Brand-New SystemBC Proxy Malware Spotted Using SOCKS5 for Stealth

systembc proxy malware

The proxy is being distributed by the RIG and Fallout exploit kits.

A previously undocumented proxy malware, dubbed “SystemBC,” is upping the stealth game by using SOCKS5 to evade detection. It’s being distributed by the Fallout and RIG exploit kits (EKs), according to researchers.

Proofpoint researchers said on Thursday that in the most recently tracked example, the Fallout EK is used to download the Danabot banking trojan and the SystemBC SOCKS5 proxy, the latter of which is then used on a victim’s Windows system to evade firewall detection of C2 traffic.

“Proxy malware is somewhat unusual – many types of malware set up their own proxy or use TOR for communications with their C2; others simply transmit data in the clear or encrypt data without using a proxy for transmission,” Chris Dawson, threat intelligence lead at Proofpoint, told Threatpost. “So dedicated proxy malware being downloaded alongside other malware that can use it is noteworthy in and of itself, as is its apparent use by multiple actors via EK.”

SystemBC has so far been found mainly in Asia, where EKs remain important attack tools thanks to the fact that Windows piracy is common, leading to unpatched, buggy systems, researchers said. The use of Fallout is particularly interesting, according to Proofpoint, given that malvertising-based EK has historically been used to deliver instances of Maze ransomware.

SystemBC is written in C++ and primarily sets up SOCKS5 proxies on victim computers that can then be used by threat actors to tunnel/hide the malicious traffic associated with other malware, according to Proofpoint.

Important strings such as the C2 servers, DNS servers and port number are encrypted with a 40-byte XOR key that is stored in memory – after establishing an initial connection to the C2, the malware creates an initial SOCKS5 proxy connection, and then a second proxy, which is assigned a special index number by the C2 server, so the C2 can associate traffic with a particular proxy.

This sample goes on to create yet another proxy, with a different domain name and an incrementing index assignment.

“With the proxies initialized, the client now begins to retrieve data requested from the C2 via HTTPS,” the researchers wrote in a Thursday writeup.

“The use of SOCKS5 is not a major differentiator; it’s just another potential technology malware authors can use for this purpose and the primary proxy protocol,” Dawson said.

Interestingly, SystemBC may also have connections to the malware dropper known as Brushaloader, researchers said. Brushaloader is being used by the financially motivated threat actor TA544, among others.

The connection is in a first-stage script called PowerEnum, which in the Fallout EK campaign for SystemBC was observed instructing the download of Danabot Affid 4 and the proxy malware.

“PowerEnum is a PowerShell script that is integral with and used by Brushaloader; PowerEnum performs extensive fingerprinting on infected devices and sends the data back to the C2 and shares overall C2 infrastructure with Brushaloader,” Dawson told Threatpost. “We also observed PowerEnum being dropped by Fallout EK in the same campaigns that delivered SystemBC and the instance of Danabot described in [the campaign]. So the precise relationship isn’t clear, but there does appear to be a connection via PowerEnum, although multiple actors may be purchasing and distributing the malware.”

Proofpoint’s telemetry picked up campaigns in June and July, but other researchers, including Vitali Kremez in May and @nao_sec in July, have also spotted the malware in the wild.

A related sample of this malware also may have been identified by other infosec researchers on Twitter as early as mid-October of 2018, where it was using AZORult as the initial payload.

“Since this proxy malware was being used in multiple separate campaigns, [we] believe it was very likely that it was being sold in an underground marketplace,” according to the firm’s analysis, released on Thursday. “Moreover, an advertisement from April 2 was found on an underground forum that described a malware named ‘socks5 backconnect system’ that matched the functionality of the malware seen in the [mentioned] campaigns.”

The malware’s name, SystemBC, is based on the URI path shown in the advertisement’s C2 panel screenshots, according to the firm. The panel acts as a dashboard, with a list of victim computers, automated updating and built-in authentication.

To protect themselves against the threat, organizations should keep their Windows client and server operating systems as well as infrastructure devices patched, retire susceptible browser plugins such as Adobe Flash Player, and replace legacy, end-of-life Windows systems like Windows XP, which may be susceptible to exploit kits such as Fallout and RIG.

Interested in more on patch management? Don’t miss our free Threatpost webinar, “Streamlining Patch Management,” now available on-demand. Please join Threatpost editor Tom Spring and a panel of patch experts as they discuss the latest trends in Patch Management, how to find the right solution for your business and what the biggest challenges are when it comes to deploying a program. Click here to listen (registration required).


Suggested articles

plugX malware loader TA416

TA416 APT Rebounds With New PlugX Malware Variant

The TA416 APT has returned in spear phishing attacks against a range of victims – from the Vatican to diplomats in Africa – with a new Golang version of its PlugX malware loader.