Light Dark
August 6, 2019 By David Bisson 2 min read

A new proxy malware called SystemBC is using SOCKS5 proxies to mask traffic for command-and-control (C&C) infrastructure involved in banking Trojan attacks.

On June 4, Proofpoint discovered the SOCKS5 abuser while analyzing a Fallout exploit kit (EK) campaign. Researchers continued to see the Fallout EK as well as RIG EK distributing the malware over the next few weeks. In those campaigns, digital attackers paired the threat primarily with Maze ransomware and the Danabot banking Trojan. Proofpoint ultimately named the malware SystemBC based on the threat’s URI path found, as revealed in an underground marketplace advertisement.

In their analysis, the researchers found that the malware used a SOCKS5 proxy to mask traffic pertaining to C&C infrastructure that used HTTP connections for banking Trojans. This technique helped attackers shield their campaigns from detection — hence the decision to incorporate SystemBC into their attacks involving Danabot and similar threats.

Many Malware Campaigns Leverage SOCKS5 Proxies

SystemBC is only the latest malware to leverage SOCKS5 proxies to avoid detection. Back in March, for instance, Group-IB observed a similar capability in the Android Trojan Gustuff along with the ability to send SMS messages and transfer files. Soon afterward, Fortinet came across BianLian, Android malware that used a module to create a functioning SSH server on an infected device. This was around the same time that Bleeping Computer reported on eCh0raix ransomware and its use of a proxy to communicate with its C&C server.

How to Defend Against a Threat Like SystemBC

Security professionals can help defend against threats like SystemBC by prioritizing all known software vulnerabilities based on risk and creating an appropriate patching schedule. Security teams should implement these efforts within the context of a comprehensive vulnerability management program, a concerted effort that requires organizations to integrate their vulnerability management solutions with their security information and event management (SIEM), threat modeling tools and other utilities to provide a complete picture of risks.

 |  |  |  |  |  |  |  |  |  |  | 
David Bisson
Contributing Editor

More from

July 26, 2024

test img

8 min read - What is Lorem Ipsum? Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and…

July 26, 2024

img test

7 min read - test imgWhat is Lorem Ipsum? Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages,…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature