Posted on December 17, 2020 at 5:09 PM
Cybersecurity firm Sophos reported yesterday that it has discovered a new ransomware gang that uses SystemBC RAT as an off-the-shelf Tor backdoor.
The research reveals how SystemBC has become a full remote access tool that is used as a Tor proxy and deployed in ransomware-as-a-service attacks for data exfiltration, communications, and the execution of malicious modules.
Last year, when SystemBC was first discovered, it operated like a “virtual private network” through a SOCKS5 proxy.
One year later, it has been upgraded to provide a persistent backdoor that automates several activities, allowing operators to launch multiple attacks.
Hackers are continually looking for new methods and tactics to launch successful attacks while avoiding detection, and this capability allows threat actors to use the backdoor to plant ransomware, the Sophos security team warns.
Hackers are taking advantage of the upgraded SystemBC
Threat actors can launch these attacks by taking advantage of the upgraded SystemBC, even without hands-on-keyboard activity.
It can execute Windows commands received over a Tor connection while delivering and executing dynamic link libraries (DLLs), malicious executables, and other scripts.
The Sophos security team began its investigation after several ransomware-as-a-service attacks involving Egregor and Ryuk, both of which used SystemBC. After the investigation and research, the security firm found that SystemBC can be combined with different commodity tools, producing a wide profile of tactics, techniques, and procedures for launching ransomware attacks.
For example, some of the investigated Ryuk attacks show that SystemBC was deployed with the Buer Loader malware, while other similar attacks used Zloader or Bazar. The Egregor attacks Sophos investigated, on the other hand, used SystemBC alongside Qbot.
Outsourcing ransomware deployment to affiliates
According to Sean Gallagher, a senior security researcher at Sophos, ransomware gangs have increasingly outsourced the deployment of ransomware to affiliates, who use attack tools and commodity malware.
“SystemBC is a regular part of recent ransomware attackers’ toolkits,” he pointed out, adding that Sophos has discovered hundreds of attempted SystemBC deployments around the world over the past few months.
Ransomware actors can also combine the backdoor with other malware and scripts to automate the search for and discovery of potential victims across multiple targets.
These SystemBC backdoors were initially designed for commodity malware. However, they have been upgraded to toolkits for targeted attacks such as ransomware attacks.
As a result of the increased use of different tools in ransomware-as-a-service, there is now a widespread attack profile that makes it more difficult for IT security teams to detect and stop them.
Sophos has provided additional information about SystemBC and possible cyberattacks on SophosLabs Uncut, the publishing destination for all research by the security team.
“SystemBC is a regular part of recent ransomware attackers’ toolkits,” Gallagher reiterated.
SystemBC is proxy malware that uses the SOCKS5 protocol to route traffic to command-and-control (C2) servers before downloading the DanaBot banking Trojan.
Since then, SystemBC has expanded its capabilities with additional features that let it use a Tor connection, encrypting and concealing the destination of C2 communications.
This could ultimately give attackers a persistent backdoor from which to launch more attacks in the future. The researchers also revealed that SystemBC is likely one of the commodity tools deployed after an initial compromise through phishing emails. These phishing emails deliver malware loaders such as Qbot, Zloader, and Buer Loader.
This has led researchers to believe that the attacks were executed by affiliates of the ransomware operators. They could also be the handiwork of ransomware groups that use multiple malware-as-a-service providers.
Sophos said the backdoor provides threat actors with a point-and-shoot capability as they don’t need to use any technical strategy before gaining access.
The rise in commodity malware also points to a new trend in how ransomware is delivered, as in the case of MountLocker, where operators use double extortion to distribute ransomware with little effort.