Researchers have come across a new proxy malware program that’s being delivered by the RIG and Fallout exploit kits as part of a larger campaign to infect victims with malicious payloads such as the Danabot banking trojan.
Proofpoint’s Threat Insight Team began to track the malware, called SystemBC, on June 4 when it was observed being distributed via Fallout EK. Two days later, the researchers spotted more Fallout activity that resulted in the delivery of both SystemBC and the Danabot banking trojan. Then in July, SystemBC was seen being distributed by the Amadey Loader, which in turn was delivered by RIG.
SystemBC is written in C++ and primarily sets up SOCKS5 proxies on victim computers. These proxies can then be used by threat actors to tunnel or hide malicious traffic associated with other malware. The malware encrypts strings related to its C2 servers, DNS servers and port number with a 40-byte XOR key that is stored in memory.
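The following is an added example, not code from Proofpoint or from SystemBC itself. It shows how an analyst can recover configuration strings protected by a repeating 40-byte XOR key when the key sits in the same memory region as the encrypted data, as the article describes. The key, strings and memory layout are constructed for illustration; the field names and the assumption that the key is contiguous in memory are assumptions, not details from the report.

```python
import random
import string
from typing import Dict, Optional

KEY_LEN = 40  # key length reported for SystemBC
PRINTABLE = set(string.printable.encode()) - set(b"\x0b\x0c")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_text(buf: bytes) -> bool:
    """Scoring heuristic for a candidate key: every decrypted byte is printable."""
    return len(buf) > 0 and all(b in PRINTABLE for b in buf)


def find_xor_key(region: bytes, ciphertexts: Dict[str, bytes]) -> Optional[bytes]:
    """Slide a 40-byte window over a memory region and return the first window
    that decrypts every ciphertext to printable text; that window is the likely key."""
    for off in range(0, len(region) - KEY_LEN + 1):
        cand = region[off:off + KEY_LEN]
        if all(looks_like_text(xor_bytes(ct, cand)) for ct in ciphertexts.values()):
            return cand
    return None


def decrypt_config(ciphertexts: Dict[str, bytes], key: bytes) -> Dict[str, str]:
    """Decrypt each named field with the recovered key."""
    return {name: xor_bytes(ct, key).decode("ascii") for name, ct in ciphertexts.items()}


# Constructed sample (hypothetical): a fake memory region with the key embedded
# between random filler, plus three encrypted fields of the kind the article names.
rng = random.Random(1)
SAMPLE_KEY = bytes(rng.randrange(256) for _ in range(KEY_LEN))
PLAIN = {"c2": "c2.example.invalid", "dns": "9.9.9.9", "port": "1080"}
SAMPLE_CIPHERTEXTS = {k: xor_bytes(v.encode(), SAMPLE_KEY) for k, v in PLAIN.items()}
SAMPLE_REGION = (bytes(rng.randrange(256) for _ in range(200))
                 + SAMPLE_KEY
                 + bytes(rng.randrange(256) for _ in range(100)))

if __name__ == "__main__":
    key = find_xor_key(SAMPLE_REGION, SAMPLE_CIPHERTEXTS)
    print(decrypt_config(SAMPLE_CIPHERTEXTS, key))
```

The printable-text heuristic is strong enough here because the longest field alone rules out a random window with overwhelming probability; on a real dump you would also filter candidates by expected shapes (hostname, dotted-quad, numeric port).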
“Since this proxy malware was being used in multiple separate campaigns, Proofpoint researchers believe it was very likely that it was being sold in an underground marketplace. Moreover, we found an advertisement from April 2, 2019, on an underground forum that described a malware named ‘socks5 backconnect system,’” the team wrote.
Proofpoint’s conclusion is that the combination of SystemBC’s malicious proxy functionality with mainstream malware creates new challenges for defenders relying on network edge detections to intercept and mitigate threats like banking trojans.