SystemBC

Malware updated 23 days ago (2024-08-15T12:17:43.187Z)
SystemBC is a malware family that has been heavily used in cyber-attacks and data breaches. Throughout 2023 it was frequently deployed alongside other malware, such as Quicksand and BlackBasta, by cybercriminals exploiting vulnerabilities in computer systems. Play ransomware actors leveraged command-and-control (C2) applications such as Cobalt Strike and SystemBC, together with tools like PsExec, to support lateral movement and file execution. In that intrusion chain the SystemBC payload was retrieved dynamically from an encrypted resource and injected directly into a child process of the same name. SystemBC has also been delivered as a secondary payload by other malware such as Vidar.

Use of SystemBC escalated significantly through its association with the Black Basta ransomware group. Researchers from Rapid7 identified a social engineering campaign that distributed a SystemBC dropper on behalf of that ransomware operation; the payloads were named to match the initial lure and included SystemBC malware, Golang HTTP beacons, and SOCKS proxy beacons. Despite repeated takedown efforts, the criminal activity behind the targeted botnets continued, and malware researcher Rohit Bansal warned of an active server spreading SystemBC.

In response to the growing threat, international law enforcement coordinated an operation codenamed "Operation Endgame" between May 27 and 29, 2024, targeting malware droppers including IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee, and Trickbot. Even so, the SystemBC RAT and other malware such as the Gozi (Ursnif) banking Trojan continued to pose significant threats. Affiliates have used Linux variants of Cobalt Strike and SystemBC to perform reconnaissance of VMware ESXi servers before deploying ransomware, demonstrating the ongoing risk posed by SystemBC.
Description last updated: 2024-08-15T12:15:38.033Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Columns: ID | Votes | Profile Description

ID: Droxidat | Votes: 4
DroxiDat, a new variant of the SystemBC malware, was deployed in a series of attacks on critical infrastructure targets in Africa during the third and fourth weeks of March. The malware, which acts as a system profiler and simple SOCKS5-capable bot, was specifically detected at an electric utility c

ID: Coroxy | Votes: 2
Coroxy is a multifaceted malware, also known as SystemBC, DroxiDat, or Proxy, that serves as a backdoor and remote access tool (RAT), adapting to the requirements of attackers. It has been associated with the Play ransomware group, and its infection chain includes various tools such as PsExec, NetSc
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Trojan
Ransomware
Windows
Backdoor
RAT
Proxy
Cobalt Strike
Payload
Loader
Lateral Move...
Tool
Remcos
Phishing
Linux
Reconnaissance
ESXi
MaaS
Bot
Beacon
Exploit
Associated Malware
Columns: ID | Type | Votes | Profile Description

ID: Smokeloader | Type: Unspecified | Votes: 3
Smokeloader is a malicious software (malware) that has been utilized by threat actors, specifically Phobos actors, to embed ransomware as a hidden payload. This malware, acting as a loader for other malware, infects systems through suspicious downloads, emails, or websites, often without the victim'

ID: Hijackloader | Type: Unspecified | Votes: 2
HijackLoader is a rapidly growing malware in the cybercrime community, designed to exploit and damage computer systems. It operates as a modular multi-stage loader with a strong focus on evading detection, making it a potent threat to cybersecurity. The malware infects systems through suspicious dow

ID: IcedID | Type: Unspecified | Votes: 2
IcedID is a malicious software (malware) that has been linked to various cybercrime operations. The malware can infiltrate systems via suspicious downloads, emails, or websites and proceed to steal personal information, disrupt operations, or hold data for ransom. IcedID has been associated with oth

ID: Pikabot | Type: Unspecified | Votes: 2
PikaBot is a malicious software (malware) known for providing initial access to infected computers, enabling ransomware deployments, remote takeovers, and data theft. It's part of an array of malware families such as IcedID, Qakbot, Gozi, DarkGate, AsyncRAT, JinxLoader, among others, which have been

ID: Black Basta | Type: Unspecified | Votes: 2
Black Basta is a notorious malware group known for its ransomware activities. The group has been active since at least early 2022, during which time it has accumulated an estimated $107 million in Bitcoin ransom payments. It leverages malicious software to infiltrate and exploit computer systems, of

