Technology that improves lives just as quickly breeds threat actors who exploit it. The latest illustration is a “previously undocumented malware” that not only infects a victim’s computer but also serves as cover for other malware already running on the compromised device.
This malware, dubbed SystemBC by researchers at Proofpoint, the cybersecurity firm that discovered it, sets up a proxy that other malware can use to disguise its traffic and keep the device’s security controls from flagging unusual network activity.
The researchers describe SystemBC as “Christmas in July” for SOCKS5 malware: it runs a SOCKS5 proxy on the infected host, and other malware can push its command-and-control traffic through that proxy to get past network security controls. The researchers who disclosed the discovery name “well-known banking Trojans such as Danabot” among the beneficiaries.
SystemBC is an enabler, not an attacker
In layman’s terms, SystemBC is not designed to attack the victim’s computer itself; it is designed to shield other malware while that malware does its dirty work. SystemBC is an enabler rather than an active attacker.
Proofpoint reports that SystemBC is distributed through exploit kits, which drop it alongside other dangerous malware whose traffic it then cloaks in both directions. An exploit kit is a toolkit hosted on compromised or attacker-controlled websites that fingerprints a visitor’s browser and plugins, exploits known vulnerabilities, and installs malware as the user browses. The researchers have seen SystemBC samples delivered by two exploit kits: RIG and Fallout.
“While analyzing a Fallout EK campaign on June 4, 2019, Proofpoint researchers observed the distribution of a previously unseen proxy malware. Most recently, the malvertising-based Fallout exploit kit chain has been used to deliver instances of Maze ransomware,” the researchers wrote in their report.
Two days after spotting SystemBC in a Fallout campaign, on June 6, the researchers found it distributed “via a Fallout EK and PowerEnum campaign alongside an instance of the Danabot banking Trojan.”
Between July 18 and 22 the researchers observed the same malware delivered by the RIG exploit kit by way of the Amadey Loader.
The researchers do not believe this is the first time the malware has appeared in the wild. They note that in October 2018 the security researcher nao_sec (@nao_sec) tweeted about a similar sample, in that case delivering AZORult rather than Danabot. Proofpoint also hypothesizes that SystemBC may be related to Brushaloader and the campaigns around it.
Sold in the underground marketplace
Because the malware shows up in separate campaigns run by unrelated operators, the researchers believe SystemBC is being sold on underground markets. One piece of evidence is an advertisement on an underground forum offering a “socks5 backconnect system,” whose described functionality matches the SystemBC samples Proofpoint flagged in July.
The advertisement, written in Russian, also offers a command-and-control panel for SystemBC that lets buyers (prospective attackers) manage the infected hosts and the proxies running on them.
“The advertisement also contains screenshots of the C&C panel. The simple C&C panel boasts a list of victim computers, automated updating, and built-in authentication. The builder allows users to create a set number of samples with custom configurations,” the researchers reported.
The researchers warn that the relationship between SystemBC and other malware in the wild creates “new challenges” for network defenders.
“The synergy between SystemBC as a malicious proxy and mainstream malware creates new challenges for defenders relying on network edge detections to intercept and mitigate threats like banking Trojans,” they said.
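As an added illustration (this is not Proofpoint’s analysis or SystemBC’s code), the Python below scans the payloads sent by the SOCKS-client side of captured TCP flows for the RFC 1928 SOCKS5 handshake that any SOCKS5 proxy, including one like the “socks5 backconnect system” advertised above, has to speak, and reports the tunnelled destination. The sample flows, the RFC 5737 addresses, the credentials and the proxy port 4145 are constructed placeholders. In a backconnect design the handshake rides inside the victim’s outbound connection, so the side speaking “client” SOCKS may be the remote server and the handshake never shows up as an inbound connection at the edge.

```python
"""
Flag SOCKS5 (RFC 1928) handshakes inside captured TCP payloads.

Added example, not SystemBC's or Proofpoint's code. Sample flows are
constructed; RFC 5737 addresses and port numbers are placeholders.
"""
import ipaddress
import struct

SOCKS_VERSION = 5
CMD_NAMES = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4


def parse_greeting(payload):
    """Parse the client greeting (VER NMETHODS METHODS...).

    Returns the sorted list of offered auth methods, or None if the bytes
    are not a well-formed SOCKS5 greeting.
    """
    if len(payload) < 2 or payload[0] != SOCKS_VERSION:
        return None
    nmethods = payload[1]
    if nmethods == 0 or len(payload) != 2 + nmethods:
        return None
    return sorted(set(payload[2:]))


def parse_request(payload):
    """Parse VER CMD RSV ATYP DST.ADDR DST.PORT into a dict, or None."""
    if len(payload) < 4 or payload[0] != SOCKS_VERSION or payload[2] != 0:
        return None
    cmd, atyp, off = payload[1], payload[3], 4
    if cmd not in CMD_NAMES:
        return None
    if atyp == ATYP_IPV4 and len(payload) >= off + 4:
        host = str(ipaddress.IPv4Address(payload[off:off + 4]))
        off += 4
    elif atyp == ATYP_DOMAIN and len(payload) >= off + 1:
        n = payload[off]
        off += 1
        if n == 0 or len(payload) < off + n:
            return None
        host = payload[off:off + n].decode("ascii", "replace")
        off += n
    elif atyp == ATYP_IPV6 and len(payload) >= off + 16:
        host = str(ipaddress.IPv6Address(payload[off:off + 16]))
        off += 16
    else:
        return None
    if len(payload) != off + 2:  # exactly a 2-byte port must remain
        return None
    (port,) = struct.unpack("!H", payload[off:off + 2])
    return {"cmd": CMD_NAMES[cmd], "host": host, "port": port}


def scan_flow(flow_id, payloads):
    """Return alert strings for the ordered payloads of the SOCKS-client side of one flow.

    For a backconnect proxy the "client" side is the attacker's server
    speaking into the victim's outbound tunnel, so pass that direction.
    """
    if not payloads:
        return []
    methods = parse_greeting(payloads[0])
    if methods is None:
        return []
    alerts = ["%s: SOCKS5 greeting, auth methods offered %s" % (flow_id, methods)]
    # The request follows the server's method choice and an optional RFC 1929
    # username/password exchange, so look at every later payload.
    for payload in payloads[1:]:
        req = parse_request(payload)
        if req is not None:
            alerts.append("%s: SOCKS5 %s to %s:%d tunnelled via proxy"
                          % (flow_id, req["cmd"], req["host"], req["port"]))
            break
    return alerts


# Constructed sample flows (not real captures). Addresses are RFC 5737
# documentation ranges; proxy port 4145 and the credentials are placeholders.
SAMPLE_FLOWS = {
    "198.51.100.20:40001->10.0.0.5:4145": [          # no-auth CONNECT to an IPv4 C2
        b"\x05\x01\x00",
        b"\x05\x01\x00\x01\xcb\x00\x71\x0a\x01\xbb",  # 203.0.113.10:443
    ],
    "198.51.100.20:40002->10.0.0.5:4145": [          # user/pass auth, then CONNECT to a hostname
        b"\x05\x02\x00\x02",
        b"\x01\x03bot\x06secret",                     # RFC 1929 sub-negotiation, not a request
        b"\x05\x01\x00\x03\x0bexample.com\x01\xbb",   # example.com:443
    ],
    "10.0.0.5:49153->198.51.100.7:80": [b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"],
}


def run(flows=SAMPLE_FLOWS):
    """Scan every flow and return all alerts in order."""
    alerts = []
    for flow_id, payloads in flows.items():
        alerts.extend(scan_flow(flow_id, payloads))
    return alerts


if __name__ == "__main__":
    for line in run():
        print(line)
```

The parser is strict about lengths on purpose: a payload that carries a SOCKS5-looking version byte but trailing junk is rejected rather than half-parsed, which keeps false positives down when this is run over arbitrary binary traffic. A real deployment would feed it reassembled TCP payloads per direction rather than the hand-built lists above.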
Finally, the researchers urge vigilance: keep Windows client and server operating systems and infrastructure devices patched with vendor-recommended updates, and retire “the use of legacy systems which use susceptible browser plugins such as Adobe Flash Player” and other outdated Windows setups on which exploit kits like Fallout thrive.