
Cybersecurity researchers have shed light on the command-and-control (C2) server of the known malware family SystemBC.
“SystemBC can be purchased on the underground market and is provided in the form of an archive containing an implant, a command and control (C2) server, and a network management portal written in PHP,” Kroll said in an analysis published last week.
The risk and financial advisory solutions provider said the second and third quarters of 2023 saw an increase in the use of the malware.
First observed in the wild in 2018, SystemBC allows threat actors to remotely control infected hosts and deliver additional payloads, including Trojans, Cobalt Strike, and ransomware. It also supports dynamic activation of auxiliary modules to extend its core functionality.

A striking aspect of the malware is its use of a SOCKS5 proxy to mask network traffic to and from the C2 infrastructure, acting as a persistent access mechanism for post-exploitation activity.
Customers who purchase SystemBC receive an installation package that includes the implant executable, Windows and Linux binaries for the C2 server, PHP files for rendering the C2 panel interface, and detailed setup instructions and commands in English and Russian.

The C2 server executable – “server.exe” for Windows and “server.out” for Linux – is designed to open no fewer than three TCP ports: one to carry C2 traffic, one for inter-process communication (IPC) between the server itself and the PHP-based panel interface (usually port 4000), and one for each active implant (also called a bot).
The server component also utilizes three other files to log information about the implant’s interactions as an agent and loader, as well as details about the victim.
The PHP-based panel, on the other hand, is minimalistic in nature and displays a list of active implants at any given point in time. It also acts as a conduit to run shellcode and arbitrary files on the victim machine.
https://www.youtube.com/watch?v=KOOC1ypTs9Y
Kroll researchers said: “The shellcode functionality is not limited to a reverse shell, but also has full remote capabilities that can inject implants at runtime, though it is not as obvious as a reverse shell spawning cmd.exe.”
At the same time, the company also shared an analysis of an updated version of DarkGate (version 5.2.3), a remote access Trojan (RAT) that enables attackers to fully compromise victim systems, steal sensitive data, and distribute additional malware.

“The version of DarkGate analyzed scrambles the Base64 alphabet used when the program is initialized,” said security researcher Sean Straw. “DarkGate swaps the last character with a random character before it, moving from back to front in the alphabet.”
Kroll says it discovered a weakness in this custom Base64 alphabet that makes it trivial to decode the on-disk configuration and keylogging output, both of which are encoded with the scrambled alphabet and stored in an exfiltration folder on the system.
“This analysis enables forensic analysts to decode configuration and keylog files without first determining the hardware ID,” Straw said. “The keylogger output archive contains keystrokes stolen by DarkGate, which may include entered passwords, emails and other sensitive information.”
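To make the custom-alphabet Base64 scheme described above concrete for forensic analysts, the following added Python example (not Kroll's code or DarkGate's) reproduces the back-to-front swap rule as a Fisher-Yates style shuffle, encodes and decodes data through the permuted alphabet, and shows a generic known-plaintext way to recover the character mapping. The seed value, the sample configuration bytes and the `recover_mapping` approach are constructed assumptions for illustration; the article does not state how DarkGate derives its random values or what weakness Kroll exploited.

```python
import base64
import random
import string

# The standard RFC 4648 Base64 alphabet that the scrambled one is a permutation of.
STANDARD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def scramble_alphabet(seed: int) -> str:
    """Permute the Base64 alphabet the way the article describes: walk from the last
    position backwards and swap each character with a randomly chosen one before it.
    Seeding from an integer is an assumption; it only makes the example reproducible."""
    rng = random.Random(seed)
    chars = list(STANDARD_ALPHABET)
    for i in range(len(chars) - 1, 0, -1):
        j = rng.randrange(0, i)  # a position strictly before i
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def custom_b64encode(data: bytes, alphabet: str) -> str:
    """Standard Base64, then remap each output character through the custom alphabet.
    The '=' padding is not part of the alphabet and passes through unchanged."""
    table = str.maketrans(STANDARD_ALPHABET, alphabet)
    return base64.b64encode(data).decode("ascii").translate(table)


def custom_b64decode(text: str, alphabet: str) -> bytes:
    """Map custom-alphabet text back to the standard alphabet and decode normally."""
    table = str.maketrans(alphabet, STANDARD_ALPHABET)
    return base64.b64decode(text.translate(table))


def recover_mapping(known_plaintext: bytes, observed: str) -> dict:
    """Generic known-plaintext recovery (not the method Kroll published): encode the
    known plaintext with the standard alphabet and pair each standard character with
    the character at the same position in the observed custom-alphabet text.
    Raises if the two texts disagree in length or the pairing is inconsistent."""
    std = base64.b64encode(known_plaintext).decode("ascii")
    if len(std) != len(observed):
        raise ValueError("known plaintext and observed text must encode to the same length")
    mapping = {}
    for s, o in zip(std, observed):
        if s == "=":
            continue
        if mapping.setdefault(s, o) != o:
            raise ValueError(f"inconsistent mapping for {s!r}")
    return mapping


def mapping_matches_alphabet(mapping: dict, alphabet: str) -> bool:
    """True if every recovered pair agrees with the given scrambled alphabet."""
    return all(alphabet[STANDARD_ALPHABET.index(s)] == o for s, o in mapping.items())


# Constructed sample: a made-up configuration blob standing in for an encoded config file.
SAMPLE_CONFIG = b'{"c2":"192.0.2.10","port":4000,"id":"example-host"}'


if __name__ == "__main__":
    alphabet = scramble_alphabet(1234)
    blob = custom_b64encode(SAMPLE_CONFIG, alphabet)
    print("scrambled alphabet:", alphabet)
    print("encoded blob      :", blob)
    print("decoded           :", custom_b64decode(blob, alphabet))
    partial = recover_mapping(SAMPLE_CONFIG, blob)
    print(f"recovered {len(partial)} of 64 alphabet positions from one known plaintext")
```

Because the scramble is a fixed permutation for the lifetime of the process, a single known plaintext (for example a configuration field name that always appears) pins down every alphabet position it touches, and the partial mapping is enough to read any other file encoded with the same alphabet wherever those characters occur.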