SystemBC Being Used by Various Attackers

SystemBC is a proxy malware that has been used by various attackers for the last few years. While it is recently distributed through SmokeLoader or Emotet, this malware has steadily been used in various ransomware attacks in the past. When an attacker attempts to access a certain address with malicious intent, the system can be used as a passage if the infected system utilizes SystemBC, which acts as a Proxy Bot. Because it can also act as a downloader to install additional malware externally, attackers can also use it to install additional payloads.


Previous Distribution Cases

SystemBC’s distribution using RIG exploit kit and Fallout exploit kit was first discovered in 2019. [1] The initial version found in 2019 focused mainly on Socks5 Proxy features and had a small size. According to ProofPoint which first discovered SystemBC, the developer of the malware had a history of selling it under the name “socks5 backconnect system.”

SystemBC discovered in 2020 was used with Ryuk or Egregor in ransomware attacks. It was also the malware used by the DarkSide ransomware group, which used it to attack Colonial Pipeline, a U.S. pipeline company. [2] Unlike ransomware distributed through exploit kits, web browsers, or spam emails, attackers using this type of malware install ransomware after dominating the company environment system, then demand money. In other words, they dominate the internal network using tools such as Cobalt Strike after the initial infiltration and infect various systems within a company by installing ransomware.

The role of SystemBC in such an attack is not known in detail. Yet as it can act as a proxy and install additional payloads after downloading them, it might download and execute malicious payloads or be installed in internal networks to perform the role of a proxy. In fact, according to a report made by F-Secure [3] that found an attack using SystemBC, the malware was used for downloading and running PsExec and scripts for lateral movement attacks.



Recent Distribution Cases

In March 2022, it was found that SystemBC was being installed as an additional payload by Emotet. Emotet is a banking malware that installs additional modules or malware strains to steal credentials from the infected system. Normally, the attackers install Cobalt Strike through Emotet to dominate the infected system, but recently, SystemBC is also being distributed.

According to AhnLab’s ASD infrastructure, most of the recent cases involving SystemBC have the malware installed by SmokeLoader. SmokeLoader operates by being injected into explorer.exe (Windows Explorer that is currently being run) and can install additional modules or malware. The figure below shows the log of the injected Explorer process installing SystemBC.

Figure 1. SystemBC installed by SmokeLoader

SmokeLoader is recently installed through Muldrop, an NSIS dropper malware distributed through malicious websites disguised as cracks and serial download pages of commercial software. Besides Muldrop, CryptBot and PseudoManuscrypt are also distributed in such a method.



Analysis of SystemBC

SystemBC has a number of variants. The exact order is not confirmed, but the variants are categorized based on their additional features. Unlike Type 1 which is an early version and can only update itself, Type 2 can run scripts such as Batch, VBS, and PowerShell after downloading them. It can also download malware in DLL and Shellcode forms to execute them in the memory. In addition, the malware can communicate with the C&C server through the Tor network. [4] Type 3, the second variant, lacks certain features including being able to use the Tor network and execute DLL and Shellcode after downloading them.

This post will discuss the analysis of SystemBC type that can currently communicate with the C&C server. To be more precise, it is an analysis of Type 2, which has most of the features of Type 1 and Type 3. The malware was found to be installed through RedLine, packed with the packer that was used for the type distributed through SmokeLoader. SystemBC known to be installed through Emotet is Type 3.


Initial Routine

When SystemBC is initially run, it first checks if the argument is “start”. It will not have an argument when it is executed for the first time. In this case, it checks the windows of the currently running processes. If there is a process with “Microsoft” as the window name and “win32app” as the class name, it will send the message “WM_COPYDATA” and goes dormant for a certain amount of time. Afterward, it deletes the file for the process.

Figure 2. Process handling function that has a certain window

SystemBC first registered a window class and created a window. The name of the window and class is “Microsoft” and “win32app” respectively. As shown in the figure below, the following windows and classes can be seen when SystemBC is executed.

