Ryuk, Egregor Ransomware Attacks Leverage SystemBC Backdoor
#1
Information 
Quote:Commodity malware backdoor SystemBC has evolved to now automate a number of key activities, as well as use the anonymizing Tor platform. These overarching changes make it both easier for cybercriminals to deploy the backdoor, as well as cloak the destination of the command-and-control (C2) traffic.
 
SystemBC, a proxy and remote administrative tool, was first discovered in 2019. Researchers believe it is being used by ransomware-as-a-service affiliates due to it being associated with multiple types of ransomware that are deployed in the same way. Once it’s executed, the backdoor is used by ransomware actors to set up a persistent connection on victim systems.
 
“While SystemBC has been around for over a year, we’ve seen both its use and its features continue to evolve,” said Sivagnanam Gn and Sean Gallagher, researchers with Sophos, in a Wednesday analysis. “The most recent samples of SystemBC carry code that, instead of acting essentially as a virtual private network via a SOCKS5 proxy, uses the Tor anonymizing network to encrypt and conceal the destination of command and control traffic.”

Researchers warn that over the past few months they have detected hundreds of attempted SystemBC deployments globally. The backdoor has been utilized in recent Ryuk and Egregor ransomware attacks, and has also often been leveraged in combination with post-exploitation tools such as Cobalt Strike, they said.
 
Initially, ransomware groups that leverage SystemBC have been observed first infecting systems using spam or phishing emails. These emails then trick the victim into downloading the Buer loaderQBotZLoader or other types of malware, which are used for initial exploitation and lateral movement.
 
From there, attackers then use SystemBC (along with Cobalt Strike, in some cases) in order to scoop up passwords from victim systems – although in some cases, the SystemBC backdoor was only deployed to servers after attackers gained administrative credentials, and then used it to move deeper into the targeted network, researchers said.
 
SystemBC is used primarily to gain further persistence on the victim system. In what’s now a more automated process, the backdoor can deploy PowerShells; .CMD scripts (A CMD script file features one or more commands in plain text format that are executed in order to perform various tasks); Windows commands; malicious executables and dynamic link libraries (DLLs).
 
Researchers said, these key activities have been automated now so that operators can launch multiple attacks without the need for hands-on-keyboard activity. They are used for further exploitation and the deployment of the final ransomware (which in recent cases have been Ryuk or Egregor).

Read more: https://threatpost.com/ryuk-egregor-rans...or/162333/
[-] The following 1 user says Thank You to silversurfer for this post:
  • harlan4096
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:





[-]
Recent Posts
QOwnNotes 19.1.6
24.12.4 The wel...Kool — 12:56
INTEL Arc Graphics 32.0.101.6325/6253 dr...
Highlights Fix...harlan4096 — 11:06
GFYI [Official] Revo Uninstaller Pro v5...
"Share feedback...damien76 — 09:01
GFYI [Official] SpyShelter PRO v15 Chri...
Merry Christmas and ...damien76 — 08:56
GFYI [Official] IObit Christmas 2024 Bl...
Merry Christmas and ...damien76 — 08:54

[-]
Birthdays
Today's Birthdays
No birthdays today.
Upcoming Birthdays
No upcoming birthdays.

[-]
Online Staff
harlan4096's profile harlan4096
Administrator

>