SystemBC Malware Conceals C2 Traffic for Persistent Access
Key Takeaways
- SystemBC, also known as Coroxy, is a sophisticated Windows malware acting as a SOCKS5 proxy, backdoor, and remote access tool.
- It stealthily routes malicious command-and-control (C2) traffic through infected systems, making detection challenging.
- The malware has been consistently linked to major ransomware operations, including Ryuk, Conti, and BlackBasta.
- Newer versions leverage the Tor network for C2 communications, further enhancing its ability to evade detection.
- Organizations should focus on behavior-based detection and regularly simulate attacks to identify and remediate security gaps.
A potent cyberattack tool, SystemBC, has been increasingly observed establishing covert communication channels within enterprise networks. This malware transforms compromised machines into proxies for illicit traffic, allowing threat actors to maintain persistent, hidden access. Security researchers have connected SystemBC to some of the most impactful ransomware campaigns in recent history.
SystemBC, also identified as Coroxy, functions as a multi-faceted Windows malware, combining the capabilities of a SOCKS5 proxy, a backdoor, and a remote access tool. Its primary objective is to provide cybercriminals with an unnoticeable foothold inside targeted environments, enabling them to funnel malicious traffic through unsuspecting hosts without immediate detection. This capability is detailed in a comprehensive analysis by security experts. You can review the full report here.
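The behaviour described above, a workstation quietly accepting SOCKS5 sessions from other hosts and relaying them outward, is something defenders can look for in their own telemetry. The following is an added detection example written for this article; it is not code from Picus, from the report, or from the malware analysis. It assumes flow records that carry the first few payload bytes of each connection (a hypothetical `Flow` record type), a constructed set of sample flows, and a hypothetical allow-list of sanctioned proxy hosts. It flags internal hosts that receive SOCKS5 client greetings (RFC 1928: version byte 0x05, a method count, then that many method bytes) without being an approved proxy, and hosts that open an outbound connection to a non-internal address shortly after accepting such a greeting, which is the relay pattern a SystemBC-style proxy produces.

```python
"""Behaviour-based detection of unexpected SOCKS5 relay hosts in flow telemetry.

Added example for illustration only; not part of the original report.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Flow:
    """Hypothetical flow record: timestamp, endpoints, destination port, first payload bytes."""
    ts: float
    src: str
    dst: str
    dport: int
    first_payload: bytes


# Assumption: hosts that are allowed to act as SOCKS proxies in this environment.
APPROVED_PROXIES = {"10.0.0.250"}
# Assumption: the internal address range; anything outside it is treated as external.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample flows. 10.0.0.7 is a workstation that accepts a SOCKS5 greeting
# from 10.0.0.21 and then connects out to an external host; 10.0.0.250 is the
# sanctioned proxy doing the same legitimately; 10.0.0.9 is plain web traffic.
SAMPLE_FLOWS: List[Flow] = [
    Flow(100.0, "10.0.0.21", "10.0.0.7", 4001, b"\x05\x01\x00"),        # SOCKS5 greeting, no-auth
    Flow(100.4, "10.0.0.7", "203.0.113.10", 443, b"\x16\x03\x01"),      # relay out (TLS hello start)
    Flow(150.0, "10.0.0.33", "10.0.0.250", 1080, b"\x05\x02\x00\x02"),  # greeting to approved proxy
    Flow(150.2, "10.0.0.250", "198.51.100.5", 443, b"\x16\x03\x01"),    # approved proxy relaying
    Flow(200.0, "10.0.0.21", "10.0.0.9", 80, b"GET / HTTP/1.1\r\n"),    # ordinary HTTP
    Flow(200.1, "10.0.0.9", "203.0.113.77", 443, b"\x16\x03\x01"),      # outbound, but no SOCKS inbound
    Flow(300.0, "10.0.0.21", "10.0.0.7", 4001, b"\x05\x00"),            # malformed: zero methods
]


def is_socks5_greeting(payload: bytes) -> bool:
    """True if payload starts with a well-formed SOCKS5 client greeting (RFC 1928 section 3)."""
    if len(payload) < 3 or payload[0] != 0x05:
        return False
    nmethods = payload[1]
    # A greeting must advertise at least one auth method and carry all method bytes.
    return nmethods >= 1 and len(payload) >= 2 + nmethods


def find_unexpected_socks5_listeners(flows: Iterable[Flow]) -> List[str]:
    """Internal hosts receiving SOCKS5 greetings that are not sanctioned proxies."""
    return sorted(
        {f.dst for f in flows
         if is_socks5_greeting(f.first_payload) and f.dst not in APPROVED_PROXIES}
    )


def find_relay_candidates(flows: Iterable[Flow], window: float = 2.0) -> List[Tuple[str, str]]:
    """Pairs (host, external_dst) where host accepted a SOCKS5 greeting and then
    opened an outbound connection to an external address within `window` seconds."""
    flows = list(flows)
    inbound_greetings = defaultdict(list)
    for f in flows:
        if is_socks5_greeting(f.first_payload) and f.dst not in APPROVED_PROXIES:
            inbound_greetings[f.dst].append(f.ts)

    hits = set()
    for f in flows:
        if f.src not in inbound_greetings:
            continue
        if ipaddress.ip_address(f.dst) in INTERNAL:
            continue  # internal-to-internal traffic is not the relay pattern we want
        if any(0 <= f.ts - t <= window for t in inbound_greetings[f.src]):
            hits.add((f.src, f.dst))
    return sorted(hits)


if __name__ == "__main__":
    print("Unexpected SOCKS5 listeners:", find_unexpected_socks5_listeners(SAMPLE_FLOWS))
    print("Relay candidates:", find_relay_candidates(SAMPLE_FLOWS))
```

On the constructed sample the listener check reports only 10.0.0.7, and the relay check reports the pair (10.0.0.7, 203.0.113.10); the approved proxy and the plain HTTP client are left alone, and the truncated greeting at the end is ignored. The time-window correlation is deliberately crude: in production it would be keyed on the proxied session rather than on host-level timing, and the approved-proxy list would come from asset inventory rather than a constant.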
First detected between 2018 and 2019, SystemBC initially served as a payload delivered by prominent exploit kits such as RIG and Fallout. Over time, it has evolved into a widely traded commodity on dark web forums, becoming a staple tool for numerous criminal organizations. This widespread adoption underscores its effectiveness and versatility in the cybercrime ecosystem. Further details on this evolution can be found in this report.
According to Picus, in a report shared with Cyber Security News (CSN), SystemBC acts as a persistent backdoor and proxy. It transforms infected machines into conduits for malicious traffic while simultaneously executing commands, scripts, and binaries dispatched from attacker-controlled servers. This malware has been implicated in breaches involving notorious ransomware families such as Ryuk, Egregor, Conti, BlackBasta, Play, and Rhysida, solidifying its role in some of the most devastating cyberattacks of recent years. The full report can be found in the PDF shared by Picus.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.