Figure 3. Windows and classes of SystemBC being run

The message handling function registered at this moment deletes and terminates a process registered as “certain random string” when it receives the message “WM_COPYDATA”. In summary, SystemBC checks for the SystemBC process that has been running when it is executed for the first time. If there is one, it sends a message to terminate the old SystemBC. The previous SystemBC that received the message deletes the task it is registered to and terminates itself, and SystemBC that was executed later deletes the binary of the previous one.

It then scans the process named “a2guard.exe” which is assumed to be a product of Emisoft. If the process is running, it terminates itself and will no longer perform malicious behaviors. Lastly, it copies the binary of the currently running SystemBC as a random name in %ALLUSERSPROFILE% (in the random folder of the ProgramData path) and registers it as a task named “certain random string” again. The process uses COM objects, TaskScheduler class, and methods of the Task class.

Figure 4. Process for registering the task using COM objects

The task starts 2 minutes after the current time and is run every 2 minutes. The target that is executed is SystemBC, and designates “start” as an argument. SystemBC can download payloads in exe form from the C&C server and run them. If the downloaded executable is SystemBC with the latest version, the process then becomes a binary update for SystemBC.


C&C Communications

SystemBC executed with the “start” argument attempts to communicate with the C&C server. It has the URL of the C&C server in the data section in XOR-encrypted form. The malware decrypts the C&C server address and port number before communicating with the C&C server. If it cannot access the first URL, it will attempt to communicate with the second one. Since the current analysis target does not have its settings data encrypted, one can check it in its plain form. If the “xordata” string exists below the settings data, the XOR encoding will not be processed. The 0x32 byte-sized data that has the string is the value for the RC4 key. If a normal RC4 key value exists, the XOR encoding will be processed.

Figure 5. Settings data of SystemBC
- C&C Server URL 1 : 31.44.185[.]6:4001
- C&C Server URL 2 : 31.44.185[.]11:4001

As shown below, SystemBC first collects the basic information of the infected system. When the currently running SystemBC process is executed as an admin privilege (High Integrity Level or higher), Offset 0x34 among the following items is set as 0x2. If not, it is set as 0.

OffsetSizeData
+0x000x32RC4 key
+0x320x02Windows ver.
+0x340x01Admin privilege status (0x02)
+0x350x01WOW64 availability
+0x360x2AUser name
+0x600x04Volume serial number
Table 1. Data to be sent to C&C server

The data shown below has a size of 0x64 byte. It first uses the 0x32 byte-sized RC4 key to RC4-encrypt the 0x32 byte in the back. The C&C server that received the data can decrypt the 0x32 byte-sized information of the infected system with the RC4 key of the first 0x32 byte.

Figure 6. RC4 key and information collected from the infected system
- RC4 Key: 78 6F 72 64 61 74 61 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Figure 7. Communication packet with the C&C server

The encrypted data is then sent to the C&C server. SystemBC uses the Raw TCP socket to communicate with the C&C server. When the server receives information from the malware, it uses the same RC4 key to send the encrypted command data. The following is encrypted data sent from the C&C server.

Figure 8. Data received from the C&C server

SystemBC decrypts the first 4 bytes, which can be considered as a header of the C&C command. The header can be divided into 3 main parts: command, secondary command, and data size. The 4 byte that comes after means tokens, and the rest includes command data.

OffsetSizeData
+0x000x01Command
+0x010x01Secondary Command
+0x020x02Data Size
+0x040x04Token
+0x08VariableCommand Data
Table 2. Downloaded packet structure

The command currently received is 0xFFFF2B00. This means the malware received the data with the size of 0x002B. Decrypting the 0x002B-sized data following behind will reveal the token and URL. Since the command is 0xFFFF, the malware will run the files after downloading them from the URL.

CommandSecondary CommandSizeFeature
0xFF0xFFVariableDownload payload
0xFF0xFE0x00Terminate
0x00VariableCreate a new Proxy for the target
Index[0x00 – 0xFF]VariableSends the data received from the C&C server to the designated target in Index
Index[0x00 – 0xFF]0x00Terminate Proxy with the designated target
Table 3. Types of C&C commands

Note that the exe malware downloaded currently is also SystemBC; this indicates that the command is for updating the binary.

