalt Strike (opens in new tab). However, in some cases, the SystemBC RAT was deployed to servers after attackers had gained access to administrative credentials and moved deeper into a targeted network.
When deployed, the tool will copy and schedule itself as a service but this step will be skipped if Emsisoft antivirus software (opens in new tab) is detected on a victim's system. SystemBC then establishes a connection to a command and control server using a beacon connection to a remote server based at one of two hard-coded domains.
In a new blog post (opens in new tab), senior threat researcher Sean Gallagher and threat researcher Sivagnanam Gn at Sophos provided further insight on how SystemBC now connects to the Tor network, saying:
“The Tor communications element of SystemBC appears to be based on mini-tor, an open-source library for lightweight connectivity to the Tor anonymized network. The code of mini-Tor isn’t duplicated in SystemBC (since mini-Tor is written in C++ and SystemBC is compiled from C). But the bot’s implementation of the Tor client closely resembles the implementation used in the open-source program, including its extensive use of the Windows Crypto Next Gen (CNG) API’s Base Crypto (BCrypt) functions.”
As SystemBC is often deployed as an off-the-shelf tool, its is likely that ransomware attackers are acquiring it from malware-as-a-service (opens in new tab) operations in underground forums. The tool has become increasingly popular among cybercriminals due to the fact that it allows for multiple targets to be worked at the same time.
- We've also highlighted the best endpoint protection (opens in new tab) software
Via ZDNet (opens in new tab)