SystemBC Malware Family Analysis Report

admin, 2024-01-29 22:12:22, 15 views

Cybersecurity researchers have shed light on the command-and-control (C2) server of a known malware family called SystemBC.

"SystemBC can be purchased on underground marketplaces and is supplied in an archive containing the implant, a command-and-control (C2) server, and a web administration portal written in PHP," Kroll said in an analysis published last week.

The risk and financial advisory solutions provider said it has witnessed an increase in the use of malware throughout Q2 and Q3 2023.

SystemBC, first observed in the wild in 2018, allows threat actors to remotely control a compromised host and deliver additional payloads, including trojans, Cobalt Strike, and ransomware. It also supports launching ancillary modules on the fly to extend its core functionality.

A standout aspect of the malware revolves around its use of SOCKS5 proxies to mask network traffic to and from C2 infrastructure, acting as a persistent access mechanism for post-exploitation.
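Because the implant's proxying is plain SOCKS5, a defender can spot a SOCKS5 session by its handshake shape rather than by any SystemBC-specific signature. The following is an added example (not code from the article or from Kroll): a small parser for the RFC 1928 client greeting and request messages, run over a few constructed client-to-server payloads. The flow names, addresses and bytes are all made up here for illustration.

```python
"""Flag SOCKS5 handshakes in captured client->server payloads.

Added example (not from the article or from Kroll); the packet bytes below
are constructed by hand from the RFC 1928 message layouts.
"""
import struct

SOCKS_VERSION = 0x05
CMDS = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP ASSOCIATE"}
ATYPS = {0x01: "IPv4", 0x03: "DOMAIN", 0x04: "IPv6"}


def parse_greeting(payload: bytes):
    """Client greeting: VER NMETHODS METHODS[NMETHODS]. Return the method list or None."""
    if len(payload) < 2 or payload[0] != SOCKS_VERSION:
        return None
    n = payload[1]
    if n == 0 or len(payload) != 2 + n:
        return None
    return list(payload[2:])


def parse_request(payload: bytes):
    """Client request: VER CMD RSV ATYP DST.ADDR DST.PORT. Return a dict or None."""
    if len(payload) < 4 or payload[0] != SOCKS_VERSION or payload[2] != 0x00:
        return None
    cmd, atyp = payload[1], payload[3]
    if cmd not in CMDS or atyp not in ATYPS:
        return None
    off = 4
    if atyp == 0x01:                       # IPv4: 4 octets
        addr_len = 4
        host = ".".join(str(b) for b in payload[off:off + 4])
    elif atyp == 0x04:                     # IPv6: 16 octets, shown as hex
        addr_len = 16
        host = payload[off:off + 16].hex()
    else:                                  # domain: 1 length byte + name
        if len(payload) <= off:
            return None
        addr_len = 1 + payload[off]
        host = payload[off + 1:off + addr_len].decode("ascii", "replace")
    off += addr_len
    if len(payload) != off + 2:            # exactly DST.PORT must remain
        return None
    port = struct.unpack("!H", payload[off:off + 2])[0]
    return {"cmd": CMDS[cmd], "atyp": ATYPS[atyp], "host": host, "port": port}


def classify_flow(payloads):
    """payloads: the first client->server segments of one TCP flow, in order.
    Returns ("socks5", request) when a greeting is followed by a valid request,
    ("socks5-greeting-only", None) when only the greeting matches, else ("other", None)."""
    if not payloads or parse_greeting(payloads[0]) is None:
        return ("other", None)
    for p in payloads[1:]:
        req = parse_request(p)
        if req is not None:
            return ("socks5", req)
    return ("socks5-greeting-only", None)


# Constructed flows (not captures of real SystemBC traffic).
SAMPLE_FLOWS = {
    "flow-A": [b"\x05\x01\x00",
               b"\x05\x01\x00\x01" + bytes([10, 0, 0, 5]) + struct.pack("!H", 443)],
    "flow-B": [b"\x05\x02\x00\x02",
               b"\x05\x01\x00\x03" + bytes([11]) + b"example.com" + struct.pack("!H", 80)],
    "flow-C": [b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"],
    "flow-D": [b"\x05\x01\x00", b"\x05\x09\x00\x01\x0a\x00\x00\x05\x01\xbb"],  # invalid CMD
}


def scan(flows=SAMPLE_FLOWS):
    """Return {flow_name: (verdict, parsed_request_or_None)} for every flow."""
    return {name: classify_flow(p) for name, p in flows.items()}


if __name__ == "__main__":
    for name, (verdict, req) in scan().items():
        extra = f" -> {req['cmd']} {req['host']}:{req['port']}" if req else ""
        print(f"{name}: {verdict}{extra}")
```

In practice the interesting finding is not the SOCKS5 handshake itself but where it appears: a workstation that suddenly accepts SOCKS5 greetings, or a host whose outbound SOCKS5 CONNECT destinations are internal addresses, is worth a closer look.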

Customers who end up purchasing SystemBC are provided with an installation package that includes the implant executable, Windows and Linux binaries for the C2 server, and a PHP file for rendering the C2 panel interface, alongside instructions in English and Russian that detail the steps and commands to run.

The C2 server executables ("server.exe" for Windows and "server.out" for Linux) open at least three TCP ports: one for C2 traffic, one for inter-process communication (IPC) between the server and the PHP-based panel interface (typically port 4000), and one for each active implant (aka bot).

The server component also makes use of three other files to record information regarding the interaction of the implant as a proxy and a loader, as well as details pertaining to the victims.

The PHP-based panel, on the other hand, is minimalist in nature and displays a list of active implants at any given point of time. Furthermore, it acts as a conduit to run shellcode and arbitrary files on a victim machine.

"The shellcode functionality is not only limited to a reverse shell, but also has full remote capabilities that can be injected into the implant at runtime, while being less obvious than spawning cmd.exe for a reverse shell," Kroll researchers said.

The development comes as the company also shared an analysis of an updated version of DarkGate (version 5.2.3), a remote access trojan (RAT) that enables attackers to fully compromise victim systems, siphon sensitive data, and distribute more malware.

"The version of DarkGate that was analyzed shuffles the Base64 alphabet in use at the initialization of the program," security researcher Sean Straw said. "DarkGate swaps the last character with a random character before it, moving from back to front in the alphabet."

Kroll said it identified a weakness in this custom Base64 alphabet that makes it trivial to decode the on-disk configuration and keylogging outputs, which are encoded using the alphabet and stored within an exfiltration folder on the system.
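A custom Base64 alphabet is only a substitution on the 64 symbols, so once an analyst knows (or recovers) the alphabet, decoding is a character translation followed by a stock Base64 decode. The block below is an added example, not Kroll's tooling and not DarkGate code: it builds a shuffled alphabet the way the article describes (swap the last symbol with a random earlier one, moving from back to front), and then shows the forensic side of the story with a generic known-plaintext recovery of the alphabet. That recovery is a standard approach and is not the specific weakness Kroll found; the seed, the sample "config" and the assumption that the '=' padding symbol is left untouched are all constructed here.

```python
"""Decode data encoded with a shuffled Base64 alphabet.

Added example (not Kroll's tooling and not DarkGate code). The shuffle follows
the article's description; the seed, the sample config and the assumption that
'=' padding is left untouched are constructed for this illustration.
"""
import base64
import random
import string

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def shuffle_alphabet(seed: int) -> str:
    """Walk the alphabet from the back, swapping each position with a random
    earlier one. The seed is an assumption standing in for whatever source of
    randomness the malware actually uses."""
    rng = random.Random(seed)
    chars = list(STD_ALPHABET)
    for i in range(len(chars) - 1, 0, -1):
        j = rng.randrange(i)          # 0 <= j < i, i.e. a character before i
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def custom_b64encode(data: bytes, alphabet: str) -> str:
    """Standard Base64, then substitute each symbol with its custom counterpart."""
    std = base64.b64encode(data).decode("ascii")
    return std.translate(str.maketrans(STD_ALPHABET, alphabet))


def custom_b64decode(text: str, alphabet: str) -> bytes:
    """Map custom symbols back onto the standard alphabet, then use the stock decoder."""
    std = text.translate(str.maketrans(alphabet, STD_ALPHABET))
    return base64.b64decode(std, validate=True)


def recover_alphabet(known_plain: bytes, observed: str) -> str:
    """Known-plaintext recovery of the whole custom alphabet: position by position,
    the standard encoding of known_plain says which custom symbol replaced which
    standard one. Raises if the sample is inconsistent or leaves symbols unseen."""
    std = base64.b64encode(known_plain).decode("ascii")
    if len(std) != len(observed):
        raise ValueError("length mismatch: different plaintext or not plain Base64")
    std_to_custom = {}
    for s, o in zip(std, observed):
        if s == "=":
            if o != "=":
                raise ValueError("padding symbol differs; assumption violated")
            continue
        if std_to_custom.setdefault(s, o) != o:
            raise ValueError("inconsistent mapping: not a simple substitution")
    if len(std_to_custom) != 64 or len(set(std_to_custom.values())) != 64:
        raise ValueError(f"only {len(std_to_custom)} of 64 symbols observed")
    return "".join(std_to_custom[c] for c in STD_ALPHABET)


# --- constructed forensic scenario -------------------------------------------
TRUE_ALPHABET = shuffle_alphabet(20240129)       # "unknown" to the analyst
# bytes 0..255 exercise every 6-bit value, standing in for any artifact whose
# plaintext the analyst already knows.
KNOWN_PLAIN = bytes(range(256))
CONFIG_PLAIN = b"c2=c2.example.invalid:443;keylog=1;exfil=out"   # constructed
ON_DISK = {
    "known.bin": custom_b64encode(KNOWN_PLAIN, TRUE_ALPHABET),
    "config.bin": custom_b64encode(CONFIG_PLAIN, TRUE_ALPHABET),
}


def decode_artifacts(artifacts=ON_DISK):
    """Recover the alphabet from the known sample, then decode every artifact."""
    alphabet = recover_alphabet(KNOWN_PLAIN, artifacts["known.bin"])
    return {name: custom_b64decode(blob, alphabet) for name, blob in artifacts.items()}


if __name__ == "__main__":
    for name, plain in decode_artifacts().items():
        print(f"{name}: {plain[:48]!r}")
```

The point for an analyst is the shape of the problem: a shuffled alphabet changes which symbol stands for which 6-bit value, nothing more, so any fixed structure in the plaintext (a known header, a predictable configuration key, repeated padding) leaks the substitution. Where no known plaintext is available, the same translate-then-decode step still applies once the alphabet has been pulled from the sample itself.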

"This analysis enables forensic analysts to decode the configuration and keylogger files without needing to first determine the hardware ID," Straw said. "The keylogger output files contain keystrokes stolen by DarkGate, which can include typed passwords, composed emails and other sensitive information."

Originally published by the WeChat public account 知机安全: SystemBC Malware Family Analysis Report

Reposted from CN-SEC: http://cn-sec.com/archives/2433261.html