
SystemBC Infects Over 10,000 Servers and Threatens Governments
TL;DR
The malware operation known as SystemBC continues to raise global concerns, infecting over 10,000 servers worldwide, including government systems.
The malware operation known as SystemBC continues to raise global concerns, infecting over 10,000 servers worldwide, including government systems. An investigation by the cybersecurity firm Silent Push revealed that, even after the Endgame Operation carried out by Europol in May 2024, the malware not only survived but also evolved.
Researchers have identified a new SystemBC variant written in Perl that went undetected by all 62 antivirus engines evaluated on the VirusTotal platform. "The ongoing activity in forums after the Endgame Operation shows that we did not mark the end of SystemBC," states the Silent Push report.
How SystemBC Works
When a server is infected by SystemBC, the malware does not delete data or attempt to extort the victim immediately. Instead, it transforms the infected machine into a SOCKS5 proxy, acting as an intermediary that relays internet traffic to malicious agents.
This strategy lets the malware establish a reverse connection to the criminals' command servers and relay malicious traffic through the victim without drawing attention. Communications are obfuscated with RC4 encryption, which makes them harder for security systems to identify.
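The two wire-level traits described above, a host answering SOCKS5 method negotiation and opaque non-TLS traffic of the kind RC4 obfuscation produces, can both be checked from the first payload bytes of a captured flow. The following is an added example, not code from the Silent Push report or from SystemBC itself; the RC4 key, the beacon text and the HTTP request are constructed placeholders, and the entropy threshold is an assumed tuning value.

```python
"""Added example: classify the first payload bytes of a captured TCP flow.
Flags (a) RFC 1928 SOCKS5 negotiation, meaning the responding host offers
proxy service, and (b) high-entropy non-TLS payloads, which is what
RC4-obfuscated C2 traffic looks like on the wire. All samples are constructed."""
import math
from collections import Counter


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (key scheduling + keystream). Used here only to build a
    realistic-looking opaque sample; the key passed in below is a placeholder."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-valued input, up to 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_socks5_negotiation(client_first: bytes, server_first: bytes) -> bool:
    """RFC 1928 method negotiation: client sends VER=5, NMETHODS, METHODS[];
    server answers VER=5, METHOD. If an internal host is the *server* side,
    that host is acting as a SOCKS5 proxy."""
    if len(client_first) < 3 or client_first[0] != 0x05:
        return False
    nmethods = client_first[1]
    if nmethods == 0 or len(client_first) != 2 + nmethods:
        return False
    return len(server_first) == 2 and server_first[0] == 0x05


def looks_like_tls(payload: bytes) -> bool:
    """TLS record header: content type 0x16 (handshake), version major byte 0x03."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03


def classify_flow(client_first: bytes, server_first: bytes,
                  min_len: int = 512, threshold: float = 7.0) -> list:
    """Return the labels that apply to one flow, given the first payload each way.
    min_len and threshold are assumed tuning values: short payloads cannot reach
    high entropy, and 7.0 bits/byte over 512+ bytes is well above any plaintext."""
    findings = []
    if is_socks5_negotiation(client_first, server_first):
        findings.append("socks5-proxy")
    # Opaque bytes that carry no TLS record header: consistent with RC4-obfuscated C2.
    if (len(client_first) >= min_len and not looks_like_tls(client_first)
            and shannon_entropy(client_first) >= threshold):
        findings.append("opaque-non-tls")
    return findings


# Constructed samples (placeholder key and text, not SystemBC's real protocol).
SAMPLE_HTTP = b"GET /wp-login.php HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
SAMPLE_BEACON = (b"placeholder beacon: host=srv01 build=0 " * 40)[:1024]
SAMPLE_RC4_BLOB = rc4(b"placeholder-key", SAMPLE_BEACON)

if __name__ == "__main__":
    print(classify_flow(b"\x05\x01\x00", b"\x05\x00"))         # ['socks5-proxy']
    print(classify_flow(SAMPLE_HTTP, b"HTTP/1.1 200 OK\r\n"))  # []
    print(classify_flow(SAMPLE_RC4_BLOB, b""))                 # ['opaque-non-tls']
```

The entropy check is a heuristic, not a signature: compressed uploads and custom binary protocols also score high, so in practice it is a triage filter that sends the flow to someone for a look, while the SOCKS5 check is close to definitive for a server that has no business proxying.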
Global Infection Map
The data reveals that the United States leads with over 4,300 infected IP addresses, followed by Germany (829), France (448), Singapore (419), and India (294). Notably, government servers have been identified in Vietnam and Burkina Faso, where official websites are among the compromised systems.
Persistent and Profitable Infections
Unlike fast-spreading viruses, SystemBC infections persist: they last an average of 38 days, with some cases exceeding 100 days. The malware acts both as a proxy that obscures criminal activity and as a backdoor that gives continuous access to the victims' networks.
In many cases, the infection by SystemBC precedes ransomware attacks that encrypt files and demand payment to restore them.
All Roads Lead to Russia
Evidence indicates that the origins of SystemBC are in Russia. The developer, using the pseudonym "psevdo", posts in Russian on hacker forums. The malware was initially documented in 2019 by the security company Proofpoint and has continually adapted, with the new variant featuring code in Russian.
Bulletproof Hosting
The operators of SystemBC use bulletproof hosting services, which ignore complaints and legal orders to remove malicious content. The malware's infrastructure has been traced to providers that operate under weak or nonexistent regulation, offering shelter for criminal activities.
WordPress in Their Sights
Many affected IP addresses are linked to attacks on WordPress-based sites; WordPress powers about 43% of all websites on the internet. Attackers exploit vulnerabilities in outdated plugins or themes, routing the attacks through the SystemBC proxy network.
An analyst describes the operation as running on an "industrial scale": the infected machines function as a distributed army, while the attacks use considerable complexity to conceal the criminals' real location.
A Modern Attack
The attack typically begins with infection through vulnerabilities in servers or phishing campaigns. After the infection, SystemBC connects to the command and control servers, allowing attackers to conduct reconnaissance on the victim’s network.
Attackers can steal credentials and exfiltrate sensitive data, paving the way for the final deployment of ransomware.
Window of Opportunity
The average duration of SystemBC infections presents an opportunity for defense. There is a significant window of time for detection and response, as long as organizations actively seek signs of infection.
Silent Push has developed "Future Attack Indicator feeds" for SystemBC, offering updated information on malicious domains and IP addresses, allowing security teams to take preventive actions.
"The key is proactive monitoring," concludes the report. Waiting for alerts from conventional antivirus programs is insufficient against new variants that those programs do not yet detect.
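Proactive monitoring of the kind the report calls for, combined with an indicator feed, comes down to a sweep like the one below. This is an added example, not Silent Push's feed format or code: the indicator addresses are placeholders from RFC 5737 documentation ranges, the log lines are constructed, and the `min_days` threshold is an assumed value. It flags two things that a multi-week SystemBC infection produces and that a single antivirus alert would not: outbound sessions to destinations on the feed, and internal hosts that reach the same external address and port day after day.

```python
"""Added example: sweep constructed connection-log lines for (1) destinations on
an indicator feed and (2) internal hosts with day-after-day contact to one
external address:port, the persistent proxy/C2 pattern of a long-lived
infection. Feed entries, addresses and log lines are all constructed."""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed indicator feed (placeholder addresses, RFC 5737 ranges).
IOC_FEED = {"203.0.113.7", "198.51.100.23"}

# Constructed outbound connection log, one record per line: ts,src,dst,dport
SAMPLE_LOG = """\
2024-06-01T00:05:12Z,10.0.0.5,203.0.113.7,4001
2024-06-02T00:06:01Z,10.0.0.5,203.0.113.7,4001
2024-06-03T00:05:48Z,10.0.0.5,203.0.113.7,4001
2024-06-04T00:05:55Z,10.0.0.5,203.0.113.7,4001
2024-06-04T09:12:33Z,10.0.0.5,192.0.2.10,80
2024-06-02T13:41:07Z,10.0.0.9,198.51.100.23,4001
2024-06-01T08:00:00Z,10.0.0.12,192.0.2.44,443
2024-06-02T08:00:00Z,10.0.0.12,192.0.2.44,443
2024-06-03T08:00:00Z,10.0.0.12,192.0.2.44,443
"""


def parse_log(text: str) -> list:
    """Parse the constructed CSV format into (datetime, src, dst, dport) tuples."""
    rows = []
    for rec in csv.reader(StringIO(text)):
        if not rec:
            continue
        ts, src, dst, dport = rec
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(dport)))
    return rows


def ioc_hits(rows: list, feed: set) -> list:
    """Distinct (src, dst) pairs whose destination is on the indicator feed."""
    return sorted({(src, dst) for _, src, dst, _ in rows if dst in feed})


def persistent_peers(rows: list, min_days: int = 3) -> list:
    """(src, dst, dport) tuples seen on at least min_days distinct calendar days.
    Day-level bucketing deliberately ignores how many connections happen per day,
    so a once-a-day beacon counts the same as a chatty proxy session."""
    days = defaultdict(set)
    for ts, src, dst, dport in rows:
        days[(src, dst, dport)].add(ts.date())
    return sorted((key, len(seen)) for key, seen in days.items() if len(seen) >= min_days)


def sweep(text: str, feed: set, min_days: int = 3) -> dict:
    """Run both checks over one log and return the findings."""
    rows = parse_log(text)
    return {
        "ioc": ioc_hits(rows, feed),
        "persistent": [key for key, _ in persistent_peers(rows, min_days)],
    }


if __name__ == "__main__":
    result = sweep(SAMPLE_LOG, IOC_FEED)
    for src, dst in result["ioc"]:
        print(f"feed hit: {src} -> {dst}")
    for src, dst, dport in result["persistent"]:
        print(f"persistent peer: {src} -> {dst}:{dport}")
```

The persistence check intentionally fires on the host talking to `192.0.2.44:443` every day even though that address is not on the feed; a legitimate update or CDN endpoint will show up the same way, so the list needs an allowlist of known-good peers before it becomes an alert rather than a review queue. The feed hit on `10.0.0.9` is the more urgent item: one contact with a known proxy endpoint is enough to justify isolating the host.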