ID: Vidar | Type: Unspecified | Votes: 2
Vidar is a type of malware specifically designed to infiltrate and exploit Windows-based systems. It's written in C++ and is based on the Arkei stealer, which means it has the capability to steal personal information from infected devices. Vidar has been found impersonating legitimate software appli

ID: Redline Stealer | Type: Unspecified | Votes: 2
RedLine Stealer is a malicious software (malware) that infiltrates computer systems and devices, often unbeknownst to users. The malware can infect systems through suspicious downloads, emails, or websites, causing significant damage by stealing personal information, disrupting operations, or even h

ID: Amadey | Type: Unspecified | Votes: 2
Amadey is a sophisticated malware that has been identified as being used in various malicious campaigns. The malware is typically delivered through GuLoader, a loader known for its use in protecting payloads against antivirus detection. Analysis of the infection chains revealed encrypted Amadey payl
Associated Threat Actors
Columns: ID | Type | Votes | Profile Description

ID: Pistachio Tempest | Type: Unspecified | Votes: 2
Pistachio Tempest, also known as FIN12, is a threat actor that has been identified as a significant cybersecurity risk, particularly to the healthcare industry. According to a report by the U.S. Department of Health and Human Services (HHS) in 2022, this group has specifically targeted healthcare en

ID: Rhysida | Type: Unspecified | Votes: 2
Rhysida, a threat actor active since May 2023, is responsible for a series of ransomware attacks, with a significant focus on the healthcare sector. It accounts for 8% of total cyberattacks, with 38% of its attacks targeting healthcare institutions. The group's modus operandi includes transferring R

ID: Vice Society | Type: Unspecified | Votes: 2
Vice Society, a threat actor group known for its malicious activities, has been linked to a series of ransomware attacks targeting various sectors, most notably education and healthcare. Throughout 2022 and the first half of 2023, Vice Society, along with Royal Ransomware, were actively executing mu

ID: FIN12 | Type: Unspecified | Votes: 2
FIN12, also known as DEV-0237 and Pistachio Tempest, is a threat actor group notorious for its malicious cyber activities. Tracked by Microsoft, this group is primarily engaged in the distribution of Hive, Conti, and Ryuk ransomware. The group has been responsible for several high-profile ransomware
Source Document References
Information about the SystemBC malware was read from the document corpus below. This display is limited to 20 results.
Columns: Source | Created At | Title

Trend Micro | 18 days ago | How Trend Micro Managed Detection and Response Pressed Pause on a Play Ransomware Attack
Securityaffairs | 21 days ago | Security Affairs newsletter Round 485 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs | 23 days ago | Black Basta ransomware gang linked to a malware campaign
Securityaffairs | 3 months ago | Operation Endgame, the largest law enforcement operation ever against botnets
DARKReading | 6 months ago | Hackers Posing as Law Firms Phish Global Orgs
CrowdStrike | 6 months ago | The Anatomy of an ALPHA SPIDER Ransomware Attack
CERT-EU | 6 months ago | Cyber Security Week in Review: March 1, 2024
CERT-EU | 6 months ago | The Anatomy of an ALPHA SPIDER Ransomware Attack | #ransomware | #cybercrime | National Cyber Security Consulting
Securityaffairs | 6 months ago | IDAT Loader used to infect a Ukraine entity in Finland with Remcos RAT
CERT-EU | 8 months ago | JinxLoader Malware: Next-Stage Payload Threats Revealed
CERT-EU | 8 months ago | The Top 10 Ransomware Groups of 2023
CERT-EU | 8 months ago | New JinxLoader Targeting Users with Formbook and XLoader Malware | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
Malwarebytes | 9 months ago | Ransomware review: December 2023
CISA | 9 months ago | #StopRansomware: Play Ransomware | CISA
CERT-EU | 9 months ago | Play Ransomware: SafeBreach Coverage for US-CERT Alert (AA23-352A)
Securelist | 9 months ago | Kaspersky malware report for Q3 2023
CERT-EU | 10 months ago | Same threats, different ransomware
CERT-EU | 10 months ago | SystemBC, a SWISS KNIFE Proxy Malware, Used by Numerous Ransomware Groups
CERT-EU | 10 months ago | Citrix Bleed Vulnerability: Background and Recommendations - ReliaQuest
CERT-EU | 10 months ago | IBM X-Force Discovers Gootloader Malware Variant- GootBot