Windows malware uses proxies to bring in other malware

Researchers at security company Proofpoint have found new malware that targets Windows systems. The malware, called SystemBC, installs a proxy on an infected computer and tries to retrieve other malware.

SystemBC is an on-demand proxy component that other malware authors can integrate and deploy on affected computers alongside their primary malware, ZDNet reports.

The main purpose of the newly discovered malware is to set up a SOCKS5 proxy server, through which other malware can create a tunnel to bypass local firewalls and content filters. The malware can also connect to a command-and-control server via the proxy, without the real IP address being exposed.

Advertisement for sale

The researchers at Proofpoint say they found an advertisement on a hacking forum. The advertisement was for malware whose name was not given; it later turned out to be SystemBC. The advertisement appeared in April, about a month before SystemBC was first seen online in May.

The advertisement shows pictures of the SystemBC backend. The backend allows other cybercriminals to view active installations, update the malware on users' computers, or configure the IP address to which traffic from infected hosts is redirected.

Dissemination

SystemBC was initially spotted only in a few isolated campaigns. However, the researchers now state that over the past two months they have seen it distributed via exploit kits such as RIG and Fallout. Such kits exploit vulnerabilities in browsers to infect computers.

For example, the operators of the banking trojan DanaBot and the Maze ransomware turned out to have used exploit kits to infect hosts, after which SystemBC was used to hide malicious traffic via its proxy capabilities.

It is precisely because of these features that SystemBC is likely to become even more popular. Proofpoint also states that it creates new challenges for “defenders who rely on detections at the edge of the network to intercept and destroy threats such as banking trojans”.
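The SOCKS5 tunnelling described above is exactly what network-edge detection has to look for, and the handshake is a fixed, documented format (RFC 1928) rather than something specific to SystemBC. The following added example, which is not from the original article or from Proofpoint, parses SOCKS5 client greetings and CONNECT/BIND/UDP requests from the first bytes of a TCP flow and flags any host that starts a SOCKS5 handshake with a destination that is not the organisation's sanctioned proxy. The flow records, the `KNOWN_PROXIES` set and all IP addresses are constructed for the example.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# SOCKS5 constants from RFC 1928 (not SystemBC-specific).
SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

# Constructed: the organisation's one sanctioned SOCKS proxy (host, port).
KNOWN_PROXIES = {("10.0.0.5", 1080)}


@dataclass
class Socks5Request:
    command: str
    host: str
    port: int


def parse_greeting(payload: bytes) -> Optional[List[int]]:
    """Return the offered auth methods if payload is a complete SOCKS5
    client greeting (VER, NMETHODS, METHODS...), otherwise None."""
    if len(payload) < 2 or payload[0] != SOCKS_VERSION:
        return None
    n_methods = payload[1]
    if n_methods == 0 or len(payload) != 2 + n_methods:
        return None
    return list(payload[2:2 + n_methods])


def parse_request(payload: bytes) -> Optional[Socks5Request]:
    """Return the decoded request if payload is a complete SOCKS5 request
    (VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT), otherwise None."""
    if len(payload) < 4 or payload[0] != SOCKS_VERSION or payload[2] != 0x00:
        return None
    command = CMD_NAMES.get(payload[1])
    if command is None:
        return None
    atyp, body = payload[3], payload[4:]
    if atyp == ATYP_IPV4:
        if len(body) != 4 + 2:
            return None
        host, rest = str(ipaddress.IPv4Address(body[:4])), body[4:]
    elif atyp == ATYP_IPV6:
        if len(body) != 16 + 2:
            return None
        host, rest = str(ipaddress.IPv6Address(body[:16])), body[16:]
    elif atyp == ATYP_DOMAIN:
        if len(body) < 1:
            return None
        length = body[0]
        if len(body) != 1 + length + 2:
            return None
        host = body[1:1 + length].decode("ascii", errors="replace")
        rest = body[1 + length:]
    else:
        return None
    (port,) = struct.unpack("!H", rest)
    return Socks5Request(command, host, port)


Flow = Tuple[str, str, int, bytes]  # (src_ip, dst_ip, dst_port, first client bytes)


def find_unexpected_socks5(flows: List[Flow]) -> List[Tuple[str, str, int, str]]:
    """Flag flows whose first client bytes form a SOCKS5 greeting or request
    to a destination that is not a sanctioned proxy."""
    alerts = []
    for src, dst, dport, data in flows:
        if (dst, dport) in KNOWN_PROXIES:
            continue
        methods = parse_greeting(data)
        if methods is not None:
            alerts.append((src, dst, dport, f"SOCKS5 greeting, methods={methods}"))
            continue
        req = parse_request(data)
        if req is not None:
            alerts.append((src, dst, dport, f"SOCKS5 {req.command} to {req.host}:{req.port}"))
    return alerts


# Constructed sample flows: one plain HTTP request, one greeting to the
# sanctioned proxy, and a greeting plus CONNECT request to an unknown host
# on a non-standard port (the pattern a proxy-based tunnel would show).
SAMPLE_FLOWS: List[Flow] = [
    ("10.0.0.21", "93.184.216.34", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("10.0.0.21", "10.0.0.5", 1080, b"\x05\x01\x00"),
    ("10.0.0.42", "203.0.113.9", 4443, b"\x05\x02\x00\x02"),
    ("10.0.0.42", "203.0.113.9", 4443,
     b"\x05\x01\x00\x03" + bytes([11]) + b"example.net" + b"\x01\xbb"),
]

if __name__ == "__main__":
    for alert in find_unexpected_socks5(SAMPLE_FLOWS):
        print(alert)
```

The parser only accepts complete, well-formed messages, so a flow that merely starts with the byte 0x05 does not trigger by itself; in a real deployment the same logic would be applied to the first payload of each TCP session, and the `KNOWN_PROXIES` allow-list is what keeps the sanctioned proxy out of the alerts.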
