
Cybercrime, ransomware actors deploy SystemBC as a backdoor

Sophos: SystemBC is being used by cybercrime and ransomware operators as an “off-the-shelf Tor backdoor”. It acts as a Tor proxy and is used for command-and-control communications, data exfiltration, and the download and execution of malicious modules.

Sophos researchers report that SystemBC is being used by ransomware operators as an “off-the-shelf Tor backdoor”. Originally a SOCKS5 proxy, it has developed into a fully fledged remote access tool that acts as a Tor proxy and is being used in ransomware-as-a-service (RaaS) attacks for command-and-control communications, data exfiltration, and the download and execution of malicious modules. The most recent samples carry code that, instead of acting essentially as a virtual private network via a SOCKS5 proxy, uses the Tor anonymizing network to encrypt and conceal the destination of command-and-control traffic. SystemBC has been used in recent Ryuk (Conti) and Egregor attacks, often in combination with post-exploitation tools such as Cobalt Strike. In some cases, the malware was deployed to servers after the attackers had obtained administrative credentials and moved deep into the targeted network.
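Because the backdoor's older mode is a plain SOCKS5 proxy, one practical network check is to recognise the SOCKS5 handshake (RFC 1928) on ports where no proxy is expected. The following is an added example written for this article, not Sophos code and not derived from SystemBC samples: it decodes a SOCKS5 client greeting and CONNECT request and classifies a captured client-to-server byte sequence. The sample payloads are constructed, and the IP address and hostname in them are placeholders.

```python
# Added example (not from the original article or from Sophos): decode a SOCKS5
# client handshake per RFC 1928 as a detection heuristic for proxy-style backdoors.
import ipaddress
import struct


def parse_socks5_greeting(data: bytes):
    """Return the auth methods offered in a SOCKS5 greeting, or None if it is not one."""
    if len(data) < 2 or data[0] != 0x05:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) < 2 + nmethods:
        return None
    return list(data[2:2 + nmethods])


def parse_socks5_connect(data: bytes):
    """Decode a SOCKS5 CONNECT request (CMD=0x01) into (host, port), or None."""
    if len(data) < 4 or data[0] != 0x05 or data[1] != 0x01 or data[2] != 0x00:
        return None
    atyp = data[3]
    if atyp == 0x01:  # IPv4 address, 4 bytes
        if len(data) < 10:
            return None
        host = str(ipaddress.IPv4Address(data[4:8]))
        port = struct.unpack("!H", data[8:10])[0]
    elif atyp == 0x03:  # domain name, length-prefixed
        length = data[4]
        if len(data) < 5 + length + 2:
            return None
        host = data[5:5 + length].decode("ascii", "replace")
        port = struct.unpack("!H", data[5 + length:7 + length])[0]
    elif atyp == 0x04:  # IPv6 address, 16 bytes
        if len(data) < 22:
            return None
        host = str(ipaddress.IPv6Address(data[4:20]))
        port = struct.unpack("!H", data[20:22])[0]
    else:
        return None
    return host, port


def classify_flow(client_payloads):
    """Classify a list of client->server payloads from one TCP session.

    Returns a dict: whether it looks like SOCKS5, the offered auth methods,
    the requested target, and whether the target is a Tor .onion name.
    """
    result = {"socks5": False, "auth_methods": None, "target": None, "onion": False}
    if not client_payloads:
        return result
    methods = parse_socks5_greeting(client_payloads[0])
    if methods is None:
        return result
    result["socks5"] = True
    result["auth_methods"] = methods
    if len(client_payloads) > 1:
        target = parse_socks5_connect(client_payloads[1])
        result["target"] = target
        if target is not None and target[0].endswith(".onion"):
            result["onion"] = True
    return result


# Constructed sample sessions (placeholder addresses, not real indicators).
HTTP_SESSION = [b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"]
SOCKS_IPV4_SESSION = [
    b"\x05\x01\x00",                                  # greeting: 1 method, no auth
    b"\x05\x01\x00\x01\xc6\x33\x64\x07\x01\xbb",      # CONNECT 198.51.100.7:443
]
SOCKS_ONION_SESSION = [
    b"\x05\x01\x00",
    b"\x05\x01\x00\x03" + bytes([len(b"example.onion")]) + b"example.onion" + b"\x00\x50",
]

if __name__ == "__main__":
    for name, flow in [("http", HTTP_SESSION), ("socks-ipv4", SOCKS_IPV4_SESSION),
                       ("socks-onion", SOCKS_ONION_SESSION)]:
        print(name, classify_flow(flow))
```

In practice you would feed reassembled client payloads from a sensor into classify_flow and alert when a SOCKS5 greeting appears on an internal host or port where no proxy service is deployed; a .onion destination is an additional Tor indicator.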
