SystemBC Infects 10,000 Devices After Defying Law Enforcement Takedown
"Historically, the malware has also been involved in the distribution of ransomware and other malicious payloads, and was targeted by authorities in May 2024 as part of Operation Endgame. Despite the coordinated international law enforcement effort, the botnet's activity did not cease, and its developer was seen posting updates on Russian-language underground forums, Silent Push notes."
"Now, there are more than 10,000 IP addresses generating SystemBC-specific traffic, most of them in the US (4,300). Large numbers of victims were also identified in Germany (829), France (448), Singapore (419), and India (294), the cybersecurity firm says. The malware mainly targets hosting providers, and Silent Push identified high-density IP addresses hosting official domains in Burkina Faso and Vietnam associated with SystemBC infections."
"SystemBC uses a rotating architecture, where the clients connect to internet-exposed command-and-control (C&C) servers that proxy traffic through the infected hosts. Analysis of the C&C communication associated with the botnet revealed the existence of a Perl-based SystemBC variant targeting Linux systems, which in turn showed that the malware's developer is a Russian speaker."
SystemBC, also known as Coroxy and DroxiDat, has operated since at least 2019 as a backdoor and traffic-proxying loader that has distributed ransomware and other payloads. A May 2024 law enforcement takedown under Operation Endgame failed to stop activity, and the developer posted updates on Russian-language underground forums. More than 10,000 IPs now generate SystemBC-specific traffic, with concentrations in the US, Germany, France, Singapore, and India. The malware targets hosting providers and converts infected machines into SOCKS5 proxies to relay traffic and monetize operations. A Perl-based Linux variant and involvement in WordPress attacks were also observed.
Read at SecurityWeek