SystemBC malware increasingly used by ransomware groups: here's why

Through the work of a cybersecurity expert known by the name REXor, it was possible to notice a considerable increase in the spread of the multifunctional malware SystemBC, also known as Coroxy or DroxiDat.

Although active since 2018, it has recently been adopted by several ransomware groups as a tool to optimize the spread of attacks. Among the collectives that have leveraged SystemBC in recent weeks and months are some prominent names, such as BlackBasta, Rhysida, ViceSociety and Hive.

To make this malware even more effective, the expert noted, it is spread in combination with CobaltStrike, using spear phishing techniques or loaders to infect victims’ devices.

The multipurpose SystemBC malware offers cybercriminals plenty of room for maneuver

Depending on the group involved, SystemBC is exploited differently. According to the data obtained so far, however, some techniques recur among cybercriminals.

Usually, an executable is used that, when started, creates a double supply of the malware on the victim’s device. The persistence of SystemBC is therefore also ensured by specific entries inserted in the system logs, which “anchor” the malicious agent to the operating system.

Other common techniques involve the use of a packer or obfuscation systems that do not include the adoption of actual loaders. Some examined samples also reveal identical copies of the malware in different folders of the computer, or the use of dynamic names for the files involved in the infection.
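Identical copies stored in different folders under changing names can be found by comparing file content instead of file names. The following Python script is an added example, not taken from the original article or from the researcher's analysis: it hashes every file that begins with the PE magic bytes and reports content present in two or more folders. The folder names, file names and file contents in the sample tree are constructed.

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path

PE_MAGIC = b"MZ"  # first two bytes of a Windows PE executable

def sha256_of(path):
    """Hash the file in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def find_scattered_copies(root):
    """Return {sha256: [paths]} for PE content present in 2+ directories."""
    by_hash = defaultdict(list)
    for path in Path(root).rglob("*"):
        try:
            if not path.is_file():
                continue
            with open(path, "rb") as f:
                if f.read(2) != PE_MAGIC:
                    continue  # judge by content: names and extensions vary
            by_hash[sha256_of(path)].append(path)
        except OSError:
            continue  # locked or unreadable file: skip it, keep scanning
    return {digest: sorted(paths) for digest, paths in by_hash.items()
            if len({p.parent for p in paths}) >= 2}

def build_constructed_tree(base):
    """Constructed sample data: identical fake PE pair plus two decoys."""
    layout = {
        "folder_a/kq3f9.exe": b"MZ" + b"\x90" * 64,
        "folder_b/svc_81a2.dat": b"MZ" + b"\x90" * 64,
        "folder_c/other.exe": b"MZ" + b"\x00" * 64,
        "folder_c/readme.txt": b"plain text",
    }
    for rel, data in layout.items():
        target = Path(base, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_tree(tmp)
        for digest, paths in find_scattered_copies(tmp).items():
            print(digest, *paths, sep="\n  ")
```

A hit is only a lead for triage: legitimate software also ships the same binary in several folders, so each reported hash still needs to be checked against known-good files.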

In fact, this multifunctional malware is proving to be a valuable weapon in the hands of ransomware groups who, through its use, seek to disorient computer defense systems and victims as well as security researchers.

