Researchers at Sophos Labs have been tracking a new ransomware tool available on underground hacking forums which has evolved into a Tor proxy and remote control tool that is now being used in the wild.
The tool is called SystemBC and it serves as a backdoor that provides attackers with a persistent connection to their victims’ systems.
First observed last year, it acts as both a network proxy for concealed communications and as a remote administration tool (RAT) capable of executing Windows commands as well as delivering and executing scripts, malicious executable and dynamic link libraries (DLL).
SystemBC has evolved over the past year from acting as virtual private network (VPN) through a SOCKS5 proxy to using the Tor network to encrypt and conceal the destination of command and control traffic.
During the course of its recent investigations, Sophos MTR’s Rapid Response team has seen SystemBC used in recent Ryuk and Egregor ransomware attacks, though it is often used alongside other post-exploitation tools such as Cobalt Strike. However, in some cases, the SystemBC RAT was deployed to servers after attackers had gained access to administrative credentials and moved deeper into a targeted network.
When deployed, the tool will copy and schedule itself as a service but this step will be skipped if Emsisoft antivirus software is detected on a victim’s system. SystemBC then establishes a connection to a command and control server using a beacon connection to a remote server based at one of two hard-coded domains.
In a new blog post, senior threat researcher Sean Gallagher and threat researcher Sivagnanam Gn at Sophos provided further insight on how SystemBC now connects to the Tor network, saying:
“The Tor communications element of SystemBC appears to be based on mini-tor, an open-source library for lightweight connectivity to the Tor anonymized network. The code of mini-Tor isn’t duplicated in SystemBC (since mini-Tor is written in C++ and SystemBC is compiled from C). But the bot’s implementation of the Tor client closely resembles the implementation used in the open-source program, including its extensive use of the Windows Crypto Next Gen (CNG) API’s Base Crypto (BCrypt) functions.”
As SystemBC is often deployed as an off-the-shelf tool, its is likely that ransomware attackers are acquiring it from malware-as-a-service operations in underground forums. The tool has become increasingly popular among cybercriminals due to the fact that it allows for multiple targets to be worked at the same time.