Tags: C2, Fileless, Windows, APT
SystemBC is a multi-purpose malware that turns infected Windows machines into SOCKS5 proxies so attackers can communicate with their command-and-control (C2) servers. Written in C, it encrypts its traffic with RC4 over TCP, which makes detection and analysis harder.
By setting up a SOCKS5 proxy on compromised systems, SystemBC lets attackers hide their traffic. The proxy routes attacker traffic through the infected host, so the attackers can mask their true origin and make it harder for defenders to trace activity back to them.
Command-and-Control Communication
SystemBC communicates with its C2 servers using a custom binary protocol over TCP, encrypted with RC4. Because the commands and data exchanged between the malware and its operators are encrypted, they stay confidential and evade intrusion detection systems that rely on inspecting unencrypted traffic.
Role in Multi-Stage Attacks
SystemBC is often deployed alongside other malware and acts as a facilitator in attack chains. Its proxy hides the activity of other payloads, such as ransomware or data exfiltration tools, so attackers can maintain persistence and carry out further malicious activity without raising immediate suspicion.
Monitor network traffic for unusual proxy activities that may indicate SystemBC presence.
Deploy intrusion detection systems (IDS) to identify and block traffic associated with SystemBC.
Regularly update endpoint security tools to detect and prevent new SystemBC variants.
Implement strict access controls and network segmentation to limit the spread of malware.
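The "unusual proxy activity" the first recommendation refers to is the SOCKS5 handshake itself: RC4 hides the C2 protocol, but a host that starts accepting RFC 1928 handshakes on an arbitrary port is still visible on the wire. The following is an added example (not code from the original page or from SystemBC) that parses the SOCKS5 greeting, method selection and CONNECT request from the first bytes of captured TCP flows; the Flow records, addresses and ports are constructed sample data.

```python
from dataclasses import dataclass
import ipaddress
import struct

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    client_payload: bytes  # first bytes sent by the connecting side
    server_payload: bytes  # first bytes sent back by the accepting side

def parse_greeting(data: bytes):
    """Client greeting: VER=5, NMETHODS, NMETHODS method bytes. Returns greeting length or None."""
    if len(data) >= 2 and data[0] == 5 and data[1] >= 1 and len(data) >= 2 + data[1]:
        return 2 + data[1]
    return None

def parse_connect(data: bytes):
    """CONNECT request: VER=5 CMD=1 RSV=0 ATYP DST.ADDR DST.PORT. Returns (host, port) or None."""
    if len(data) < 4 or data[:3] != b"\x05\x01\x00":
        return None
    atyp = data[3]
    if atyp == 1 and len(data) >= 10:  # IPv4 address
        return str(ipaddress.IPv4Address(data[4:8])), struct.unpack("!H", data[8:10])[0]
    if atyp == 3 and len(data) >= 5 and len(data) >= 7 + data[4]:  # length-prefixed domain
        n = data[4]
        return data[5:5 + n].decode("ascii", "replace"), struct.unpack("!H", data[5 + n:7 + n])[0]
    return None

def find_socks5_proxies(flows):
    """(proxy_ip, port, relayed_target) for each flow whose accepting side answered the
    greeting with a method selection (0x00 no-auth, 0x02 user/pass); 0xFF is a rejection."""
    hits = []
    for f in flows:
        glen = parse_greeting(f.client_payload)
        if glen is None or f.server_payload[:1] != b"\x05" or f.server_payload[1:2] not in (b"\x00", b"\x02"):
            continue
        hits.append((f.dst, f.dport, parse_connect(f.client_payload[glen:])))
    return hits

# Constructed sample flows: one SOCKS5 relay, one rejected handshake, one plain HTTP request.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.0.23", 4001,
         b"\x05\x01\x00" + b"\x05\x01\x00\x01" + bytes([203, 0, 113, 10]) + b"\x01\xbb", b"\x05\x00"),
    Flow("10.0.0.5", "10.0.0.24", 4001, b"\x05\x01\x00", b"\x05\xff"),
    Flow("10.0.0.5", "10.0.0.25", 80, b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n", b"HTTP/1.1 200 OK\r\n"),
]
```

Only the first flow is reported, because its accepting side completed the handshake and the client then asked it to relay a connection to 203.0.113.10:443; an internal workstation doing this on a non-standard port is the behaviour worth alerting on.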