- Download URL: hxxp://michaelstefensson[.]com/supd/s.exe
Figure 9. URL for downloading additional payloads

SystemBC uses Raw TCP socket again for HTTP communications. The following is a User-Agent string used for downloading binaries from the URL that was sent.

GET %s HTTP/1.0
Host: %s
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Connection: close

After the download is complete, the malware sends the result encrypted with RC4 to the C&C server. The data that will be sent include 0xFF (secondary command used for downloading payloads), 0x04 (data size that will be sent), and 0x07 (including the token value 0x04 byte that was sent earlier).

Figure 10. Sending response to the C&C server
OffsetSizeData
+0x000x01Secondary Command
+0x010x02Data Size
+0x030x04Token
Table 4. Structure of the packet sent to the C&C server

The download URLs that were sent are categorized depending on the file extension and format.

TypeExtensionFormatFeature
exeexeSelf-update for SystemBC
VBS script.vbsRun VBS script
Batch script.batRun Batch script
Batch script.cmdRun Batch script
Powershell Script.ps1Run Powershell script
DLLDLLLoad DLL in the memory
Run the function of DLL if the URL has # at the back
ShellcodeEncoded formRun Shellcode in the memory
Table 5. Payload that can be downloaded
Figure 11. Categorization based on extensions and formats

The malware creates normal files in the Temp path and registers the files in the task scheduler to run them. For Powershell scripts, it additionally uses command lines such as “-WindowStyle Hidden -ep bypass -file”.

If the downloaded payload is DLL, it assigns memory and loads it to run as a new thread. If the “#” string is behind the URL sent from the C&C server, it calls the export function from the downloaded DLL. For Shellcode, the malware also runs it as a new thread going through the decoding routine. As a result, DLL and Shellcode are not created as files but run in the memory of SystemBC.


TOR Communications

Because the current analysis target does not have a Tor URL, the team will discuss a previous case where Tor network communication was possible. The malware in this case has the C&C server URLs encoded as shown below. If it cannot access both servers, it uses Tor to access another server.

- C&C Server URL 1: admex175x[.]xyz:4044
- C&C Server URL 2: servx278x[.]xyz:4044

To do so, it accesses the following URLs to obtain a public IP address. The address is then encoded with the data that will be sent to the C&C server and sent.

https://api.ipify.org/
https://ip4.seeip.org/

SystemBC is known to utilize the mini-tor[5] library to use the Tor network.[6] It first goes through the reset process to access Tor. By randomly selecting one of the IP addresses of the hard-coded Authoritative Directory Server, it gets the Consensus data for the Tor network. Then it will start Tor communications based on the settings data it received.

Figure 12. Obtaining Tor Consensus data
193.23.244[.]244:80
86.59.21[.]38:80
199.58.81[.]140:80
204.13.164[.]118:80
194.109.206[.]212:80
131.188.40[.]189:80
154.35.175[.]225:80
171.25.193[.]9:443
128.31.0[.]34:9131
128.31.0[.]39:9131

The malware then obtains the Tor C&C URL. As seen below, Tor C&C URL needs an additional decryption process, unlike normal C&C URLs that can be checked in text after Xor decryption. The part that comes after the “TOR:” string is the Tor C&C URL that is decrypted for the first time. The actual URL will be revealed through the additional decryption process.

Figure 13. Xor-encoded settings data
Figure 14. C&C URL that is ultimately decrypted
- C&C URL (Tor): dfhg72lymw7s3d7b[.]onion:4044

After normally accessing the Tor network, the malware will send the information of the infected system including the public IP address that was mentioned earlier. This method is identical to other methods of using Raw TCP socket communications, except that it sends data by using the Tor network. So the malware will send the data encrypted with RC4 algorithm and receive C&C commands encrypted with the same key as in previous cases. The case is also the same for the HTTP communications used for downloading additional payloads.

Figure 15. C&C command received through Tor
- Download URL: http://5.61.33[.]200/henos.exe

SOCKS5 PROXY

Besides downloader, the main features of SystemBC include being able to operate as Proxy Bot. The figure below shows the commands related to proxies that were mentioned above. Each line creates a socket for the proxy and processes certain proxy packets.

