A new malware strain is being distributed by threat actors via exploit kits like Fallout and RIG to hide malicious network traffic with the help of SOCKS5 proxies set up on compromised computers.
The malware, provisionally named SystemBC by the Proofpoint Threat Insight Team researchers who found it, uses secure HTTP connections to encrypt the information sent to command-and-control servers by other strains dropped on the infected machines.
“SystemBC is written in C++ and primarily sets up SOCKS5 proxies on victim computers that can then be used by threat actors to tunnel/hide the malicious traffic associated with other malware,” says Proofpoint.
Exploit kit-powered distribution
“In the most recently tracked example, the Fallout exploit is used to download the Danabot banking Trojan and a SOCKS5 proxy which is used on the victim’s Windows system to evade firewall detection of command and control (C2) traffic,” the researchers found.
SOCKS5 proxies also make it possible for the malware operators to bypass Internet content filters and to avoid discovery by hiding the IP addresses involved in the C2 communications.
Before Proofpoint’s report was published, security researchers have also detected samples [1, 2] potentially related to the SystemBC proxy malware and shared information Twitter [1, 2, 3].
The attackers behind the campaigns distributing SystemBC use the exploit kits which drop the proxy malware to also infect their victims with other well-known malicious payloads such as the modular Danabot banking Trojan.
SystemBC was observed by Proofpoint’s researchers while spreading to potential targets via several Fallout EK powered campaigns during June and July.
On June 4, one of the malicious campaigns used malvertising to distribute the SystemBC samples, while another one from June 6 dropped a PowerEnum PowerShell script traditionally used by attackers for device fingerprinting and exfiltrating the collected data to their C2 servers.
However, in this case, PowerEnum has also “been observed instructing the download of Danabot Affid 4 and a proxy malware DLL” by the attackers, later identified as the SystemBC malware.
During July, “Proofpoint researchers observed the proxy malware a third time. This time it was being distributed by the Amadey Loader, which itself was being distributed in a RIG EK campaign.”
Potentially sold on underground marketplace
Proofpoint believes that the SystemBC proxy malware was — and might still be — sold by its authors via an underground marketplace given its widespread distribution via several separate campaigns.
An advertisement written in Russian, found by the researchers on the marketplace they haven’t named, promotes a malware strain called “socks5 backconnect system” which matches SystemBC’s features and functionality.
“To differentiate from other malware levering SOCKS5, we dubbed the new malware ‘SystemBC’ based on the URI path shown in the advertisement’s panel screenshots,” add the Proofpoint researchers.
The SystemBC advertisement lists the following features:
• loader with update function every N hours (for long survivability it is necessary to update the crypts)
• firewall (access to socks only from trusted ip)
• authorization on socks by login and password
• GeoIP (can be configured via maxmind online service (weekly database updates)
• supports regular domains and ip + .bit domains (via your dns or public)
SystemBC’s ad also came with a number of C2 panel screenshots featuring “a list of victim computers, automated updating, and built-in authentication.“
A more in-depth look on this proxy malware’s innards, as well as a list of Indicators of Compromise (IOCs) including malware sample hashes, C2 server domains and IP addresses, are available at the end of Proofpoint’s SystemBC’s analysis.