January 25, 2024 at 11:38AM
Cybersecurity researchers have uncovered details about the SystemBC malware, noting its availability on underground markets and its capability to control compromised hosts, deliver various payloads, and use SOCKS5 proxies to mask network traffic. There is also insight into an updated version of the DarkGate remote access trojan, showcasing weaknesses in its Base64 alphabet.
Key takeaways from the meeting notes:
1. SystemBC, a malware family, is available for purchase on underground marketplaces and has been observed in the wild since 2018. It allows threat actors to remotely control compromised hosts and deliver additional payloads, including trojans, Cobalt Strike, and ransomware.
2. SystemBC uses SOCKS5 proxies to mask network traffic to and from command-and-control (C2) infrastructure, acting as a persistent access mechanism for post-exploitation.
3. Customers who purchase SystemBC are provided with an installation package that includes implant executables, Windows and Linux binaries for the C2 server, a PHP file for the C2 panel interface, and instructions in English and Russian detailing the steps and commands to run.
4. The C2 server executables open up at least three TCP ports for facilitating C2 traffic and inter-process communication between itself and the PHP-based panel interface, as well as a port for each active implant (bot).
5. The PHP-based panel is minimalist in nature and acts as a conduit to run shellcode and arbitrary files on a victim machine, enabling full remote capabilities that can be injected into the implant at runtime.
6. An updated version of DarkGate (version 5.2.3), a remote access trojan (RAT), has also been analyzed. DarkGate swaps the Base64 alphabet in use at the initialization of the program, making it possible for forensic analysts to decode the configuration and keylogger files without needing to first determine the hardware ID.
7. The keylogger output files of DarkGate contain keystrokes stolen by the malware, including typed passwords, composed emails, and other sensitive information.
If you need any further clarification or additional information, feel free to ask.