_Overview

SystemBC, also known as Coroxy or DroxiDat, is malware variously categorized as a proxy, a bot, a backdoor, and even a RAT, since how it is used depends on the attacker, which makes it a versatile tool for threat actors. Active since 2018, it has gained significant popularity and found a warm reception in underground markets, where it can be purchased, and interest in it has not waned: incidents involving it are recorded every year.

Coroxy achieves execution on target systems through various methods, depending on the group using it. Recorded attacks have involved reconnaissance phases, lateral movement, and the deployment of SystemBC, often alongside Cobalt Strike. In other cases it has been used in spear-phishing campaigns, delivered and installed on the victim's system via loaders or other malware. While the delivery methodology has evolved, the core functionality remains consistent: in most versions, SystemBC gathers system and user information, establishes persistence, and then opens a SOCKS5 connection to the command and control (C&C) server, transmits basic host information, and waits for commands or for the attacker to launch additional malware. This gives the attacker a backdoor that they can operate from their own infrastructure.

As mentioned earlier, numerous groups have been associated with the use of SystemBC over the years. These groups, with many linked to ransomware activities, include:

  • ViceSociety
  • Rhysida
  • GoldDupont
  • FIN12
  • 8BASE
  • PLAY
  • Hive
  • BlackBasta
  • TropicalScorpius (CUBA)
  • RiddleSpider (Avaddon)
  • WizardSpider (Conti, Ryuk)
  • Egregor
  • DarkSide
  • Maze Team (Maze & IcedID)

_Technical Analysis

As previously mentioned, access to the infrastructure and the subsequent use of SystemBC will significantly vary depending on the attacker. Nevertheless, a vast number of samples have been studied, and despite many differences among them, the core functionality remains consistent.

Hence, an illustrative diagram of how it operates, based on the research conducted, is provided in the figure.


As mentioned, an extensive analysis of multiple samples has been conducted, and you can find the full report below. However, for those who may not have the time (or inclination) to read 50 pages, the following summary might be helpful.

In the initial execution of one of the samples, what is typically found is the establishment of persistence, either through scheduled tasks or through more noticeable registry keys, along with the creation of a duplicate of the same SystemBC binary.


It’s worth noting that some samples, when not accompanied by a loader or another malware that downloads them, might employ a packer or require runtime deobfuscation or extraction. For instance, I encountered a few samples that I had to extract from memory to obtain the SystemBC.


Continuing the discussion, when comparing the file launched from the temporary folder, it's easy to see that it is an identical copy, which confirms that the malware duplicates itself. The downside is that the filename is generated dynamically and doesn't follow any easily detectable pattern.


To begin with, Coroxy exhibits mutex control in all the samples I've examined: it checks whether the mutex already exists to ensure it does not run more than once, and proceeds to launch only if it does not. Depending on the sample, it either generates a random string for this purpose or, quite intriguingly, deobfuscates (typically using XOR) a domain, which it later uses as the mutex name. This adds an element of complexity.
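The XOR-deobfuscated domain doubles as the mutex name, so recovering it from a sample gives an analyst both a network indicator and a host indicator at once. The following is an added example (not code from the original report or from the malware author) of how an analyst recovers such a string: it brute-forces every single-byte XOR key over a constructed, clearly fake blob and keeps only the decodings that look like a hostname. The single-byte key length, the placeholder domain `c2-placeholder.example`, and the key value `0x5A` are all assumptions made for illustration; the real samples' key layout is documented in the full report below, not here.

```python
import re

# Constructed sample input (not from a real SystemBC sample): a reserved
# placeholder domain XOR-encoded with an assumed single-byte key.
_SAMPLE_KEY = 0x5A
ENCODED_BLOB = bytes(b ^ _SAMPLE_KEY for b in b"c2-placeholder.example")

# A decoding only counts if the whole string is a plausible lowercase hostname:
# labels of letters, digits and hyphens, with at least one dot.
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


def xor_decode(blob: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key to every byte of the blob."""
    return bytes(b ^ key for b in blob)


def recover_xor_domains(blob: bytes) -> list[tuple[int, str]]:
    """Try all 256 single-byte keys and return (key, text) pairs that decode
    to a hostname-shaped string. Non-ASCII bytes become U+FFFD and fail the
    regex, so garbage decodings are discarded automatically."""
    candidates = []
    for key in range(256):
        text = xor_decode(blob, key).decode("ascii", errors="replace")
        if DOMAIN_RE.fullmatch(text):
            candidates.append((key, text))
    return candidates


if __name__ == "__main__":
    for key, domain in recover_xor_domains(ENCODED_BLOB):
        # The recovered string is both the C&C hostname and the mutex name,
        # so it feeds a DNS watchlist and a mutex hunt at the same time.
        print(f"key=0x{key:02x} domain={domain}")
```

Because a wrong key almost never yields a string made entirely of hostname characters, the hostname filter is enough to isolate the real key without any knowledge of the sample; for multi-byte keys the same idea applies per key position, with the plaintext constraint checked per column.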


Depending on the sample, you'll observe how it establishes persistence. This is achieved either through scheduled task (.job) creation or through a registry Run entry, usually one that executes a PowerShell command to launch the SystemBC sample.

  • TASK


  • Registry


As I mentioned earlier, it is common in some versions for SystemBC to launch a copy of itself, as some of the initial graphs indicated, from paths such as ProgramData, Roaming, or Temp.


SystemBC is also known for detecting a2guard and being aware of its presence on the system. This is a useful anti-analysis technique for identifying antivirus programs or other software that might interfere with its communication or operation. To do this, it takes a snapshot of all processes and iterates through them using Process32First and Process32Next, searching for this binary or others.


At this stage, SystemBC has established persistence and gained visibility into the running processes; as it progresses, it gathers information about the system, while also deobfuscating and decrypting the network data it will use for its later connections.


Once it has determined where to connect, it only has to establish the connection. Typically, it loops, attempting to reach the server and port identified earlier. This function varies slightly across versions, but the fundamental behavior is the same.


_Intelligence

From the analysis of the various samples, although only a selection is presented in this document, every address found was collected in order to discover further infrastructure that threat actors may have used for SystemBC or for other malware associated with it. This analysis also considers the level of engagement, usage patterns, and presence in underground markets.

The primary focus was on assessing whether the interest and usage of Coroxy remained relevant. Numerous forum threads were identified where discussions and interactions related to this malware were ongoing.


Moreover, there are users inquiring about specific updates and discussing the developer of SystemBC.


Infrastructure has been identified where it is possible to purchase access to the operating system for roughly $300 to $350, which must be paid to a cryptocurrency wallet. These wallets are highly active, receiving daily payments at the various addresses they provide.


Subsequently, an attempt was made to pivot on as many indicators as discovered during the analysis of all the samples, with the aim of locating more infrastructure. Given this malware’s background and its common use by loaders or in intermediate attack stages, it was expected that infrastructure related to other malware would also be found during the investigation. (I’ve gained significant knowledge in these techniques by following the work of individuals like @MichalKoczwara, @TLP_R3D, and @josh_penny, and I’m grateful for their contributions. I recommend following them as well :) )


Whenever I extract IP addresses and domains, I like to feed them into VirusTotal afterwards to determine whether there is any connection between them. As you know, such a connection doesn't necessarily imply a direct relationship, as many hosts are used by different groups and various types of malware. However, SystemBC is associated with a wide range of loaders and malware, which contributes to the interconnectedness. An example of this complexity can be seen in the following diagram.



_Report

[PDF viewer: the full report is embedded here]



_Detection Opportunities

  • [TA0002][T1564.003] Execution of hidden PowerShell
    (Process) powershell.exe > (Command) *-windowstyle hidden -Command "&* > (ChildPath) *ProgramData*|*AppData*<RandName>.exe
  • [TA0003][T1547.001] Persistence using a socks5 value in the registry
    (Registry) HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RUN > (ValueName) socks5 > (ValueData) powershell*-windowstyle hidden*-Command*
  • [TA0003][T1053] Persistence through tasks that run the binary with a start argument
    (Process) taskeng.exe > (Path) *ProgramData* | *AppData* > (Command) *ProgramData*|*AppData*\<Randname>.exe start{Number}|start
  • [TA0003][T1053] Persistence by creating tasks with a random name
    (File) <RandName>.job > (Path) *\Windows\Tasks\<RandName>.job
  • [TA0005][T1070.004] Self-delete routine to evade file detection
    (Command) cmd.exe*/C*ping*{IP}*-n*{Number}*-w*{Number}*>*Null & Del*
  • [TA0011][T1090] Outbound connection from a file in a temporary path
    (Path) *ProgramData* | *AppData* > (NetConnection) Public IP {Non common country|Direction}
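The pseudo-rules above map directly onto telemetry a SOC already collects (process creation, registry writes, file creation, network connections). The block below is an added example, not part of the original report, that turns each opportunity into a regex-based check and runs it over a handful of constructed events. The event schema (`type`, `image`, `cmdline`, `key`, `value_name`, `value_data`, `path`, `dst_ip`) is an assumed generic EDR layout, the file names and the benign PowerShell line are invented, and the network rule matches against the high-confidence IPs from the IOC section below, refanged for comparison.

```python
import re

# High-confidence C&C addresses from the report's IOC section (defanged there);
# refanged here so they can be compared against telemetry.
DEFANGED_C2_IPS = ["91[.]191[.]209[.]110", "5[.]42[.]65[.]67", "45[.]15[.]158[.]40"]
KNOWN_C2_IPS = {ip.replace("[.]", ".") for ip in DEFANGED_C2_IPS}

# Patterns derived from the detection opportunities above.
HIDDEN_PS = re.compile(r'-windowstyle\s+hidden\s+-Command\s+"?&', re.I)   # hidden window + "& <path>"
TEMP_EXE = re.compile(r'''(ProgramData|AppData)[^"']*\.exe''', re.I)       # dropped copy in a temp path
RUNKEY = re.compile(r"\\CurrentVersion\\Run$", re.I)                       # HKCU ...\Run
PS_HIDDEN_DATA = re.compile(r"powershell.*-windowstyle\s+hidden.*-Command", re.I)
PING_DEL = re.compile(r"cmd\.exe\s+/C\s+ping\s+\S+\s+-n\s+\d+\s+-w\s+\d+\s*>\s*Nul\s*&\s*Del\b", re.I)
TASK_JOB = re.compile(r"\\Windows\\Tasks\\[^\\]+\.job$", re.I)
TEMP_PATH = re.compile(r"\\(ProgramData|AppData)\\", re.I)


def match_rules(event: dict) -> list[str]:
    """Return the technique IDs from the detection list that one event matches."""
    hits = []
    kind = event.get("type")
    if kind == "process":
        cmd = event.get("cmdline", "")
        image = event.get("image", "").lower()
        if image.endswith("powershell.exe") and HIDDEN_PS.search(cmd) and TEMP_EXE.search(cmd):
            hits.append("T1564.003")   # hidden PowerShell launching a temp-path binary
        if image.endswith("cmd.exe") and PING_DEL.search(cmd):
            hits.append("T1070.004")   # ping-as-sleep followed by Del (self-delete)
    elif kind == "registry":
        if (RUNKEY.search(event.get("key", ""))
                and event.get("value_name", "").lower() == "socks5"
                and PS_HIDDEN_DATA.search(event.get("value_data", ""))):
            hits.append("T1547.001")   # Run key named socks5 with hidden PowerShell
    elif kind == "file":
        if TASK_JOB.search(event.get("path", "")):
            hits.append("T1053")       # random-named .job under \Windows\Tasks
    elif kind == "netconn":
        if TEMP_PATH.search(event.get("image", "")) and event.get("dst_ip") in KNOWN_C2_IPS:
            hits.append("T1090")       # temp-path binary talking to a known C&C
    return hits


def detect_all(events: list[dict]) -> list[tuple[int, str]]:
    """Run every rule over every event; returns (event index, technique ID) pairs."""
    return [(i, tid) for i, ev in enumerate(events) for tid in match_rules(ev)]


# Constructed sample telemetry (not from a real incident); the last event is a
# benign scheduled script and must not fire.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -windowstyle hidden -Command "& C:\ProgramData\fhqz1k.exe"'},
    {"type": "registry", "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "socks5",
     "value_data": r'powershell -windowstyle hidden -Command "& C:\ProgramData\fhqz1k.exe"'},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /C ping 127.0.0.1 -n 3 -w 3000 > Nul & Del C:\Users\u\AppData\Local\Temp\ab12.exe"},
    {"type": "file", "path": r"C:\Windows\Tasks\kd83jf.job"},
    {"type": "netconn", "image": r"C:\ProgramData\fhqz1k.exe", "dst_ip": "91.191.209.110"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for index, technique in detect_all(SAMPLE_EVENTS):
        print(f"event {index}: {technique}")
```

The process-level rules are the noisiest in practice (administrators do run hidden PowerShell), so the value comes from correlating them on one host: a hidden PowerShell launch of a ProgramData or AppData binary, followed by a `socks5` Run value and an outbound connection from that same binary, is a far stronger signal than any single line.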



_IOC

Hash:
c96f8d4d1ee675c3cd1b1cf2670bb9bc2379a6b66f3029b2ffcfdd67c612c499
6f78256f20eb2b5594391095a341f8749395e7566fdd2ddd3a34a0db9bb9f871
E81eb1aa5f7cc18edfc067fc6f3966c1ed561887910693fa88679d9b43258133
97ebef56e3fa3642d0395c00c25975e586089d26632e65422099a5107d375993
ef71c960107ba5034c2989fd778e3fd72d4cdc044763aef2b4ce541a62c3466c
6E57D1FC4D14E7E7C2216085E41C393C9F117B0B5F8CE639AC78795D18DBA730
6b56f6f96b33d0acefd9488561ce4c0b4a1684daf5dde9cc81e56403871939c4
F0073027076729CE94BD028E8F50F5CCB1F0184C91680E572580DB0110C87A82
3d1d747d644420a2bdc07207b29a0509531e22eb0b1eedcd052f85085bef6865
c68035aabbe9b80ace209290aa28b8108cbb03a9d6a6301eb9a8d638db024ad0
c926338972be5bdfdd89574f3dc2fe4d4f70fd4e24c1c6ac5d2439c7fcc50db5
 
Domain:
payload[.]su
mxstat215dm[.]xyz
mxstex725dm[.]xyz
zl0yy[.]ru
r0ck3t[.]ru
 
IP (High confidence):
91[.]191[.]209[.]110
5[.]42[.]65[.]67
45[.]15[.]158[.]40
 
IP (Mid-Low confidence):
178[.]236[.]246[.]117
185[.]174[.]136[.]148
45[.]142[.]122[.]179
178[.]236[.]247[.]39
45[.]142[.]122[.]105
185[.]112[.]83[.]129
185[.]112[.]83[.]164
185[.]112[.]83[.]172
185[.]112[.]83[.]59
5[.]42[.]65[.]67
78[.]153[.]130[.]166
45[.]142[.]122[.]215
91[.]191[.]209[.]110
5[.]188[.]206[.]246