Cybercriminals are leveraging the SystemBC proxy and remote administrative tool to carry code that uses the Tor anonymizing network to encrypt and conceal the destination of command and control traffic, according to British cybersecurity company Sophos. In doing so, they can use SystemBC to initiate ransomware-as-a-service (RaaS) attacks.
SystemBC RaaS attacks involve the following steps:
- Malicious spam or phishing emails carrying Buer Loader, QBot, Bazar Loader or ZLoader (Zeus) drop backdoor for exploitation and lateral movement.
- SystemBC executes password-stealing and discovery scripts.
- SystemBC deploys PowerShell, .BAT and .CMD scripts and executables for further exploitation and deployment of ransomware.
SystemBC provides cybercriminals with “a point-and-shoot capability,” so they can remotely perform discovery, exfiltration and lateral movement with packaged scripts and executables, Sophos indicated. It also can be used in combination with Ryuk and Egregor ransomware and deployed to servers after cybercriminals have gained administrative credentials and moved deep into a targeted network.
Along with leveraging SystemBC, Sophos recently reported cybercriminals have been using Dharma ransomware in RaaS attacks.
During Dharma RaaS attacks, cybercriminals use open-source tools and freeware versions of commercial tools, Sophos said. Or, cybercriminals can leverage a menu-driven PowerShell script that installs and launches components required to spread Dharma across a victim’s network.
How to Guard Against SystemBC and Dharma RaaS Attacks
Various anti-malware tools can detect SystemBC RaaS attacks, according to Sophos. However, organizations must keep their malware protection up to date to ensure that they are well-equipped to secure their networks against SystemBC RaaS attacks.
To protect against Dharma RaaS attacks, organizations can deactivate their Internet-facing remote desktop protocol (RDP), Sophos said. They also can install security updates on their network devices regularly and back up sensitive data to offline storage devices.