The operators of the SystemBC proxy botnet are hunting for vulnerable commercial virtual private servers (VPS) and maintain an average of 1,500 bots every day that provide a highway for malicious traffic.
Compromised servers are located all over the world and each has at least one unpatched critical vulnerability, with some of them plagued by tens of security issues.
SystemBC has been around since at least 2019 and has been used by various threat actors, including several ransomware gangs, to deliver payloads.
It lets attackers route malicious traffic through the infected host and hide command-and-control (C2) activity to make detection more difficult.
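The relay behaviour described above has a measurable footprint on the victim host: many unrelated outside clients connect to it, and for each of them the host opens a fresh outbound connection to yet another destination. The following added example (not code from the article or from Black Lotus Labs) shows a defender-side check over constructed flow records for two hypothetical hosts, 10.0.0.5 (relaying) and 10.0.0.9 (an ordinary web server). The addresses, ports and thresholds are assumptions for illustration, not SystemBC's real values.

```python
from collections import defaultdict

# Constructed flow records: (timestamp, src_ip, src_port, dst_ip, dst_port).
# The addresses, ports and timings are made up for the example.
def build_sample_flows():
    flows = []
    t = 1_700_000_100
    # Relay candidate 10.0.0.5: 12 distinct outside clients connect to a
    # hypothetical listener on port 4444, and shortly after each arrival the
    # host opens an outbound connection to a different destination.
    for i in range(12):
        flows.append((t + i, f"203.0.113.{i + 1}", 50000 + i, "10.0.0.5", 4444))
        flows.append((t + i + 1, "10.0.0.5", 40000 + i, f"198.51.100.{i + 1}", 443))
    # Benign web server 10.0.0.9: many inbound clients, but its only outbound
    # connections go to a single database host.
    for i in range(12):
        flows.append((t + i, f"203.0.113.{i + 50}", 51000 + i, "10.0.0.9", 443))
        flows.append((t + i + 1, "10.0.0.9", 41000 + i, "10.0.0.20", 5432))
    return flows


SAMPLE_FLOWS = build_sample_flows()


def relay_stats(flows, host, window=300):
    """Per time window, count distinct inbound peers and distinct outbound
    destinations for `host`. Returns {bucket: (in_peers, out_dests)}."""
    buckets = defaultdict(lambda: {"in_peers": set(), "out_dests": set()})
    for ts, src, _sport, dst, _dport in flows:
        bucket = buckets[ts // window]
        if dst == host and src != host:
            bucket["in_peers"].add(src)
        elif src == host:
            bucket["out_dests"].add(dst)
    return {k: (len(v["in_peers"]), len(v["out_dests"])) for k, v in buckets.items()}


def is_relay_candidate(flows, host, window=300, min_peers=10, min_dests=10, ratio=0.5):
    """A host is flagged when, within one window, it has both many distinct
    inbound peers and a comparable number of distinct outbound destinations.
    A normal server has the first property but not the second."""
    for in_peers, out_dests in relay_stats(flows, host, window).values():
        if in_peers >= min_peers and out_dests >= min_dests and out_dests / in_peers >= ratio:
            return True
    return False


if __name__ == "__main__":
    for h in ("10.0.0.5", "10.0.0.9"):
        print(h, relay_stats(SAMPLE_FLOWS, h), "relay?", is_relay_candidate(SAMPLE_FLOWS, h))
```

The check deliberately keys on the fan-in/fan-out pairing rather than on any fixed port or address, since the article notes the bots' addresses are not rotated or obfuscated but says nothing about the ports in use; on real NetFlow or firewall logs the thresholds need tuning per host role, and a flagged VPS is a candidate for triage, not a verdict.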
SystemBC’s customers
According to researchers at Lumen Technologies’ Black Lotus Labs, the SystemBC proxy network is built for volume with little concern for stealth. It also powers other criminal proxy networks and has “extremely long average infection lifetimes.”
Based on the researchers’ findings, neither customers nor operators of SystemBC care about keeping a low profile, since the bots’ IP addresses are not protected in any way (e.g. through obfuscation or rotation).
SystemBC has more than 80 C2 servers, which connect clients to an infected proxy server, and it fuels other proxy network services.
One malicious service called REM Proxy relies on around 80% of SystemBC’s bots, providing tiered services to its customers, depending on the required proxy quality.
A large Russian web-scraping service is another significant SystemBC customer, along with a Vietnam-based proxy network called VN5Socks or Shopsocks5.