The operators of the SystemBC proxy botnet are looking for susceptible business digital non-public servers (VPS) and keep a mean of 1,500 bots day-after-day that present a freeway for malicious visitors.
Compromised servers are situated everywhere in the world and have at the least one unpatched crucial vulnerability, a few of them being tormented by tens of safety points.
SystemBC has been round since at the least 2019 and has been utilized by varied risk actors, together with a number of ransomware gangs, to ship payloads.
It lets attackers route malicious visitors by the contaminated host and conceal command-and-control (C2) exercise to make detection tougher.
SystemBC’s clients
In accordance with researchers at Lumen Expertise’s Black Lotus Labs, the SystemBC proxy community is constructed for quantity with little concern for stealth. It additionally powers different prison proxy networks and has “extraordinarily lengthy common an infection lifetimes.”
Primarily based on the researchers’ findings, neither clients nor operators of SystemBC care about preserving a low profile, because the bots’ IP addresses will not be protected in any approach (e.g. by obfuscation or rotation).
SystemBC has greater than 80 command-and-control (C2) servers, which join purchasers to an contaminated proxy server, and it fuels different proxy community providers.
One malicious service referred to as REM Proxy depends on round 80% of SystemBC’s bots, offering tiered providers to its clients, relying on the required proxy high quality.
A big Russian web-scraping service is one other important SystemBC buyer, together with a Vietnamese-based proxy community referred to as VN5Socks or Shopsocks5.
supply: Black Lotus Labs
Nevertheless, the researchers say that SystemBC operators take advantage of use of it to brute-force WordPress credentials which can be probably offered to brokers who inject websites with malicious code.
Focusing on susceptible VPSs
Nearly 80% of the SystemBC community of 1,500 every day bots consists of compromised VPS methods from a number of “giant business suppliers.”
Black Lotus Labs says that this enables for a longer-than-average an infection lifespan, with almost 40% of the methods staying compromised for greater than a month.
All of the contaminated servers have a number of “easy-to-exploit” vulnerabilities, the typical being 20 unpatched safety points, and at the least one critical-severity one.
The researchers additionally discovered one system in Alabama, which the Censys web intelligence platform and search engine listed as having 161 safety vulnerabilities.
supply: Black Lotus Labs
By compromising VPS methods, SystemBC allows high-volume, steady visitors for its clients, which isn’t potential with residential proxy networks primarily based on SOHO units.
By working the SystemBC malware in a simulated surroundings, the researchers noticed “a selected IP tackle generate an extra of 16 gigabytes of proxy information” in simply 24 hours.
“This quantity of information is an order of magnitude higher than what is usually noticed in typical proxy networks,” stated Black Lotus Labs researchers in a report shared with BleepingComputer.
Primarily based on the corporate’s international IP telemetry, one tackle, 104.250.164[.]214, seems to be on the core of sufferer recruiting exercise and likewise hosts all 180 SystemBC malware samples.
In accordance with the researchers’ evaluation, a newly contaminated server downloads a shell script, which has feedback in Russian and directs the bot to run each SystemBC pattern on the identical time.
The proxy community has been energetic for a very long time and has resisted even regulation enforcement operations, akin to Endgame, which focused the malware droppers for a number of botnets, together with SystemBC.
Black Lotus Labs offers an in depth technical evaluation of the SystemBC proxy malware, together with indicators of compromise, to assist organizations determine compromise makes an attempt or disrupt the operation.
46% of environments had passwords cracked, almost doubling from 25% final yr.
Get the Picus Blue Report 2025 now for a complete take a look at extra findings on prevention, detection, and information exfiltration traits.
