In recent months, Sophos’ incident response team has observed the use of the commoditized SystemBC RAT (Remote Access Tool) in Ryuk and Egregor ransomware attacks. In these attacks, SystemBC is used as a backdoor on compromised systems to move laterally through a victim’s network, allowing the attackers to exfiltrate data and to deploy malicious payloads (including ransomware).

What Is It?

The Ryuk and Egregor attacks described by Sophos begin with one of several malicious droppers, delivered by spam emails. These are then used to deliver Cobalt Strike and SystemBC malware for lateral movement through the victim network. SystemBC is then used to perform data exfiltration and as a delivery mechanism to deploy the ransomware payload. By this point, the attackers may have been inside the victim network for up to several weeks. When they are satisfied that they have exfiltrated enough data and compromised enough systems, the previously deployed ransomware is activated to encrypt systems and file servers.

As a RAT, SystemBC comes with all the normally expected functionality. When executed, it reports back to the attacker via the C2 channel: the active Windows username, Windows build number, volume serial number and whether the system is 32-bit or 64-bit. It can execute a variety of different file types sent to it via C2, including executables, DLLs, shellcode, Visual Basic scripts, Windows commands, Windows batch files and PowerShell scripts. Executed malicious code can then use the Tor proxy to communicate with attackers and exfiltrate data.

The use of SystemBC is another example of threat actors choosing the efficiency of existing malicious tools as a component of their attack chain – why reinvent the wheel when a suitable tool already exists? In the incidents described here, this allows them to focus time and effort on their own malware and ransomware.

The SystemBC RAT was first detailed by researchers from Proofpoint in August 2019, when they saw it being used in conjunction with the Fallout and RIG exploit kits. Initial versions are believed to have been sold on Russian dark web marketplaces and created data-handling SOCKS5 proxies on infected systems. These proxies were used to evade detection of C2 traffic by firewalls and other detection mechanisms and to obfuscate the addresses of the C2 sites. Subsequent versions of SystemBC have replaced the use of SOCKS5 proxies with Tor.

How Does It Propagate?

The SystemBC RAT malware does not contain the necessary code to self-propagate. The initial attack vector observed in these attacks is spam with malicious Buer Loader, QBot, Bazar Loader or ZLoader attachments/links.

When/How Did BluVector Detect It?

Four SystemBC samples related to these attacks are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the samples would have been detected an average of 81 months prior to their release.