Systembc

Malware updated 12 days ago (2024-11-11T15:01:28.375Z)
SystemBC is a malware family that infiltrates systems through dubious downloads, emails, or websites, often without the user noticing. Once embedded, it can steal personal information, interrupt operations, or hold data hostage for ransom. It has been observed alongside other malware such as Quicksand and BlackBasta during attacks attributed to teams deploying BlackBasta in 2023. It has also been used by Play ransomware actors, who employ command and control (C2) applications including Cobalt Strike and SystemBC, together with tools like PsExec, to assist with lateral movement and file execution.

In addition to pilfering sensitive data, SystemBC can deliver secondary payloads such as the SystemBC proxy malware. The attackers have used compromised credentials gathered by the stealer to move between systems via WinRM and PowerShell remoting, executing a set of two scripts confirmed to be part of the SystemBC proxy malware. The original SystemBC file is encrypted with an XOR key; because the null-byte padding between PE sections is encrypted as well, the key is exposed (null bytes XORed with the key yield the key itself). Furthermore, the SystemBC payload in update8.exe is dynamically retrieved from an encrypted resource and injected directly into a child process bearing the same name.

Between May 27 and 29, 2024, an international law enforcement operation coordinated by Europol, codenamed Operation Endgame, targeted malware droppers including SystemBC, IcedID, Pikabot, Smokeloader, Bumblebee, and Trickbot. Trend Micro MDR was first alerted to the breach via Vision One Workbench alerts following the detection of a command-and-control tool identified as SYSTEMBC by the Apex One Endpoint Protection Platform (EPP) agent. The Play ransomware group has used various malware tools, including SYSTEMBC, a proxy malware that delivers other payloads such as ransomware, and GRIXBA, a custom tool designed to evade signature-based detections.
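The description above notes that the XOR-encrypted SystemBC file leaks its key because the null padding between PE sections is encrypted too. The following is an added worked example of that analysis step, written for this page and not taken from any vendor report or real sample: it builds a constructed PE-like buffer with null padding, XOR-encrypts it with a constructed key, then recovers the key from the periodic stretch of ciphertext that the padding produces and decrypts the buffer. The key, section contents, padding width and function names are all assumptions for illustration.

```python
"""
Added example: recover a repeating XOR key from a blob whose padding
between sections is known to be null bytes, then decrypt it.

All data below is constructed; no real SystemBC binary is used or
reproduced.  The observation exploited is simple: 0x00 XOR k == k, so
where the plaintext was null padding the ciphertext *is* the key stream.
"""
from typing import Optional, Tuple

# Constructed 8-byte key (hypothetical, not from any real sample).
SAMPLE_KEY = bytes([0x37, 0x6B, 0xC4, 0x19, 0xA2, 0xDE, 0x5C, 0x91])

# Constructed stand-in for a PE image: three "sections" of ASCII content
# separated by 32-byte runs of null padding (real PE files pad sections to
# the file alignment, typically 0x200, with zeros; 32 is enough to show it).
SAMPLE_PLAIN = (
    b"MZ This program cannot be run in DOS mode."
    + bytes(32)
    + b".text  push ebp; mov ebp, esp; call main; ret"
    + bytes(32)
    + b".data  config=placeholder-c2.invalid:443"
)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; used both to build the sample and to decrypt it."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# The "encrypted file" an analyst would be handed.
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAIN, SAMPLE_KEY)


def recover_xor_key(blob: bytes, max_key_len: int = 64, pad_byte: int = 0) -> Optional[bytes]:
    """
    Find the shortest period p for which some stretch of the blob repeats
    with period p for at least 3*p bytes.  If that stretch came from padding
    made of the constant byte `pad_byte`, the repeating unit XOR pad_byte is
    the key, aligned to file offset 0.  Returns None if nothing periodic is
    found.

    Caveat: the result is only the key when the padding really was
    `pad_byte`; analysing 0xCC padding as if it were 0x00 yields key ^ 0xCC.
    """
    n = len(blob)
    for p in range(1, max_key_len + 1):
        run = 0
        for i in range(p, n):
            if blob[i] != blob[i - p]:
                run = 0
                continue
            run += 1
            if run < 2 * p:            # need run + p >= 3p bytes of period-p data
                continue
            start = i - run + 1 - p    # first byte of the periodic stretch
            key = bytearray(p)
            for j in range(p):
                # blob[x] == pad_byte ^ key[x % p]; pick an x inside the
                # stretch with x % p == j so the key comes out file-aligned.
                x = start + ((j - start) % p)
                key[j] = blob[x] ^ pad_byte
            return bytes(key)
    return None


def decrypt_with_recovered_key(blob: bytes) -> Tuple[Optional[bytes], Optional[bytes]]:
    """Convenience wrapper: returns (key, plaintext), or (None, None) if no key was found."""
    key = recover_xor_key(blob)
    if key is None:
        return None, None
    return key, xor_bytes(blob, key)


if __name__ == "__main__":
    key, plain = decrypt_with_recovered_key(SAMPLE_BLOB)
    print("recovered key :", key.hex())
    print("decrypted head:", plain[:42])
```

The scan returns the shortest period first, so a key that is itself periodic is reported in its reduced form, which decrypts identically. The `pad_byte` parameter exists because the trick depends on knowing the padding value: if a packer pads with 0xCC or 0x90 instead of nulls, the periodic stretch is still found but the recovered bytes are the key XORed with that constant.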
Description last updated: 2024-11-11T14:46:04.115Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias (votes): Description
Droxidat (4 votes): Droxidat is a possible alias for Systembc. DroxiDat, a new variant of the SystemBC malware, was deployed in a series of attacks on critical infrastructure targets in Africa during the third and fourth weeks of March. The malware, which acts as a system profiler and simple SOCKS5-capable bot, was specifically detected at an electric utility c
Coroxy (2 votes): Coroxy is a possible alias for Systembc. Coroxy is a multifaceted malware, also known as SystemBC, DroxiDat, or Proxy, that serves as a backdoor and remote access tool (RAT), adapting to the requirements of attackers. It has been associated with the Play ransomware group, and its infection chain includes various tools such as PsExec, NetSc
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Trojan
Ransomware
Backdoor
Windows
Proxy
Cobalt Strike
Payload
Rat
Loader
Lateral Move...
Tool
Remcos
Phishing
Linux
Reconnaissance
Esxi
Maas
Bot
Beacon
Exploit
Associated Malware
Alias (association type, votes): Description
Smokeloader (Unspecified, 3 votes): The Smokeloader Malware is associated with Systembc. SmokeLoader is a malicious software (malware) that acts as a loader for other malware, injecting malicious code into the currently running explorer process and downloading additional payloads to the system. It has been used in conjunction with Phobos ransomware by threat actors who exploit its funct
Hijackloader (Unspecified, 2 votes): The Hijackloader Malware is associated with Systembc. HijackLoader is a new and rapidly growing malware in the cybercrime community, designed to exploit and damage computer systems. This malicious software infects systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once infiltrated, HijackLoader can steal personal
IcedID (Unspecified, 2 votes): The IcedID Malware is associated with Systembc. IcedID is a malicious software (malware) that has been implicated in numerous cybercrime campaigns. It has been associated with other notable malware such as Qakbot, BazarLoader, CobaltStrike, Conti, Gozi, Trickbot, Quantum, Emotet, Pikabot, and SystemBC. Its distribution often involves the use of d
Pikabot (Unspecified, 2 votes): The Pikabot Malware is associated with Systembc. Pikabot is a type of malware that serves as a trojan, providing initial access to infected computers. This enables the execution of ransomware deployments, remote takeovers, and data theft. It is part of a wider array of malicious software, including IcedID, Qakbot, Gozi, DarkGate, AsyncRAT, JinxLoa
Black Basta (Unspecified, 2 votes): The Black Basta Malware is associated with Systembc. Black Basta is a notorious malware group known for its sophisticated ransomware attacks, which have targeted numerous high-profile entities. The group has demonstrated a remarkable ability to adapt their tactics, techniques, and procedures (TTPs), allowing them to effectively evade security defenses
Vidar (Unspecified, 2 votes): The Vidar Malware is associated with Systembc. Vidar is a malicious software (malware) that primarily targets Windows systems, written in C++ and based on the Arkei stealer. It has historically been favored by threat actors who sell logs through marketplaces like 2easy, alongside other infostealers such as Raccoon, RedLine, and AZORult. The malw
Redline Stealer (Unspecified, 2 votes): The Redline Stealer Malware is associated with Systembc. The RedLine Stealer is a formidable malware that specializes in stealthily stealing credentials and sensitive information. First documented in 2020, it has since evolved to use the Windows Communication Foundation (WCF) framework and later a REST API for network communication. This malware infects s
Amadey (Unspecified, 2 votes): The Amadey Malware is associated with Systembc. Amadey is a malicious software (malware) that has been known since 2018 and is notorious for stealing credentials from popular browsers and various Virtual Network Computing (VNC) systems. The malware, which is often sold in underground forums, uses sophisticated techniques to infect systems, includ
Associated Threat Actors
Alias (association type, votes): Description
Pistachio Tempest (Unspecified, 2 votes): The Pistachio Tempest Threat Actor is associated with Systembc. Pistachio Tempest, also known as FIN12, is a threat actor that has been identified as a significant cybersecurity risk, particularly to the healthcare industry. According to a report by the U.S. Department of Health and Human Services (HHS) in 2022, this group has specifically targeted healthcare en
Rhysida (Unspecified, 2 votes): The Rhysida Threat Actor is associated with Systembc. Rhysida is a globally active threat actor known for its ransomware operations, which have impacted a wide range of sectors, particularly the government and public sector. Their use of CleanUpLoader makes their operations highly effective and difficult to detect, as it not only facilitates persistenc
Vice Society (Unspecified, 2 votes): The Vice Society Threat Actor is associated with Systembc. Vice Society, a threat actor or hacking team with malicious intent, has been active since 2022 and has made significant waves in the cybersecurity world. The group is known for deploying various forms of ransomware, including BlackCat, Quantum Locker, Zeppelin, and their own branded variant of Zeppe
FIN12 (Unspecified, 2 votes): The FIN12 Threat Actor is associated with Systembc. FIN12, also known as DEV-0237 and Pistachio Tempest, is a threat actor group notorious for its malicious cyber activities. Tracked by Microsoft, this group is primarily engaged in the distribution of Hive, Conti, and Ryuk ransomware. The group has been responsible for several high-profile ransomware
Source Document References
Information about the Systembc Malware was read from the documents corpus below. This display is limited to 20 results.
Source (created)
Securelist (12 days ago)
Securityaffairs (a month ago)
BankInfoSecurity (2 months ago)
Trend Micro (3 months ago)
Securityaffairs (3 months ago)
Securityaffairs (3 months ago)
Securityaffairs (6 months ago)
DARKReading (8 months ago)
CrowdStrike (8 months ago)
CERT-EU (9 months ago)
CERT-EU (9 months ago)
Securityaffairs (9 months ago)
CERT-EU (10 months ago)
CERT-EU (10 months ago)
CERT-EU (a year ago)
Malwarebytes (a year ago)
CISA (a year ago)
CERT-EU (a year ago)
Securelist (a year ago)
CERT-EU (a year ago)