Current Cyber Threats

Global SystemBC Botnet Found Active Across 10,000 Infected Systems

Summary:
SystemBC, also known as Coroxy or DroxiDat, remains a formidable and persistent threat in the cyber landscape. Originally documented in 2019, this multi-platform malware primarily functions as a SOCKS5 proxy and a backdoor, turning compromised systems into relays that mask malicious traffic. Recent findings by Silent Push have identified a massive botnet consisting of over 10,000 unique infected IP addresses globally, with a significant concentration (over 4,000) located in the United States.

The malware has evolved beyond its initial C++ Windows-based roots; researchers recently uncovered a previously undocumented variant written in Perl, specifically designed to target Linux systems. This expansion into Linux environments allows threat actors to compromise high-performance Virtual Private Servers (VPS) and data center infrastructure, which often lack the same level of endpoint monitoring as corporate workstations. SystemBC is frequently utilized as a "pre-ransomware" tool by high-profile groups, including affiliates of Ryuk, Egregor, and DarkSide, to maintain persistent access and tunnel lateral movement tools like Cobalt Strike into the network.
Security Officer Comments:
The resurgence of SystemBC is a critical indicator of impending high-impact intrusions. Because SystemBC is a "commodity" tool often sold as Malware-as-a-Service (MaaS), it is not tied to a single threat actor but serves as a versatile utility for many. Its primary value to an attacker is anonymization; by routing traffic through a compromised VPS in a reputable data center, an attacker can bypass IP-based reputation filters and "blend in" with legitimate business traffic.

The discovery of the Perl variant is particularly concerning for IT and critical infrastructure providers who rely heavily on Linux-based servers for web hosting and backend operations. Analysts should note that SystemBC often arrives via unpatched vulnerabilities (with some infected hosts showing over 160 unpatched CVEs) or through secondary infections from loaders like IcedID or SocGholish. For our members, a SystemBC infection should not be treated as a simple "botnet" nuisance; it should be triaged as a high-priority "precursor" event. Historically, once SystemBC is established, the deployment of ransomware or large-scale data exfiltration follows within days or even hours.
Suggested Corrections:
To defend against SystemBC and the subsequent payloads it facilitates, organizations should implement a multi-layered defense strategy:
  • Vulnerability & Patch Management: Ensure all internet-facing assets—especially Linux-based VPS and web servers—are patched against critical vulnerabilities. The high correlation between unpatched systems and SystemBC infections suggests that automated exploit kits remain a primary delivery vector.
  • Network Egress Filtering: Monitor and restrict outbound traffic on non-standard ports. SystemBC often uses custom ports for its C2 communications and SOCKS5 proxying. Implementing a "deny-by-default" policy for outbound traffic from servers can significantly hinder the malware's ability to communicate with its controller.
  • Endpoint Detection and Response (EDR): Deploy EDR solutions on both Windows and Linux endpoints. Look for suspicious process behavior such as Perl or PowerShell scripts initiating external network connections, or the creation of scheduled tasks or cron jobs designed to maintain persistence (a common TTP for SystemBC).
  • Threat Intelligence Integration: Ingest Indicators of Compromise (IOCs) and "Indicators of Future Attack" (IOFA) into SIEM and SOAR platforms. Proactively blocking known SystemBC C2 infrastructure and monitoring for traffic to "bulletproof" hosting providers can prevent the initial beaconing phase of the infection.
  • Audit for Living-off-the-Land (LotL): Since SystemBC can execute commands and scripts directly in memory, security teams should audit the use of legitimate tools like cmd[.]exe, powershell[.]exe, and bash for unusual activity, especially when originating from service accounts or web server processes.
Link(s):
https://www.bleepingcomputer.com/ne...omise-nginx-servers-to-redirect-user-traffic/