
Ransomware Gangs Use 'SystemBC' Tor Backdoor in Attacks
2020-12-18 13:31

Researchers at Sophos recently observed the operators of multiple ransomware families using a backdoor named SystemBC, which gives attackers a persistent connection to compromised devices and routes its command-and-control communications over the Tor anonymity network to hide them.

Designed with support for the execution of commands and to allow adversaries to download and execute scripts, executables, and DLLs, the backdoor is continuously evolving, with recent samples having switched from creating a SOCKS5 proxy to using the Tor network for communication purposes.

In recent months, Sophos researchers identified hundreds of attacks employing SystemBC, among them recent Ryuk and Egregor ransomware intrusions in which the backdoor was deployed alongside other post-exploitation tools, including Cobalt Strike.

The Ryuk and Egregor attacks employing SystemBC were carried out either by affiliates of the ransomware operators or by the ransomware gangs themselves, with the backdoor obtained through malware-as-a-service providers.

"SystemBC is an attractive tool in these types of operations because it allows for multiple targets to be worked at the same time with automated tasks, allowing for hands-off deployment of ransomware using Windows built-in tools if the attackers gain the proper credentials," Sophos explains.


News URL

http://feedproxy.google.com/~r/Securityweek/~3/_Mam6LDO5f4/ransomware-gangs-use-systembc-tor-backdoor-attacks

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
TOR 1 2 46 3 4 55