Researchers have come across a new proxy malware program that's being delivered by the RIG and Fallout exploit kits as part of a larger campaign to infect victims with malicious payloads such as the Danabot banking trojan.

Proofpoint’s Threat Insight Team began to track the malware, called SystemBC, on June 4 when it was observed being distributed via Fallout EK. Two days later, the researchers spotted more Fallout activity that resulted in the delivery of both SystemBC and the Danabot banking trojan. The then July, SystemBC was seen being distributed by the Amadey Loader, which in turn, was delivered by RIG.

SystemBC is written in C++ and primarily sets up SOCKS5 proxies on victim computers. These proxies can then be used by threat actors to tunnel or hide malicious traffic associated with other malware. The malware encrypts strings related to its C2, severs, DNS servers and port number with a 40-byte XOR key that is stored in memory.

Please register to continue.

Already registered? Log in.

Once you register, you'll receive:

  • News analysis

    The context and insight you need to stay abreast of the most important developments in cybersecurity. CISO and practitioner perspectives; strategy and tactics; solutions and innovation; policy and regulation.

  • Archives

    Unlimited access to nearly 20 years of SC Media industry analysis and news-you-can-use.

  • Daily Newswire

    SC Media’s essential morning briefing for cybersecurity professionals.

  • Learning Express

    One-click access to our extensive program of virtual events, with convenient calendar reminders and ability to earn CISSP credits.