SystemBC

Malware Profile, updated 2 months ago
SystemBC is proxy malware: a SOCKS5-capable bot with backdoor and remote-access functionality that ransomware operators use to tunnel traffic into compromised networks (ATT&CK T1090.002, Proxy: External Proxy). It is also tracked as Coroxy, and a 2023 variant is known as DroxiDat. In 2023 it was heavily used alongside BlackBasta and Quicksand, and it has been deployed by Black Basta affiliates during their attacks. Play ransomware actors have also used SystemBC together with command-and-control (C2) frameworks such as Cobalt Strike and tools such as PsExec for lateral movement and file execution. The Vidar stealer has delivered SystemBC as a secondary payload. Its use escalated further when it was distributed by email (campaigns #9437 and #9436) as a compressed hacktool attachment.

Despite law enforcement efforts, the criminal activity behind the targeted botnets continues: according to malware researcher Rohit Bansal, known online as "R.", a server spreading SystemBC remained in operation. Between 27 and 29 May 2024, an international law enforcement operation coordinated by Europol, codenamed Operation Endgame, targeted malware droppers including SystemBC, but this did not completely halt its spread.

SystemBC has also appeared in other campaigns. During the SmartScreen campaign it was used alongside Remcos RAT and the Gozi (Ursnif) banking Trojan. Ransomware affiliates have used Linux variants of Cobalt Strike and SystemBC to perform reconnaissance of VMware ESXi servers before deploying ransomware. The IDAT loader, which can load several malware families including Danabot, SystemBC and RedLine Stealer, has also been leveraged, and the threat actor tracked as TA544 (Narwal Spider) has used IDAT Loader to deploy Remcos RAT or SystemBC, adding to an escalating threat landscape.
Possible Aliases / Cluster Overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names / profiles you may also want to look at (ID, votes, profile description):

DroxiDat (4 votes): DroxiDat, a new variant of the SystemBC malware, was deployed in a series of attacks on critical infrastructure targets in Africa during the third and fourth weeks of March. The malware, which acts as a system profiler and simple SOCKS5-capable bot, was specifically detected at an electric utility c

Coroxy (2 votes): Coroxy, a multifaceted malware known also as SystemBC or DroxiDat, has been detected establishing connections with a specific IP address. This malicious software, capable of acting as a Proxy, Bot, Backdoor, and Remote Access Trojan (RAT), can infiltrate systems through suspicious downloads, emails,

TA544 (1 vote): TA544 is a financially motivated, advanced persistent threat (APT) actor that has been tracked by cybersecurity firm Proofpoint and others since at least 2017. This malicious actor typically uses Ursnif malware to target organizations, predominantly in Italy and Japan. The Ursnif banking trojan, als
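The DroxiDat and Coroxy rows above describe SystemBC as a SOCKS5-capable proxy bot, which is what the T1090.002 (Proxy: External Proxy) tag on this page refers to. The following is an added example, not code from this page or from any SystemBC sample: it parses plain SOCKS5 (RFC 1928) handshakes, including the RFC 1929 username/password sub-negotiation, from the first client-to-server payloads of a TCP flow and flags flows in which an endpoint is being used as a proxy. It assumes a network tap or flow reassembly that yields those payloads; the flow record layout, the function names and the sample bytes are constructed for the example, and it does not model SystemBC's own C2 transport, which this page does not describe.

```python
"""SOCKS5 (RFC 1928) handshake parser used to flag proxy sessions in
reassembled TCP flows. Hypothetical detection helper, not SystemBC code."""
import socket
import struct
from typing import Optional

SOCKS_VERSION = 5
CMD_NAMES = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4


def parse_greeting(data: bytes) -> Optional[list]:
    """Client greeting: VER | NMETHODS | METHODS[NMETHODS]. Returns the
    offered auth methods, or None if the bytes are not a SOCKS5 greeting."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) < 2 + nmethods:
        return None
    return list(data[2:2 + nmethods])


def parse_request(data: bytes) -> Optional[dict]:
    """Client request: VER | CMD | RSV=0 | ATYP | DST.ADDR | DST.PORT."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0:
        return None
    cmd, atyp = data[1], data[3]
    if cmd not in CMD_NAMES:
        return None
    pos = 4
    if atyp == ATYP_IPV4:
        if len(data) < pos + 4 + 2:
            return None
        host = socket.inet_ntoa(data[pos:pos + 4])
        pos += 4
    elif atyp == ATYP_DOMAIN:
        if len(data) < pos + 1:
            return None
        length = data[pos]
        pos += 1
        if len(data) < pos + length + 2:
            return None
        host = data[pos:pos + length].decode("ascii", "replace")
        pos += length
    elif atyp == ATYP_IPV6:
        if len(data) < pos + 16 + 2:
            return None
        host = socket.inet_ntop(socket.AF_INET6, data[pos:pos + 16])
        pos += 16
    else:
        return None
    (port,) = struct.unpack("!H", data[pos:pos + 2])
    return {"cmd": CMD_NAMES[cmd], "host": host, "port": port}


def inspect_flow(client_chunks) -> Optional[dict]:
    """Return a finding if the first client->server payloads of a flow form a
    SOCKS5 greeting followed by a request. An RFC 1929 username/password
    sub-negotiation (VER=0x01) between the two is skipped when present."""
    chunks = list(client_chunks)
    if not chunks:
        return None
    methods = parse_greeting(chunks[0])
    if methods is None:
        return None
    idx = 1
    if idx < len(chunks) and chunks[idx][:1] == b"\x01":
        idx += 1
    if idx >= len(chunks):
        return None
    request = parse_request(chunks[idx])
    if request is None:
        return None
    return {"auth_methods": methods, **request}


def find_socks_flows(flows) -> list:
    """flows: iterable of dicts {src, dst, client_chunks}; returns findings."""
    findings = []
    for flow in flows:
        finding = inspect_flow(flow["client_chunks"])
        if finding is not None:
            findings.append({"src": flow["src"], "dst": flow["dst"], **finding})
    return findings


# Constructed sample flows (not captured traffic): a plain HTTP request, a
# SOCKS5 CONNECT with user/password auth towards an internal SMB host, and
# a SOCKS5 CONNECT by domain name.
SAMPLE_FLOWS = [
    {"src": "10.1.2.3:50112", "dst": "10.1.2.10:80",
     "client_chunks": [b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"]},
    {"src": "203.0.113.7:41000", "dst": "10.1.2.3:9000",
     "client_chunks": [b"\x05\x02\x00\x02",
                       b"\x01\x03bob\x06hunter",
                       b"\x05\x01\x00\x01\x0a\x00\x00\x05\x01\xbd"]},
    {"src": "203.0.113.7:41001", "dst": "10.1.2.3:9000",
     "client_chunks": [b"\x05\x01\x00",
                       b"\x05\x01\x00\x03\x0bexample.com\x01\xbb"]},
]

if __name__ == "__main__":
    for f in find_socks_flows(SAMPLE_FLOWS):
        print(f"{f['src']} -> {f['dst']}: SOCKS5 {f['cmd']} {f['host']}:{f['port']}")
```

A SOCKS5 request arriving at a workstation from outside, or a CONNECT aimed at an internal SMB or RDP port as in the second sample flow, is the pattern worth alerting on. A bot that encrypts or wraps its proxy channel will not match this plain-protocol check, so pair it with the C2 indicators from the vendor reports listed under Source Document References.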
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance:
Malware, Trojan, Ransomware, Windows, Proxy, Backdoor, Cobalt Strike, RAT, Beacon, Remcos, Exploit, MaaS, Payload, Bot, Loader, Lateral Move..., Linux, Reconnaissance, ESXi, Ransomware P..., GBHackers, T1090.002 (Proxy: External Proxy), Malware Drop..., VPN, Kaspersky, Loader Malware, Malware Loader, RMM, Phishing, Encrypt
Associated Malware
(ID, association type, votes, profile description)

SmokeLoader (Unspecified, 3 votes): SmokeLoader is a malicious software (malware) that has been extensively used by threat actors, particularly those associated with the Phobos ransomware. It functions as a backdoor trojan, often arriving on victims' systems via spoofed email attachments embedded with hidden payloads. Once downloaded,

Vidar (Unspecified, 2 votes): Vidar is a Windows-based malware written in C++, derived from the Arkei stealer, which is designed to infiltrate and exploit computer systems. It has been used alongside other malware variants such as Emotet, IcedID, CobaltStrike, SVCReady, CargoBay, Pushdo, Minodo, DiceLoader, AresLoader, LummaC2,

RedLine Stealer (Unspecified, 2 votes): RedLine Stealer is a malicious software that was used to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. In July 2023, Unit 42 conducted an analysis of a RedLine Stealer infection using Wireshark, a network protocol analyzer. The analysis in

Amadey (Unspecified, 2 votes): Amadey is a malicious software (malware) that has been found to be used in conjunction with other malware such as Remcos, GuLoader, and Formbook. Analysis of the infection chains revealed that the individual behind the sales of Remcos and GuLoader also uses Amadey and Formbook, using GuLoader as a p

HijackLoader (Unspecified, 2 votes): HijackLoader is a new type of malware that has been rapidly gaining popularity within the cybercrime community. As with other types of malicious software, it is designed to exploit and damage computer systems. It can infiltrate these systems through suspicious downloads, emails, or websites, often u

IcedID (Unspecified, 2 votes): IcedID is a malicious software (malware) designed to exploit and damage computer systems. It infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom

PikaBot (Unspecified, 2 votes): PikaBot is a harmful malware that emerged in 2023, designed to exploit and damage computer systems. It infiltrates systems through dubious downloads, emails, or websites, often undetected by the user. Once inside a system, PikaBot can pilfer personal information, disrupt operations, or even ransom d

Vidar Stealer (Unspecified, 1 vote): Vidar Stealer is a form of malware, a malicious software designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold dat

ISFB (Unspecified, 1 vote): ISFB, also known as Gozi or Ursnif, is a form of malware that has been a significant part of the cyberthreat landscape for several years. This malicious software is designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites without the user'

RedLine (Unspecified, 1 vote): RedLine is a notorious malware, discovered in March 2020, designed to exploit computer systems and steal sensitive personal information such as login credentials, cryptocurrency wallets, and financial data. It exports this stolen data to its command-and-control infrastructure. The malware has been u

Phobos (Unspecified, 1 vote): Phobos is a type of malware, specifically a ransomware, that has been a significant cause for concern in the cyber security world. This malicious software infiltrates systems through dubious downloads, emails, or websites and can cause severe damage by stealing personal information, disrupting opera

Narwal Spider (Unspecified, 1 vote): None

Bumblebee (Unspecified, 1 vote): Bumblebee is a type of malware that has been linked to ITG23, a cybercriminal group known for its use of crypters with malware families such as Emotet, IcedID, Qakbot, Bumblebee, and Gozi. Distributed via phishing campaigns or compromised websites, Bumblebee enables the delivery and execution of further payloads. The sam

TrickBot (Unspecified, 1 vote): TrickBot is a notorious form of malware that infiltrates systems to exploit and damage them, often through suspicious downloads, emails, or websites. Once it has breached a system, TrickBot can steal personal information, disrupt operations, and even hold data hostage for ransom. It has been linked

BlackBasta (Unspecified, 1 vote): BlackBasta is a malicious software (malware) known for its disruptive and damaging effects on computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even ho

GootLoader (Unspecified, 1 vote): GootLoader is a potent malware that forms part of the GootKit malware family, which has been active since 2014. The malware operates by exploiting systems through suspicious downloads, emails, or websites, often without the user's knowledge. Its primary targets are professionals working in law firms

TAC5279 (Unspecified, 1 vote): TAC5279 is a potent malware, designed to exploit and damage computer systems. This malicious software is known to infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, TAC5279 can steal personal information, disrupt operations, or

Black Basta (Unspecified, 1 vote): Black Basta is a notorious malware entity known for its devastating ransomware attacks. First emerging in June 2022, the group has since been associated with a series of high-profile cyber-attacks worldwide. This malware, like others, infiltrates systems through suspicious downloads, emails, or webs

Brute Ratel (Unspecified, 1 vote): Brute Ratel is a commercial post-exploitation framework (Brute Ratel C4) that has been abused in a series of cyber attacks targeting diplomatic staff and other sensitive targets. It's delivered through custom loaders embedded in lure documents, which are designed to trick the recipient into triggering the infection process. On

Vanilla Tempest (Unspecified, 1 vote): None

QakBot (Unspecified, 1 vote): Qakbot is a potent malware, a malicious software designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it has the potential to steal personal information, disrupt operations, or e

Batloader (Unspecified, 1 vote): Batloader is a malware downloader posing as installers or updates for legitimate applications such as Microsoft Teams, Zoom, and others. This malicious software can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal

DarkGate (Unspecified, 1 vote): DarkGate is a malicious software (malware) that poses significant threats to computer systems and data. It infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold your data hos

SDBbot (Unspecified, 1 vote): SDBbot is a malicious software (malware) that infiltrates computer systems typically through deceptive downloads, emails, or websites. In the context of cyber threats, it falls under the category of custom malware, used by threat groups such as GOLD TAHOE. Other common offensive security tools and c

AresLoader (Unspecified, 1 vote): AresLoader is a type of malware that was first advertised for sale on the top-tier Russian-language hacking forum XSS in December 2022 by a threat actor named "DarkBLUP". This malicious software is designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emai
Associated Threat Actors
(ID, association type, votes, profile description)

Vice Society (Unspecified, 2 votes): Vice Society, a threat actor group known for its malicious activities, has been linked to a series of ransomware attacks targeting various sectors, most notably education and healthcare. Throughout 2022 and the first half of 2023, Vice Society, along with Royal Ransomware, were actively executing mu

FIN12 (Unspecified, 2 votes): FIN12, also known as DEV-0237 and Pistachio Tempest, is a threat actor group notorious for its malicious cyber activities. Tracked by Microsoft, this group is primarily engaged in the distribution of Hive, Conti, and Ryuk ransomware. The group has been responsible for several high-profile ransomware

Pistachio Tempest (Unspecified, 2 votes): Pistachio Tempest, also known as FIN12, is a threat actor that has been identified as a significant cybersecurity risk, particularly to the healthcare industry. According to a report by the U.S. Department of Health and Human Services (HHS) in 2022, this group has specifically targeted healthcare en

Rhysida (Unspecified, 2 votes): Rhysida, a threat actor known for executing malicious cyber activities, has been responsible for numerous ransomware attacks. The group has primarily targeted businesses and healthcare organizations, with notable instances including a disruptive attack on Ann & Robert H. Lurie Children's Hospital of

DarkSide (Unspecified, 1 vote): DarkSide is a notable threat actor that emerged in the cybersecurity landscape with its advanced ransomware operations. In 2021, the group gained significant attention for its attack on the United States' largest oil pipeline, Colonial Pipeline, causing a temporary halt to all operations for three d

8base (Unspecified, 1 vote): 8base, a significant threat actor in the cybersecurity landscape, has been active between April 2022 and May 2023. This group, while not new, has recently increased its visibility with the activation of a public leak site used to pressure victims into paying ransoms. In the last month alone, 8base o
Associated Vulnerabilities
(ID, association type, votes, profile description)

Zerologon (Unspecified, 1 vote): Zerologon is a critical vulnerability (CVE-2020-1472) in Microsoft's Netlogon Remote Protocol, impacting all versions of Windows Server OS from 2008 onwards. A flaw in the protocol's AES-CFB8 cryptographic implementation allows attackers to bypass authentication mechanisms and change computer passwords wi

TA544 Narwal Spider (Unspecified, 1 vote): None
Source Document References
Information about the SystemBC malware was read from the documents below (source, created, title). This display is limited to 20 results.
Securityaffairs (2 months ago): Operation Endgame, the largest law enforcement operation ever against botnets
DARKReading (4 months ago): Hackers Posing as Law Firms Phish Global Orgs
CrowdStrike (4 months ago): The Anatomy of an ALPHA SPIDER Ransomware Attack
CERT-EU (5 months ago): Cyber Security Week in Review: March 1, 2024
CERT-EU (5 months ago): The Anatomy of an ALPHA SPIDER Ransomware Attack | #ransomware | #cybercrime | National Cyber Security Consulting
Securityaffairs (5 months ago): IDAT Loader used to infect a Ukraine entity in Finland with Remcos RAT
CERT-EU (6 months ago): JinxLoader Malware: Next-Stage Payload Threats Revealed
CERT-EU (6 months ago): The Top 10 Ransomware Groups of 2023
CERT-EU (7 months ago): New JinxLoader Targeting Users with Formbook and XLoader Malware | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
Malwarebytes (7 months ago): Ransomware review: December 2023
CISA (7 months ago): #StopRansomware: Play Ransomware | CISA
CERT-EU (7 months ago): Play Ransomware: SafeBreach Coverage for US-CERT Alert (AA23-352A)
Securelist (8 months ago): Kaspersky malware report for Q3 2023
CERT-EU (8 months ago): Same threats, different ransomware
CERT-EU (8 months ago): SystemBC, a SWISS KNIFE Proxy Malware, Used by Numerous Ransomware Groups
CERT-EU (8 months ago): Citrix Bleed Vulnerability: Background and Recommendations - ReliaQuest
CERT-EU (9 months ago): IBM X-Force Discovers Gootloader Malware Variant- GootBot
CERT-EU (9 months ago): New 'GootBot' strain of Gootloader malware stokes ransomware fears
Securelist (9 months ago): Updated MATA attacks industrial companies in Eastern Europe
CERT-EU (9 months ago): Southern African power generator targeted with DroxiDat malware | #daitngscams | #lovescams | #datingscams | #love | #relationships | #scams | #pof | #match.com | #dating | National Cyber Security Consulting