A new malware inflicting Windows systems has been documented by security researchers. Dubbed as ‘SystemBC’ by researchers from Proofpoint, the malware was spotted on May 2019 and was found to be delivered through attack campaigns associated with Fallout Exploit Kit, Danabot trojan and the RIG Exploit Kit.
The malware is also believed to have connections with Brushaloader and related malware.
A new piece of malware dubbed SystemBC has disclosed “a previously undocumented malware”.
The malware was tracked as “SystemBC” based on the URI path shown in the advertisement’s panel screenshots.
According to a report by ZDNet, SystemBC is essentially an on-demand proxy component for malware operators, which they can deploy on compromised systems to hide malicious traffic.
SOCKS5 Proxies
The malware hides malicious network traffic using SOCKS5 proxies that set up on compromised PCs.
SystemBC is written in C++ and primarily sets up SOCKS5 proxies on victim computers that can then be used by threat actors to tunnel/hide the malicious traffic associated with other malware, according to Proofpoint.
The use of SOCKS5 proxies was observed several times by malware researchers, it allows to avoid detection bypassing security measures that identify malicious traffic. SOCKS5 proxies also allow hiding Command & Control servers making takedowns. SystemBC communicates with C2 server via HTTPs connections.
The most recently analyzed sample of SystemBC uses the Fallout Exploit to deliver the Danabot banking Trojan.
The malware is reportedly sold in an underground marketplace with the name “socks5 back-connect system”.
It uses the standard RC4 encryption in its C2 server communications. The researchers analyzed a communication packet and found four pieces of information. It included a plaintext RC4 key, Windows build ID, an account name in the device, and a Boolean for checking if the machine is an x64-based processor.
Analysis
Before Proofpoint’s report was published, security researchers have also detected samples.
The attackers behind the campaigns distributing SystemBC use the exploit kits which drop the proxy malware to also infect their victims with other well-known malicious payloads such as the modular Danabot banking Trojan.
SystemBC was observed by Proofpoint’s researchers while spreading to potential targets via several Fallout EK powered campaigns during June and July.
On June 4, one of the malicious campaigns used Malvertising to distribute the SystemBC samples.
On June 6, 2019, Proofpoint researchers observed the new proxy malware in the wild again. This time it was being delivered via a Fallout EK and PowerEnum campaign alongside an instance of the Danabot banking Trojan.
Between July 18 and 22, 2019, Proofpoint researchers observed the proxy malware a third time. This time it was being distributed by the Amadey Loader, which itself was being distributed in a RIG EK campaign.
Other security researchers have also observed the malware being used in the wild. Notably, Vitali Kremez saw a sample of the malware on May 2, 2019, and @nao_sec observed it in connection within a third Fallout EK campaign on July 13, 2019.
SystemBC Malware Removal
If SystemBC Malware in Windows, continue with the guide below.
Step 1: Some of the steps will likely require you to exit the page. Bookmark it for later reference.
Reboot in Safe Mode.
Step 2: Warning! Read carefully before proceeding!
Press CTRL + SHIFT + ESC at the same time and go to the Processes Tab. Try to determine which processes are dangerous.
Right click on each of them and select Open File Location. Then scan the files with our free online virus scanner.
After open their folder, end the processes that are infected, then delete their folders.
(Note: If you are sure something is part of the infection – delete it, even if the scanner doesn’t flag it. No anti-virus program can detect all infections.)
Step 3: Hold together the Start Key and R. Type appwiz.cpl –> OK.
You are now in the Control Panel. Look for suspicious entries. Uninstall it/them. If there see a screen like this when you click Uninstall, choose NO:
Step 4: Type msconfig in the search field and hit enter. A window will pop-up:
Startup —> Uncheck entries that have “Unknown” as Manufacturer or otherwise look suspicious.
Remember this step – if you have reason to believe a bigger threat (like ransomware) is on your PC, check everything here.
Hold the Start Key and R – copy + paste the following and click OK:
notepad %windir%/system32/Drivers/etc/hosts
A new file will open. If you are hacked, there will be a bunch of other IPs connected.
Step 5: Type Regedit in the windows search field and press Enter.
Once inside, press CTRL and F together and type the virus’s Name. Right-click and delete any entries you find with a similar name. If they don’t show up this way, go manually to these directories and delete/uninstall them:
- HKEY_CURRENT_USER—-Software—–Random Directory. It could be any one of them – ask us if you can’t discern which ones are malicious.
- HKEY_CURRENT_USER—-Software—Microsoft—-Windows—CurrentVersion—Run– Random
- HKEY_CURRENT_USER—-Software—Microsoft—Internet Explorer—-Main—- Random
Summary
| Name | SystemBC |
| Type | Trojan |
| Danger Level | High (Trojan are used as a Backdoor for Ransomware) |
| Symptoms | A Trojan may cause many different types of system disturbance – BSOD, System errors, Software failure, etc… |
| Distribution Method | Pirated content and misleading ads are oftentimes the preferred tools of Trojan Horse distribution. |
| Detection Tool | SystemBC may reinstall itself multiple times if you don’t delete its core files. We recommend downloading SpyHunter to scan for malicious programs. |