In recent months researchers have detected 100s of attempted System BC deployments globally, as part of recent Ryuk & Egregor ransomware attacks.
Commodity malware backdoor System BC has evolved to automate a number of key activities, as well as use the anonymising Tor platform. These overarching changes make it both easier for cyber-criminals to deploy the backdoor, as well as cloak the destination of the command-&-control (C2) traffic.
System BC, a proxy & remote administrative tool, was 1st found in 2019. Researchers believe it is being used by ransomware-as-a-service affiliates due to it being associated with multiple types of ransomware that are deployed in the same way. When executed, the backdoor is used by ransomware players to set up a persistent connection on victim systems.
“While System BC has been around for over a year, we’ve seen both its use & its features continue to evolve,” said Sivagnanam Gn & Sean Gallagher, researchers with Sophos, in a Wed. analysis.
Virtual Private Network
“The most recent samples of System BC carry code that, instead of acting essentially as a virtual private network via a SOCKS5 proxy, uses the Tor anonymising network to encrypt & conceal the destination of command & control traffic.”
Researchers warned that over recent months they have detected 100s of attempted System BC deployments globally. The backdoor has been utilised in recent Ryuk & Egregor ransomware attacks, & has also often been used in combination with post-exploitation tools such as Cobalt Strike, they observed.
System BC Proliferation
Initially, ransomware groups that leverage System BC have been observed 1st infecting systems using spam or phishing emails. These emails then trick the victim into downloading the Buer loader, QBot, ZLoader or other types of malware, which are used for initial exploitation & lateral movement.
Then, attackers use System BC (along with Cobalt Strike, in some cases) in order to scoop up passwords from victim systems – although in some cases, the System BC backdoor was only deployed to servers after attackers gained administrative credentials, & then used it to move deeper into the targeted network, researchers explained.
System BC is used primarily to gain further persistence on the victim system. In what is now a more automated process, the backdoor can deploy Power Shells; .CMD scripts (A CMD script file features 1 or more commands in plain text format that are executed in order to perform various tasks); Windows commands; malicious executables & dynamic link libraries (DLLs).
Researchers outlined that these key activities have been automated now so that operators can launch multiple attacks without the need for hands-on-keyboard activity. They are used for further exploitation & the deployment of the final ransomware (which in recent cases have been Ryuk or Egregor).
System BC Updates
The backdoor also acts both as a network proxy for concealed communications; here a primary change exists in how System BC has evolved.
Earlier, System BC primarily set up SOCKS5 proxies on victim computers, which could then be used by threat players to tunnel/hide the malicious traffic associated with other malware.
A SOCKS5 proxy server creates a Transmission Control Protocol (TCP) connection to another server behind the firewall on the client’s behalf, then exchanges network packets between the client & the actual server.
“With the proxies initialised, the client now begins to retrieve data requested from the C2 via HTTPS,” researchers with Proofpoint suggested in a writeup in 2019, after the malware was discovered.
“The use of SOCKS5 is not a major differentiator; it’s just another potential technology malware authors can use for this purpose & the primary proxy protocol,” they noted then.
Most of the C2 communications with the more recent versions of System BC, however, are over a Tor connection: “The Tor communications element of System BC appears to be based on mini-Tor, an open-source library for lightweight connectivity to the Tor anonymised network,” commented Sophos researchers.
“The code of mini-Tor isn’t directly duplicated in System BC. But the bot’s implementation of the Tor client closely resembles the implementation used in the open-source program, including its extensive use of the Windows Crypto Next Gen (CNG) API’s Base Crypto (BCrypt) functions.”
These changes to the backdoor “are likely an effort to make it more difficult to detect the network traffic associated with command & control of System BC,” Sophos’ Gallagher described.
“I can’t say if it’s more effective to use Tor instead of a SOCKS5 proxy, but it gives the attacker a more obfuscated and encrypted way of sending commands, scripts, & more malware to the bot,” Gallagher explained. “A single SOCKS5 proxy could be quickly blocked, while Tor is more resilient in its routing.”
System BC proves to be another useful tool for cyber-criminals who have been launching increased levels of ransomware attacks. In 2020, in fact, ransomware attacks more than doubled year-over-year (up 109%).