Sophos unravels modus operandi of ransomware operators using SystemBC malware
Digital Edge Bureau 06 Jan, 2021
In a recent revelation, Sophos, one of the world’s integrated security products & solutions providers, has come out with the fact that ransomware syndicates make use of SystemBC malware as an off-the-shelf Tor backdoor for entering the information infrastructure of enterprises & organizations. The research shows how SystemBC has developed into a fully-fledged remote access tool that acts as a Tor proxy and is being used in ransomware-as-a-service attacks for communications, data exfiltration and the download and execution of malicious modules.
“We’re increasingly seeing ransomware operators outsource the deployment of ransomware to affiliates using commodity malware and attack tools”, said Sean Gallagher, Senior Security Researcher, Sophos. “SystemBC is a regular part of recent ransomware attackers’ tool kits — Sophos has detected hundreds of attempted SystemBC deployments worldwide over the last few months. The backdoor can be used in combination with other scripts and malware to perform discovery, exfiltration and lateral movement in an automated way across multiple targets. These SystemBC capabilities were originally intended for widespread commodity malware, but they have now been folded into the toolkit for targeted attacks — including ransomware”, elaborated Gallagher.
Sophos’ research is based on investigations into recent ransomware-as-a-service attacks involving Ryuk and Egregor, all of which deployed SystemBC. The investigations show that SystemBC is used in combination with different commodity tools, creating a diverse profile of tactics, techniques and procedures (TTPs). For instance, in some of the Ryuk attacks investigated, SystemBC was deployed alongside Buer Loader malware, while other attacks in the same campaign used Bazar or Zloader. The Egregor attacks that Sophos investigated used SystemBC together with Qbot.
SystemBC was first discovered in 2019, operating like a ‘virtual private network’ via a SOCKS5 proxy. A year on, the upgraded version analysed by Sophos provides attackers with a persistent backdoor that automates a number of key activities so that operators can launch multiple attacks without the need for hands-on-keyboard activity. It can execute Windows commands passed over the Tor connection, as well as deliver and execute scripts, malicious executables and dynamic link libraries (DLLs).