SystemBC RAT Used as Tor Backdoor

NJCCIC Alert

Original Release Date: 12/17/2020

Summary

In recent Ryuk and Egregor ransomware attacks, Sophos researchers found that SystemBC, a commodity malware sold on underground marketplaces, is being used in ransomware-as-a-service (RaaS) operations as a persistent backdoor that tunnels its command-and-control (C2) traffic over the Tor network, encrypting that traffic and hiding the operators' infrastructure from network defenders. SystemBC is typically delivered by other malware, including Buer Loader, Qbot, Bazar Loader, or ZLoader, which themselves arrive through malicious spam or phishing emails. Once installed, it acts as a remote administration tool (RAT) that lets the operators run commands on the victim host while concealing their activity, and it is used to automate ransomware payload staging and delivery, exploitation, lateral movement, and data exfiltration across compromised networks.

Recommendations

The NJCCIC recommends users exercise caution with links and attachments received from unknown contacts, confirm a message's legitimacy through a separate means of communication, enable multi-factor authentication where available, and keep systems up to date. We advise a defense-in-depth cybersecurity strategy, security awareness training, and human-led threat hunting to help detect and block these attacks. Because SystemBC hides its C2 traffic inside Tor, network defenders should also monitor for, and where policy allows block, outbound connections to the Tor network from hosts that have no business reason to use it. Further technical details and IOCs can be found in the Sophos article.
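The alert's point is that SystemBC's C2 rides over Tor, so one practical hunting step is to look for Tor egress in firewall or proxy logs. The script below is an added example for this alert; it is not NJCCIC or Sophos code and is not a SystemBC signature. It assumes a CSV firewall export with the columns shown, a relay list that in practice you would load from the Tor consensus or an Onionoo export (here replaced by a constructed list of TEST-NET addresses), and a constructed log sample. It flags three things: connections to known relays, connections to Tor's default ORPort/DirPort values, and near-periodic beaconing from one internal host to one destination.

```python
"""Hunt for Tor-style C2 egress in firewall logs (added example, not from the alert)."""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed relay list using TEST-NET addresses; these are NOT real Tor relays.
# In production, populate this set from the Tor consensus / Onionoo and refresh it hourly.
TOR_RELAYS = {"198.51.100.7", "198.51.100.42", "203.0.113.9"}

# Tor's default ORPort (9001) and DirPort (9030). Relays on 443 or other ports are
# only caught by the relay-list match, so treat this as a low-confidence signal.
TOR_DEFAULT_PORTS = {9001, 9030}

# Constructed firewall export: timestamp,src_ip,dst_ip,dst_port,bytes_out
SAMPLE_LOG = """timestamp,src_ip,dst_ip,dst_port,bytes_out
2020-12-15T08:00:00,10.0.5.23,198.51.100.7,443,1620
2020-12-15T08:05:01,10.0.5.23,198.51.100.7,443,1588
2020-12-15T08:10:00,10.0.5.23,198.51.100.7,443,1611
2020-12-15T08:15:02,10.0.5.23,198.51.100.7,443,1597
2020-12-15T08:01:10,10.0.7.81,192.0.2.50,9001,802
2020-12-15T08:02:00,10.0.9.14,192.0.2.200,443,45120
2020-12-15T09:30:00,10.0.9.14,192.0.2.201,80,1200
"""


def parse_log(text):
    """Parse the CSV export into a list of dicts with typed fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.fromisoformat(r["timestamp"]),
            "src": r["src_ip"],
            "dst": r["dst_ip"],
            "port": int(r["dst_port"]),
            "bytes": int(r["bytes_out"]),
        })
    return rows


def beacon_score(timestamps, min_hits=4, max_jitter_s=30):
    """True when the timestamps form a near-periodic series (regular gaps within jitter)."""
    if len(timestamps) < min_hits:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return (max(gaps) - min(gaps)) <= max_jitter_s


def hunt(rows, relays=TOR_RELAYS, tor_ports=TOR_DEFAULT_PORTS):
    """Return {src_ip: sorted list of (finding, dst_ip, dst_port)} for suspicious hosts."""
    findings = defaultdict(set)
    pairs = defaultdict(list)  # (src, dst, port) -> timestamps, for beacon analysis
    for r in rows:
        pairs[(r["src"], r["dst"], r["port"])].append(r["ts"])
        if r["dst"] in relays:
            findings[r["src"]].add(("tor_relay", r["dst"], r["port"]))
        elif r["port"] in tor_ports:
            findings[r["src"]].add(("tor_default_port", r["dst"], r["port"]))
    for (src, dst, port), stamps in pairs.items():
        if beacon_score(stamps):
            findings[src].add(("beacon", dst, port))
    return {src: sorted(items) for src, items in findings.items()}


if __name__ == "__main__":
    for host, items in hunt(parse_log(SAMPLE_LOG)).items():
        for finding, dst, port in items:
            print(f"{host} -> {dst}:{port} [{finding}]")
```

On the constructed sample, 10.0.5.23 is flagged twice (relay match plus a five-minute beacon to the same destination) and 10.0.7.81 once on the default ORPort; the large transfer from 10.0.9.14 is not flagged by itself. Relay-list matching only catches direct connections to public relays: traffic through Tor bridges or pluggable transports will not appear, so pair this with the Sophos IOCs and with host-level review of the flagged machines rather than treating a clean result as proof of absence.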

New Jersey Cybersecurity & Communications Integration Cell

2 Schwarzkopf Dr, Ewing Township, NJ 08628

njccic@cyber.nj.gov

OUR COMMITMENT

The NJCCIC is a component organization within the New Jersey Office of Homeland Security and Preparedness. We are the State's one-stop-shop for cyber threat analysis, incident reporting, and information sharing and are committed to making New Jersey more resilient to cyber threats by spreading awareness and promoting the adoption of best practices.
