Security News > 2020 > December > Ransomware Attackers Using SystemBC Malware With RAT and Tor Proxy
Cybercriminals are increasingly outsourcing the task of deploying ransomware to affiliates using commodity malware and attack tools, according to new research.
The SystemBC RAT has since expanded the breadth of its toolset with new characteristics that allow it to use a Tor connection to encrypt and conceal the destination of C2 communications, thus providing attackers with a persistent backdoor to launch other attacks.
Researchers note that SystemBC has been used in a number of ransomware attacks - often in conjunction with other post-exploitation tools like CobaltStrike - to take advantage of its Tor proxy and remote access features to parse and execute malicious shell commands, VBS scripts, and other DLL blobs sent by the server over the anonymous connection.
It also appears that SystemBC is just one of the many commodity tools that are deployed as a consequence of initial compromise stemming from phishing emails that deliver malware loaders like Buer Loader, Zloader, and Qbot - leading the researchers to suspect that the attacks may have been launched by affiliates of the ransomware operators, or by the ransomware gangs themselves through multiple malware-as-a-service providers.
The rise of commodity malware also points to a new trend where ransomware is offered as a service to affiliates, like it's in the case of MountLocker, where the operators provide double extortion capabilities to affiliates so as to distribute the ransomware with minimal effort.