Coroxy

Malware updated 3 months ago (2024-08-14T10:18:03.738Z)
Coroxy is a multifaceted malware, also known as SystemBC, DroxiDat, or Proxy, that serves as a backdoor and remote access tool (RAT) and adapts to the requirements of attackers. It has been associated with the Play ransomware group: its infection chain uses tools such as PsExec, NetScan, WinSCP, WinRAR, and the Coroxy backdoor itself, and these tools are hosted on an IP address previously linked to Play ransomware attacks, as detailed in research by TrendMicro. Black-box analysis observed the Coroxy backdoor connecting to 45[.]76[.]165[.]129, an IP address that resolves to different domains matching those registered by Prolific Puma and that also hosts the tools used in previous Play ransomware attacks. That multiple domains resolve to the IP address the backdoor connects to suggests a complex network of malicious activity and a sophisticated operation. Testing the same IP address, which hosts the Coroxy backdoor, confirmed the association, indicating that the groups behind these threats might be related or even the same. In conclusion, Coroxy represents a significant threat because of its multifunctionality and its association with known ransomware groups, making it a critical focus for cybersecurity efforts.
Description last updated: 2024-08-14T09:47:44.772Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names and profiles you may also want to look at.
Alias: SystemBC (votes: 2)
Description: SystemBC is a possible alias for Coroxy. SystemBC is a type of malware that has been heavily utilized in various cyber attacks, including those involving the BlackBasta ransomware group in 2023. The Play ransomware actors have also been known to use SystemBC alongside other command and control (C2) applications such as Cobalt Strike and to
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
WinRAR
Backdoor
Analyst Notes & Discussion
Source Document References
Information about the Coroxy malware was read from the document corpus below. This display is limited to 20 results.