Figure 16. Socks5 proxy routine

If the attacker wants to use an infected system as Proxy Bot (using SystemBC of the infected system when accessing a certain address), a command to create proxies will be sent first. SystemBC creates a socket depending on the type when it receives a command to create proxies. The created socket will be managed by index.

After the socket is created, the malware will create a new thread and connect to the address it received. The reason the attacker initially named the malware BackConnect is because SystemBC first connects to the attacker’s server instead of the attacker manually accessing SystemBC to attempt Socks5 proxy connection. Since SystemBC cannot be accessed externally if it is installed in the system of a private IP band, malware strains with the Proxy feature mainly use the Reverse Proxy method.

Should the attacker send requests to a certain address later, they will send the created proxy socket with the assigned index. SystemBC will then send the data it received to the address. The data received will be sent to the C&C server through SystemBC. SystemBC thus acts as Proxy Bot, allowing the attacker to hide the IP when performing attacks. If the malware operates in the system that can access internal networks, the networks can be accessed by the external attacker through SystemBC.


Comparison with Previous Versions

The post discussed Type 2 which supports most of the features, but each type has minor variations in the features it supports.

Type 1Type 2Type 3
Recursive Execution Argument“Start2”“start”“start”
Scan Emisoft productOOX
Installation Path%ALLUSERSPROFILE%\[Random]%ALLUSERSPROFILE%\[Random]Current Path
Downloader featureX (has only update feature)Batch, VBS, PowerShell, DLL, Shellcode, and updateBatch, VBS, PowerShell, and update
Support URL shortener .bitOXX
Table 6. Differences in each Type

Type 1 supports the URL shortener “.bit”. The following settings data of the malware has the list of DNS servers besides C&C URL and port number.

Figure 17. List of DNS servers in settings data
- C&C Server URL 1: db1.pushsecs[.]info:40690
- C&C Server URL 2: db2.pushsecs[.]info:40690
- DNS Server URL 1: 5.132.191[.]104
- DNS Server URL 2: ns1.vic.au.dns.opennic[.]glue
- DNS Server URL 3: ns2.vic.au.dns.opennic[.]glue

If the C&C server URL ends it “.bit”, the malware obtains the IP address of the server by using the DNS servers listed above.

Figure 18. DNS query routine for .bit URL



Conclusion

Ever since SystemBC was distributed through exploit kits in the past, the malware has been installed through other malware strains from malicious websites disguised as download pages for cracks and serials of commercial software until recently. While it was used for attacks targeting normal users, it was also employed by attackers in multiple ransomware attacks targeting companies to achieve their goals.

After it is installed, SystemBC stays in the infected system to download additional payloads. Moreover, it can also act as Proxy Bot, meaning that the system can become a passageway for other attackers. Users should apply the latest patch for OS and programs such as Internet browsers, and update V3 to the latest version to prevent malware infection in advance.

AhnLab’s anti-malware software, V3, detects and blocks the malware above using the aliases below.

[File Detection]
– Trojan/Win.MalPE.R480644 (2022.03.29.02)
– Trojan/Win.Generic.C5006057 (2022.03.11.03)
– Malware/Win32.RL_Generic.R358611 (2020.12.18.01)
– Trojan/Win32.Agent.C3511593 (2019.10.14.08)

[IOC]
Type 1 MD5

– beb92b763b426ad60e8fdf87ec156d50

Type 2 MD5
– 8e3a80163ebba090c69ecdeec8860c8b
– 28c2680f129eac906328f1af39995787

Type 3 MD5
– ae3f6af06a02781e995650761b3a82c6

Type 1 C&C
– db1.pushsecs[.]info:40690
– db2.pushsecs[.]info:40690

Type 2 C&C
– 31.44.185[.]6:4001
– 31.44.185[.]11:4001
– admex175x[.]xyz:4044
– servx278x[.]xyz:4044
– dfhg72lymw7s3d7b[.]onion:4044

Type 3 C&C
– 96.30.196[.]207:4177
– 45.32.132[.]182:4177

Download URLs
– hxxp://michaelstefensson[.]com/supd/s.exe
– hxxp://5.61.33[.]200/henos.exe

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

5 1 vote
Article Rating
guest
0 Comments
Inline Feedbacks
View all comments