Full Report
The operators of the SystemBC proxy botnet are hunting for vulnerable commercial virtual private servers (VPS) and maintain an average of 1,500 bots every day that provide a highway for malicious traffic. [...]
Analysis Summary
# Tool/Technique: SystemBC
## Overview
SystemBC is a malware family that turns compromised Virtual Private Server (VPS) systems into a large-scale proxy highway. It is used by various threat actors, including ransomware gangs, to route malicious traffic and hide Command-and-Control (C2) activity, making detection significantly more difficult. The network focuses on volume rather than stealth.
## Technical Details
- Type: Malware family
- Platform: Primarily Linux-based VPS systems (inferred; the source speaks of 'VPS systems' and of execution via a downloaded shell script)
- Capabilities: Acts as a high-volume proxy server, feeds other criminal proxy networks, and brute-forces WordPress credentials.
- First Seen: At least since 2019
## MITRE ATT&CK Mapping
This summary focuses on the observed behavior of deploying the malware and its use for proxying traffic.
- **TA0011 - Command and Control**
  - T1090 - Proxy
    - T1090.003 - Multi-hop Proxy (inferred from the network supplying proxy services to other criminal proxy networks)
- **TA0003 - Persistence**
  - T1543.003 - Windows Service (only if Windows VPS are targeted; the shell-script observations imply Linux)
## Functionality
### Core Capabilities
- **Proxy Service:** Provides a high-volume, stable proxy network for customers, often utilizing compromised commercial VPS infrastructure.
- **Hosting C2 Traffic:** Hides the C2 communications of threat actors by routing traffic through infected hosts.
- **Automation:** Infected bots run all SystemBC samples simultaneously via a downloaded shell script containing Russian comments.
### Advanced Features
- **Fueling Other Services:** The SystemBC network powers other substantial criminal proxy services, notably REM Proxy (which uses about 80% of the bots) and the Vietnamese-based VN5Socks/Shopsocks5.
- **Credential Brute-Forcing:** Operators primarily use the network to brute-force WordPress credentials, which are then likely sold to actors engaging in site injection.
- **High Throughput:** Capable of generating extremely large volumes of proxy data (e.g., 16+ GB in 24 hours from one IP).
## Indicators of Compromise
- File Hashes: None provided in the source text; it refers to 180 SystemBC malware samples associated with one IP.
- File Names: N/A (execution is initiated by a downloaded shell script).
- Registry Keys: N/A
- Network Indicators:
  - Core recruiting/hosting IP (defanged): `104.250.164[.]214`
  - Over 80 associated C2 servers.
- Behavioral Indicators:
  - Systems exhibiting consistently high outbound proxy data volume for extended periods.
  - Compromised hosts carrying numerous (average 20+) unpatched vulnerabilities, including critical ones.
## Associated Threat Actors
- Various threat actors, including several ransomware gangs.
- Operators of the REM Proxy and VN5Socks/Shopsocks5 services.
- Operators utilizing the network for WordPress credential brute-forcing.
## Detection Methods
- Signature-based detection: Available for the 180 known malware samples (though specific signatures were not listed).
- Behavioral detection: Monitoring for systems, particularly VPS instances, exhibiting unusual, high-volume outbound traffic patterns consistent with bulk proxying.
- YARA rules: Black Lotus Labs reportedly provided analysis and IOCs, which likely include YARA rules; none are detailed in this summary.
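The behavioral indicator above (sustained, high-volume outbound traffic to many destinations, of the order of the 16+ GB in 24 hours the source attributes to one bot) can be checked against flow telemetry. The following is an added example, not code from the source report or from Black Lotus Labs: it aggregates constructed NetFlow-style records per source host over a sliding 24-hour window and flags hosts that exceed both a byte threshold and a fan-out threshold. The CSV field layout, the 24-hour window, and the `MIN_DISTINCT_DST` value are assumptions; only the 16 GB figure comes from the source.

```python
"""Flag VPS hosts whose outbound flows look like bulk proxying (added example)."""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Flow = namedtuple("Flow", "ts src dst dport bytes_out")

GB = 10**9
VOLUME_THRESHOLD = 16 * GB     # the source's observed 16+ GB / 24 h from one infected IP
WINDOW = timedelta(hours=24)
MIN_DISTINCT_DST = 10          # assumed: a proxy bot fans out to many destinations


def parse_flows(lines):
    """Parse constructed CSV lines of the form ts,src,dst,dport,bytes_out."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split(",")
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return flows


def find_bulk_proxies(flows, threshold=VOLUME_THRESHOLD, window=WINDOW, min_dst=MIN_DISTINCT_DST):
    """Return {src: (peak_bytes_in_window, distinct_dst_in_window)} for every source
    that, in some sliding window, both moves >= threshold bytes and talks to >= min_dst
    distinct destinations. A backup job moving more bytes to one peer is not flagged."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)

    hits = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        start, total = 0, 0
        dst_counts = defaultdict(int)
        best = None
        for end, f in enumerate(fl):
            total += f.bytes_out
            dst_counts[f.dst] += 1
            # Drop flows that fell out of the window ending at fl[end].ts.
            while fl[end].ts - fl[start].ts > window:
                old = fl[start]
                total -= old.bytes_out
                dst_counts[old.dst] -= 1
                if dst_counts[old.dst] == 0:
                    del dst_counts[old.dst]
                start += 1
            if total >= threshold and len(dst_counts) >= min_dst:
                if best is None or total > best[0]:
                    best = (total, len(dst_counts))
        if best is not None:
            hits[src] = best
    return hits


def constructed_sample():
    """Constructed flow records, not real telemetry: one noisy bot, one backup host,
    one ordinary web server."""
    base = datetime(2024, 1, 1)
    lines = ["# ts,src,dst,dport,bytes_out"]
    # Infected VPS: 12 destinations, 18 GB within 16.5 hours.
    for i in range(12):
        ts = (base + timedelta(hours=1.5 * i)).isoformat()
        lines.append(f"{ts},10.0.0.5,203.0.113.{i + 1},443,1500000000")
    # Nightly backup: 20 GB, but to a single destination.
    for i in range(4):
        ts = (base + timedelta(hours=6 * i)).isoformat()
        lines.append(f"{ts},10.0.0.9,198.51.100.50,22,5000000000")
    # Ordinary web server: many destinations, tiny volume.
    for i in range(30):
        ts = (base + timedelta(minutes=20 * i)).isoformat()
        lines.append(f"{ts},10.0.0.7,192.0.2.{i + 1},443,2000000")
    return lines


if __name__ == "__main__":
    for src, (nbytes, ndst) in find_bulk_proxies(parse_flows(constructed_sample())).items():
        print(f"{src}: {nbytes / GB:.1f} GB to {ndst} destinations in 24 h")
```

Requiring both conditions is the point of the design: raw byte volume alone would flag the backup host, while fan-out alone would flag the web server; a proxy bot serving many customers shows both at once.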
## Mitigation Strategies
- **Patch Management:** Urgent patching of all known vulnerabilities, especially critical ones, on VPS systems. Infected systems typically have many unpatched issues.
- **Network Monitoring:** Monitor for unexplained, high-volume proxy traffic originating from internal or managed servers.
- **Access Control:** Secure WordPress installations thoroughly to prevent credential brute-forcing.
- **Supply Chain Hardening:** The malware has survived law enforcement operations targeting droppers (like Endgame), suggesting organizations need robust endpoint protection against multi-stage attacks.
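On the WordPress side, the brute-forcing described above arrives through proxy bots, so a site sees it either as a few hot IPs or as many low-rate IPs that only add up in aggregate. The following is an added example, not code from the source report: it parses constructed Apache combined-format access log lines, counts POST requests to the login endpoints per source IP in a sliding window, and also keeps a site-wide count so that a distributed attempt that stays under every per-IP limit is still noticed. The thresholds, window length, and the endpoint list are assumptions.

```python
"""Detect WordPress login brute-forcing in access logs, per IP and site-wide (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx combined log format; the remaining fields after status are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}   # assumed set of credential endpoints


def login_attempts(lines):
    """Yield (timestamp, ip) for every POST to a login endpoint; skip unparsable lines."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] not in LOGIN_PATHS:
            continue
        yield datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ip"]


def peak_in_window(times, window):
    """Largest number of events falling inside any interval of length `window`."""
    times = sorted(times)
    start, peak = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def detect_login_bruteforce(lines, per_ip_limit=20, site_limit=100, window=timedelta(minutes=10)):
    """Return {"per_ip": {ip: peak_attempts}, "site_peak": int, "distributed": bool}.
    per_ip lists sources over per_ip_limit; distributed is set when the site as a whole
    exceeds site_limit even though individual IPs may stay under their limit."""
    per_ip = defaultdict(list)
    all_times = []
    for ts, ip in login_attempts(lines):
        per_ip[ip].append(ts)
        all_times.append(ts)
    offenders = {ip: peak_in_window(ts, window) for ip, ts in per_ip.items()}
    offenders = {ip: n for ip, n in offenders.items() if n >= per_ip_limit}
    site_peak = peak_in_window(all_times, window) if all_times else 0
    return {"per_ip": offenders, "site_peak": site_peak, "distributed": site_peak >= site_limit}


def constructed_access_log():
    """Constructed log lines, not a real capture: three hot proxies, ten low-rate proxies,
    and one legitimate administrator."""
    base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, ts, method, path, status):
        stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'

    lines = []
    for n in range(3):            # 25 attempts each within 5 minutes
        for i in range(25):
            lines.append(line(f"203.0.113.{n + 1}", base + timedelta(seconds=12 * i),
                              "POST", "/wp-login.php", 200))
    for n in range(10):           # 12 attempts each within 9 minutes: under the per-IP limit
        for i in range(12):
            lines.append(line(f"198.51.100.{n + 1}", base + timedelta(seconds=45 * i),
                              "POST", "/wp-login.php?redirect_to=%2Fwp-admin%2F", 200))
    lines.append(line("192.0.2.10", base, "GET", "/wp-login.php", 200))
    lines.append(line("192.0.2.10", base + timedelta(seconds=30), "POST", "/wp-login.php", 302))
    lines.append(line("192.0.2.10", base + timedelta(seconds=60), "GET", "/wp-admin/", 200))
    return lines


if __name__ == "__main__":
    result = detect_login_bruteforce(constructed_access_log())
    print("per-IP offenders:", result["per_ip"])
    print("site-wide peak:", result["site_peak"], "distributed:", result["distributed"])
```

The site-wide counter is what matters against a proxy botnet: in the constructed log, none of the ten low-rate sources crosses the per-IP limit, yet together with the three hot ones they put 196 login POSTs into a ten-minute window, which is the signal a per-IP rate limiter alone would miss.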
## Related Tools/Techniques
- REM Proxy (A large service relying heavily on SystemBC infrastructure)
- VN5Socks / Shopsocks5 (Another proxy network using SystemBC bots)