Ransomware Operators Using SystemBC Backdoor with Tor proxy & RAT Futures to Attack New Targets

SystemBC is a commodity malware sold on undercover marketplaces; ransomware-as-a-service (RaaS) operations are practicing this malware to disguise all kind of malicious traffic and automate ransomware payload that is delivered on the networks of negotiated victims.

Nowadays, cybercriminals are increasingly outsourcing the duty of extending ransomware to associates using product malware and different attack tools.


Researcher uncovered the new wave of SystemBC backdoor that has upgraded Tor Proxy and RAT features to expand it target and perform the sophisticated and high profile attacks.

SystemBC used by both Ryuk and Egregor

The security researchers at Sophos have investigated this whole matter, and they have collected several pieces of information regarding the malware. While investigating Ryuk and Egregor, the experts realized that in the ransomware attacks, the attackers had used SystemBC in all their attacks throughout the last months.

However, Ryuk is disposing SystemBC on the domain controller concurrently by multiple malware exertions, including Buer Loader, BazarLoader, and Zloader. On the other hand, the Egregor operators favored using the Qbot data stealer.

Moreover, the attacks that are tracked by Sophos used several multiple malware-as-a-service providers as a launching pad to remit the initial malicious payload.

BC phone home

If we talk about BC phone home, then it has mainly two elements of the CnC, one is a beacon connection to a remote server at one of two domains that are hard-coded into the malware, and another one is a lightweight Tor client.

However, the malware chooses one of the hardcoded domains and then conveys an initial block of data; once the domains are conveyed, then it keeps an open socket, along with the connection that is occasionally being reset.

In this system, the bot is administered from a scheduled task, and it accumulates the following data and keeps it in a buffer, and later sends it to CnC through the Tor connection. And here are the data it sends:-

  • The current Windows user name
  • The Windows establish a number for the infected system
  • A WOW process check
  • The volume serial number

Payload Deployment

The threat actors use this determined backdoor as a remote administration tool (RAT) along with the Cobalt Strike post-exploitation tool, especially in the lateral movement stage of the attacks.

The threat actors also utilize the tools to execute commands on the affected Windows devices that have been sent over a Tor connection. Not only this, but it also used for delivering malicious scripts, dynamic link libraries (DLLs), and scripts that get automatically administered without asking the operators’ manual intervention.

The automatic capabilities enable the ransomware operators to control attacks that are targeting multiple victims at a time, and it generally allows for the hands-off deployment of ransomware utilizing the Windows built-in tools.

The experts affirmed that using various tools in ransomware-as-a-service attacks constitutes a different attack profile that is more difficult for IT security teams to divide and deal with it.

Luckily, SystemBC is caught by many anti-malware tools; however, the threat actors continue to use SystemBC situationally with success because they leverage erratic malware security across organizations or leverage legitimate credentials to impair malware protection.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.