Analytics Story: SystemBC

Description

Leverage searches for dropped-file anomalies and registry modifications to detect SystemBC malware. This threat acts as a backdoor proxy that enables attackers to maintain persistence, evade detection, and facilitate ransomware operations. It often uses SOCKS5 proxies to disguise malicious traffic, making traditional network monitoring less effective. Look for unusual outbound connections, especially to known threat actor infrastructure. Additionally, analyze PowerShell scripts, scheduled tasks, and process injections that may indicate SystemBC deployment. Proactive threat hunting and endpoint monitoring are essential to detect and mitigate this malware.

Why it matters

SystemBC is a stealthy malware strain known for its proxy and backdoor capabilities, often used by cybercriminals to facilitate ransomware attacks. First reported in 2019, it operates as a SOCKS5 proxy, allowing attackers to route malicious traffic through infected systems while evading detection. The malware is typically delivered via exploit kits, phishing emails, or secondary payloads from other malware families. It enables persistent remote access, executes encrypted commands from a C2 server, and helps adversaries maintain control over compromised networks. SystemBC has been linked to major ransomware operations, making it a significant threat in modern cyberattacks.

Detections

Name | Technique | Type
Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly
PowerShell 4104 Hunting | PowerShell | Hunting
Registry Keys Used For Persistence | Registry Run Keys / Startup Folder | TTP
Set Default PowerShell Execution Policy To Unrestricted or Bypass | PowerShell | TTP
Windows Suspicious Process File Path | Create or Modify System Process, Match Legitimate Name or Location | TTP
WinEvent Scheduled Task Created to Spawn Shell | Scheduled Task | TTP
WinEvent Scheduled Task Created Within Public Path | Scheduled Task | TTP
WinEvent Windows Task Scheduler Event Action Started | Scheduled Task | Hunting
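The story pairs a dropped-file detection with a Run-key persistence detection. The following added example (not code from the Splunk analytics story or its detections) shows that correlation in plain Python over Sysmon xmlwineventlog records: an EID 11 file create under a world-writable or temp path, followed by an EID 13 SetValue on a Run/RunOnce key whose data points at that file. The sample events, the directory list and the "updater.exe" name are constructed assumptions.

```python
# Added example, not code from the Splunk analytics story: correlate Sysmon EID 11
# (file create in a suspicious path) with EID 13 (Run-key value set) that points at it.
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SUSPICIOUS_DIRS = ("c:\\users\\public\\", "c:\\programdata\\", "\\appdata\\local\\temp\\")
EXEC_EXT = (".exe", ".dll", ".ps1", ".bat", ".vbs")
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)

def parse_event(xml_text):
    """Return (EventID, {Data Name: value}) from one xmlwineventlog record."""
    root = ET.fromstring(xml_text)
    eid = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return eid, data

def is_suspicious_drop(path):
    """Executable-type file written under a world-writable or temp directory."""
    p = path.lower()
    return p.endswith(EXEC_EXT) and any(d in p for d in SUSPICIOUS_DIRS)

def correlate(events):
    """Alert when a Run/RunOnce value is set to a file dropped earlier in the stream."""
    dropped, alerts = {}, []  # dropped: lower-case path -> image that wrote it
    for eid, d in (parse_event(x) for x in events):
        if eid == 11 and is_suspicious_drop(d.get("TargetFilename", "")):
            dropped[d["TargetFilename"].lower()] = d.get("Image", "")
        elif (eid == 13 and d.get("EventType") == "SetValue"
              and RUN_KEY.search(d.get("TargetObject", ""))):
            details = d.get("Details", "").lower()
            alerts += [{"file": p, "dropped_by": img, "run_key": d["TargetObject"]}
                       for p, img in dropped.items() if p in details]
    return alerts

def sysmon(eid, **fields):
    """Build a minimal Sysmon XML record; used only for constructed sample data."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID></System>'
            f"<EventData>{data}</EventData></Event>")

# Constructed events: PowerShell drops a binary in C:\Users\Public, then a Run key is set to it.
SAMPLE_EVENTS = [
    sysmon(11, Image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           TargetFilename=r"C:\Users\Public\updater.exe"),
    sysmon(13, EventType="SetValue", Details=r"C:\Users\Public\updater.exe",
           TargetObject=r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
]

if __name__ == "__main__": print(correlate(SAMPLE_EVENTS))
```

The same join is what the Splunk searches express over the Endpoint data model; here the matching is by path substring, so a Run value that launches the file through an interpreter is still caught as long as the dropped path appears in the value data.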

Data Sources

Name | Platform | Sourcetype | Source
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike
Powershell Script Block Logging 4104 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4698 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log TaskScheduler 200 | Windows | wineventlog | WinEventLog:Microsoft-Windows-TaskScheduler/Operational
Windows Event Log TaskScheduler 201 | Windows | xmlwineventlog | XmlWinEventLog:Security

Source: GitHub | Version: 1