Analytics Story: SystemBC
Description
Leverage searches for dropped-file anomalies and registry modifications to detect SystemBC malware. This threat acts as a backdoor proxy that enables attackers to maintain persistence, evade detection, and facilitate ransomware operations. It often uses SOCKS5 proxies to disguise malicious traffic, making traditional network monitoring less effective. Look for unusual outbound connections, especially to known threat actor infrastructure. Additionally, analyze PowerShell scripts, scheduled tasks, and process injections that may indicate SystemBC deployment. Proactive threat hunting and endpoint monitoring are essential to detecting and mitigating this malware.
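The description lists the telemetry a hunt for this family should cover (dropped files, registry modification, PowerShell activity, scheduled tasks) across the Sysmon, Security and PowerShell sources in the data-source table below. The following is an added example, not one of the story's own Splunk searches, showing how those signals can be correlated per host so that a single noisy event does not become a lead on its own. The events are constructed samples; the field names follow Sysmon/XmlWinEventLog conventions, and the heuristics (user-writable drop directories, Run-key writes, a scheduled task whose command points at the dropped file, encoded or hidden-window PowerShell) are generic persistence indicators, not SystemBC-specific IoCs.

```python
"""Correlate Sysmon / Security / PowerShell events into per-host hunting leads.

Added example for the analytic story; the events and thresholds are constructed
and the heuristics are generic, not the story's published detections.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample telemetry. WS01 shows a dropped executable that is then
# persisted via a Run key and a scheduled task, plus encoded PowerShell;
# WS02 shows benign installer and settings activity that must not alert.
SAMPLE_EVENTS = [
    {"host": "WS01", "EventID": 11, "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\svchost_update.exe"},
    {"host": "WS01", "EventID": 13,
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd",
     "Details": "C:\\Users\\alice\\AppData\\Roaming\\svchost_update.exe"},
    {"host": "WS01", "EventID": 4698, "TaskName": "\\Updater",
     "TaskContent": "<Task><Actions><Exec><Command>"
                    "C:\\Users\\alice\\AppData\\Roaming\\svchost_update.exe"
                    "</Command></Exec></Actions></Task>"},
    {"host": "WS01", "EventID": 4104,
     "ScriptBlockText": "powershell -nop -w hidden -EncodedCommand SQBFAFgA..."},
    {"host": "WS02", "EventID": 11, "Image": "C:\\Program Files\\Installer\\setup.exe",
     "TargetFilename": "C:\\Program Files\\App\\app.exe"},
    {"host": "WS02", "EventID": 13,
     "TargetObject": "HKLM\\SOFTWARE\\Vendor\\Settings\\Theme", "Details": "dark"},
]

# Generic heuristics (assumptions for this example, not vendor signatures).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
DROPPED_EXT = (".exe", ".dll", ".ps1", ".bat", ".vbs")
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
ENCODED_PS = re.compile(r"-e(nc|ncodedcommand)?\b|-w(indowstyle)?\s+hidden", re.I)
TASK_COMMAND = re.compile(r"<Command>(.*?)</Command>", re.S)


@dataclass
class Lead:
    signals: set = field(default_factory=set)     # distinct signal types seen
    dropped: set = field(default_factory=set)     # executables written to user-writable dirs
    referenced: set = field(default_factory=set)  # paths persisted via Run key / task

    @property
    def linked(self) -> bool:
        """True when a persistence mechanism points at a file this host dropped."""
        return bool(self.dropped & self.referenced)

    @property
    def score(self) -> int:
        return len(self.signals) + (2 if self.linked else 0)


def correlate(events, min_signals: int = 2) -> dict:
    """Group events by host and keep hosts showing at least min_signals signal types."""
    leads = defaultdict(Lead)
    for ev in events:
        lead = leads[ev["host"]]
        eid = ev["EventID"]
        if eid == 11:  # Sysmon FileCreate
            path = ev.get("TargetFilename", "")
            if USER_WRITABLE.search(path) and path.lower().endswith(DROPPED_EXT):
                lead.signals.add("dropped_exe")
                lead.dropped.add(path.lower())
        elif eid in (12, 13):  # Sysmon registry create / set
            if RUN_KEY.search(ev.get("TargetObject", "")):
                lead.signals.add("run_key")
                lead.referenced.add(ev.get("Details", "").lower())
        elif eid == 4698:  # Security: scheduled task created
            m = TASK_COMMAND.search(ev.get("TaskContent", ""))
            if m:
                lead.signals.add("sched_task")
                lead.referenced.add(m.group(1).strip().lower())
        elif eid in (1, 4688, 4104):  # process creation / script block
            text = ev.get("ScriptBlockText") or ev.get("CommandLine") or ""
            if ENCODED_PS.search(text):
                lead.signals.add("encoded_ps")
    return {h: l for h, l in leads.items() if len(l.signals) >= min_signals}


if __name__ == "__main__":
    for host, lead in sorted(correlate(SAMPLE_EVENTS).items()):
        print(f"{host}: score={lead.score} linked={lead.linked} "
              f"signals={sorted(lead.signals)}")
```

The linkage check is the part worth keeping when porting this to a real search: a Run-key value or task command that resolves to a file created in a user-writable directory on the same host is a far stronger lead than any of the three events alone, and the `min_signals` threshold can be raised in environments where installers routinely write to AppData.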
Why it matters
SystemBC is a stealthy malware strain known for its proxy and backdoor capabilities, often used by cybercriminals to facilitate ransomware attacks. First reported in 2019, it operates as a SOCKS5 proxy, allowing attackers to route malicious traffic through infected systems while evading detection. The malware is typically delivered via exploit kits, phishing emails, or secondary payloads from other malware families. It enables persistent remote access, executes encrypted commands from a C2 server, and helps adversaries maintain control over compromised networks. SystemBC has been linked to major ransomware operations, making it a significant threat in modern cyberattacks.
Detections
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike |
| Powershell Script Block Logging 4104 | | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational |
| Sysmon EventID 1 | | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 11 | | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 12 | | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 13 | | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4688 | | xmlwineventlog | XmlWinEventLog:Security |
| Windows Event Log Security 4698 | | xmlwineventlog | XmlWinEventLog:Security |
| Windows Event Log TaskScheduler 200 | | wineventlog | WinEventLog:Microsoft-Windows-TaskScheduler/Operational |
| Windows Event Log TaskScheduler 201 | | xmlwineventlog | XmlWinEventLog:Security |
References
- https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc
- https://thedfirreport.com/2025/01/27/cobalt-strike-and-a-pair-of-socks-lead-to-lockbit-ransomware/
- https://hackread.com/systembc-rat-targets-linux-ransomware-infostealers/
- https://hackread.com/infostealers-breach-us-security-military-fbi-hit/
- https://www.kroll.com/en/insights/publications/cyber/inside-the-systembc-malware-server
- https://medium.com/walmartglobaltech/systembc-powershell-version-68c9aad0f85c
- https://securelist.com/focus-on-droxidat-systembc/110302/
- https://blogs.blackberry.com/en/2021/06/threat-thursday-systembc-a-rat-in-the-pipeline
Source: GitHub | Version: 1