SystemBC Botnet Survives Law Enforcement Takedown, Infects Over 10,000 Devices Worldwide

The SystemBC malware has proved remarkably resilient, continuing to operate even though it was among the families targeted by Europol’s Operation Endgame in May 2024. Cybersecurity firm Silent Push has identified more than 10,000 unique infected IP addresses in a single botnet cluster, and the activity shows no sign of slowing down.

Key Findings

Silent Push researchers deployed a custom-built SystemBC tracker that revealed a thriving criminal infrastructure:

  • 10,340+ victim IPs identified in a single cluster
  • 2,888 average daily active infections
  • 38-day average infection persistence, with some exceeding 100 days
  • New Perl variant discovered targeting Linux systems, with zero detections on VirusTotal at the time of analysis
  • Government infrastructure compromised in Vietnam and Burkina Faso

What is SystemBC?

First documented by Proofpoint in 2019 (also known as “Coroxy” or “DroxiDat”), SystemBC is a multi-platform proxy malware that converts compromised systems into SOCKS5 proxies. The malware serves two primary purposes:

  1. Traffic Proxying: Routes malicious traffic through compromised systems to mask attacker infrastructure
  2. Persistent Backdoor: Maintains external access to infected internal networks for follow-on attacks

The malware uses a “backconnect” architecture: the infected host initiates the connection to the attacker’s server rather than listening for inbound connections, and a custom RC4-encrypted protocol carries the relayed traffic over that link. This lets a bot behind NAT or an egress-only firewall still serve as a proxy, and it puts the infected host’s address, not the attacker’s, in front of the final target. Historically, SystemBC has been a precursor to ransomware deployments, making early detection critical.
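To make the proxying mechanism concrete, here is an added example (not Silent Push’s tracker and not SystemBC code) that parses the SOCKS5 handshake defined in RFC 1928 and flags flows that carry it, which is also what the later recommendation to watch for SOCKS5 traffic amounts to in practice. SystemBC’s RC4 wrapper is not documented on this page, so the example assumes the SOCKS5 messages are visible in cleartext, as they would be on an unencrypted relay or after decryption; the sample byte streams are constructed, and the two C2 addresses are taken from the IOC list later in the article.

```python
"""SOCKS5 (RFC 1928) handshake parser for flagging proxy relays.

Added example, not Silent Push or SystemBC code. Sample streams below are
constructed; the C2 addresses come from the article's IOC list.
"""
import ipaddress
import struct

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

# Two entries from the article's C2 list (refanged).
C2_IPS = {"62.60.131.191", "36.255.98.159"}


def parse_greeting(data: bytes):
    """Client method-selection message: VER | NMETHODS | METHODS[NMETHODS]."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) < 2 + nmethods:
        return None
    return {"methods": list(data[2:2 + nmethods]), "consumed": 2 + nmethods}


def parse_request(data: bytes):
    """Client request: VER | CMD | RSV=0x00 | ATYP | DST.ADDR | DST.PORT."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        return None
    cmd, atyp, pos = data[1], data[3], 4
    if cmd not in CMD_NAMES:
        return None
    if atyp == ATYP_IPV4 and len(data) >= pos + 4:
        addr, pos = str(ipaddress.IPv4Address(data[pos:pos + 4])), pos + 4
    elif atyp == ATYP_IPV6 and len(data) >= pos + 16:
        addr, pos = str(ipaddress.IPv6Address(data[pos:pos + 16])), pos + 16
    elif atyp == ATYP_DOMAIN and len(data) >= pos + 1 and len(data) >= pos + 1 + data[pos]:
        ln = data[pos]
        addr, pos = data[pos + 1:pos + 1 + ln].decode("ascii", "replace"), pos + 1 + ln
    else:
        return None  # unknown address type or truncated message
    if len(data) < pos + 2:
        return None
    (port,) = struct.unpack("!H", data[pos:pos + 2])
    return {"cmd": CMD_NAMES[cmd], "addr": addr, "port": port, "consumed": pos + 2}


def classify_stream(payload: bytes):
    """Classify the bytes sent by the SOCKS *client* side of a TCP stream.

    Direction matters: in a backconnect design the infected host opens the TCP
    connection to the C2, but it is the C2 side that then speaks as the SOCKS
    client, so inspect the bytes flowing toward the infected host.
    """
    greet = parse_greeting(payload)
    req = parse_request(payload[greet["consumed"]:]) if greet else None
    if req is None:
        # A bare request such as 05 01 00 01 ... also parses as a one-method
        # greeting, so retry the whole payload as a request before deciding.
        bare = parse_request(payload)
        if bare is not None:
            return {"socks5": True, "methods": None, "request": bare}
    if greet is not None:
        return {"socks5": True, "methods": greet["methods"], "request": req}
    return {"socks5": False, "methods": None, "request": None}


def assess_flow(peer_ip: str, client_bytes: bytes, c2_ips=C2_IPS):
    """Combine protocol detection with the C2 list to produce a verdict."""
    result = classify_stream(client_bytes)
    if not result["socks5"]:
        result["verdict"] = "not_socks5"
    elif peer_ip in c2_ips:
        result["verdict"] = "socks5_with_known_c2"
    else:
        result["verdict"] = "socks5_unexpected_peer"  # suspicious on any non-proxy server
    return result


def build_connect(addr: str, port: int) -> bytes:
    """Encode a CONNECT request; used here only to construct sample streams."""
    try:
        ip = ipaddress.ip_address(addr)
        body = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    except ValueError:
        raw = addr.encode("ascii")
        body = bytes([ATYP_DOMAIN, len(raw)]) + raw
    return bytes([SOCKS_VERSION, 0x01, 0x00]) + body + struct.pack("!H", port)


# Constructed samples: (peer IP, bytes from the SOCKS-client side).
SAMPLES = {
    "relay_via_c2": ("62.60.131.191", bytes([0x05, 0x01, 0x00]) + build_connect("example.org", 443)),
    "greeting_only": ("198.51.100.7", bytes([0x05, 0x02, 0x00, 0x02])),
    "plain_http": ("198.51.100.7", b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"),
}

if __name__ == "__main__":
    for name, (peer, stream) in SAMPLES.items():
        r = assess_flow(peer, stream)
        print(f"{name:14} peer={peer:15} verdict={r['verdict']} request={r['request']}")
```

The parser is deliberately strict about the reserved byte and message lengths so that ordinary binary traffic that happens to start with 0x05 is not reported; the peer check against the C2 list is what turns a generic "SOCKS5 seen" signal into a SystemBC-specific alert.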

Global Impact

The infection distribution reveals a heavy focus on hosting infrastructure rather than residential networks:

  • United States: 4,300+ infected IPs (largest concentration)
  • Germany: 829 infected IPs
  • France: 448 infected IPs
  • Singapore: 419 infected IPs
  • India: 294 infected IPs

Top targeted ASNs include major hosting providers: Network Solutions, UnifiedLayer, Namecheap, GoDaddy, and IONOS. This concentration on hosting also explains the long infection durations: a hosting IP stays assigned to the same server far longer than a residential connection, so a compromised server keeps serving as a proxy for weeks.

Government Systems Compromised

Perhaps most concerning, Silent Push identified SystemBC infections affecting government infrastructure:

  • Vietnam: IP address 103.28.36[.]105 was found hosting the official provincial government website phutho.duchop[.]gov[.]vn
  • Burkina Faso: IP address 196.13.207[.]92 linked to multiple government domains including concours[.]gov[.]bf

Many infected IPs have also been observed conducting WordPress exploitation activity, suggesting attackers are leveraging the botnet for broader web application attacks.

New Linux Variant Evades Detection

Researchers discovered a previously undocumented SystemBC variant written in Perl and built to run on Linux systems. At the time of analysis it had zero detections across all 62 antivirus engines on VirusTotal, a reminder that signature-based detection alone is insufficient.

The associated dropper files (SafeObject and StringHash) recursively search the filesystem for a writable directory and then deploy the embedded SystemBC payloads there; the report counts 264 embedded payloads. The code contains Russian-language strings, a clue about its possible origin.

Bulletproof Hosting Infrastructure

SystemBC command-and-control servers leverage abuse-tolerant bulletproof hosting providers, specifically:

  • BTHoster (bthoster[.]com)
  • AS213790 (BTCloud)

Despite Operation Endgame’s disruption efforts, the malware’s developer “psevdo” continues posting updates on Russian-language forums, announcing Linux bot and C2 server updates and bug fixes.

Indicators of Compromise (IOCs)

SystemBC C2 IPs:

  • 36.255.98[.]159
  • 62.60.131[.]191
  • 36.255.98[.]179
  • 62.60.131[.]184
  • 36.255.98[.]152
  • 36.255.98[.]160
  • 62.60.131[.]187
  • 62.60.131[.]204
  • 62.60.131[.]180
  • 36.255.98[.]165

Malicious SHA256 Hashes:

  • SystemBC Perl: c729bf6ea292116b3477da4843aaeec73370e2bd46e7a27674671e9a65fb473a
  • SafeObject dropper: 0f5c81eaf35755a52e670c89b9546e7047828d83f346e3c29be1f6958e14a384
  • StringHash dropper: da95384032f84228ef62f982f3c0f9e574dc6b06b606db33889ea6a5f93d6ae2

Mitigation Recommendations

  1. Block known IOCs: Implement blocking for the C2 IPs and file hashes listed above
  2. Monitor hosting ASNs: Increase monitoring for traffic to/from bulletproof hosting providers
  3. Patch WordPress: infected hosts have been observed attacking WordPress installations, and the victim population is dominated by web-hosting IPs, so keep WordPress core, plugins and themes current and watch for exploitation attempts in web server logs
  4. Deploy EDR: signature-based detection missed the new Perl variant entirely, so rely on behavioural detection as well (for example, a Perl interpreter holding a long-lived outbound connection, or new executables appearing in writable directories of the kind the droppers search for)
  5. Watch for SOCKS5 traffic: a server that is not a proxy should never carry SOCKS5 handshakes, so flag long-lived outbound connections from servers to unfamiliar hosts over which proxy requests are relayed
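A way to operationalise recommendation 1 with the indicators published above, as an added example that is not Silent Push tooling: it refangs the defanged C2 addresses, sweeps log lines for those addresses and for the three SHA256 hashes, and emits a Suricata rule for the C2 list. The log lines are constructed for the demonstration (the ports and the file path are arbitrary); the IPs and hashes are the ones listed in the article.

```python
"""Sweep logs for the SystemBC IOCs published above and emit a blocking rule.

Added example, not Silent Push tooling. The log lines are constructed for
the demo (ports and paths are arbitrary); IPs and hashes are from the article.
"""
import re

C2_IPS_DEFANGED = [
    "36.255.98[.]159", "62.60.131[.]191", "36.255.98[.]179", "62.60.131[.]184",
    "36.255.98[.]152", "36.255.98[.]160", "62.60.131[.]187", "62.60.131[.]204",
    "62.60.131[.]180", "36.255.98[.]165",
]
HASHES = {  # sha256 -> label, as listed in the article
    "c729bf6ea292116b3477da4843aaeec73370e2bd46e7a27674671e9a65fb473a": "SystemBC Perl",
    "0f5c81eaf35755a52e670c89b9546e7047828d83f346e3c29be1f6958e14a384": "SafeObject dropper",
    "da95384032f84228ef62f982f3c0f9e574dc6b06b606db33889ea6a5f93d6ae2": "StringHash dropper",
}


def refang(ioc: str) -> str:
    """Undo the [.] / hxxp defanging used in published indicators."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


C2_IPS = {refang(ip) for ip in C2_IPS_DEFANGED}

# Lookarounds stop "62.60.131.1910" from matching as 62.60.131.191.
IPV4_RE = re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")
SHA256_RE = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{64}(?![0-9a-fA-F])")


def scan_log(lines):
    """Return one hit per IOC occurrence: line number, type, indicator, label."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IPV4_RE.findall(line):
            if ip in C2_IPS:
                hits.append({"line": n, "type": "c2_ip", "indicator": ip,
                             "label": "SystemBC C2"})
        for h in SHA256_RE.findall(line):
            if h.lower() in HASHES:  # hashes are often logged upper-case
                hits.append({"line": n, "type": "sha256", "indicator": h.lower(),
                             "label": HASHES[h.lower()]})
    return hits


def suricata_rule(sid: int) -> str:
    """Emit a Suricata rule alerting on any traffic to the listed C2 addresses."""
    targets = ",".join(sorted(C2_IPS))
    return (f"alert ip $HOME_NET any -> [{targets}] any "
            f'(msg:"SystemBC C2 IP (Silent Push IOC list)"; sid:{sid}; rev:1;)')


# Constructed sample: firewall and EDR lines from a hosting-provider environment.
PERL_HASH = "c729bf6ea292116b3477da4843aaeec73370e2bd46e7a27674671e9a65fb473a"
SAMPLE_LOG = [
    "2025-01-14T03:12:07Z fw=edge01 action=allow src=203.0.113.10 dst=62.60.131.191 dport=443 proto=tcp",
    "2025-01-14T03:12:09Z fw=edge01 action=allow src=203.0.113.10 dst=93.184.216.34 dport=443 proto=tcp",
    f"2025-01-14T03:15:41Z host=web02 event=file_create path=/tmp/.cache/x.pl sha256={PERL_HASH.upper()}",
    "2025-01-14T03:16:02Z fw=edge01 action=allow src=203.0.113.11 dst=36.255.98.160 dport=8080 proto=tcp",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['type']} {hit['indicator']} ({hit['label']})")
    print(suricata_rule(1000001))
```

Because the victims here are mostly hosting servers, the outbound firewall hits (lines 1 and 4 of the sample) are the more valuable signal: a web server connecting out to a listed address is almost certainly a bot checking in, whereas a file hash only fires if the exact sample from the report lands on a host.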

Why This Matters

SystemBC’s survival of Operation Endgame demonstrates the challenges law enforcement faces in permanently disrupting criminal infrastructure. The malware’s role as a ransomware precursor makes it a critical indicator—organizations detecting SystemBC activity should assume they may be in the early stages of a larger intrusion chain.

With continued development of new variants and expansion into Linux environments, SystemBC remains an active threat requiring proactive defense strategies beyond traditional signature-based detection.

SOURCE: Silent Push