
SystemBC Powers REM Proxy With 1,500 Daily VPS Victims Across 80 C2 Servers

By The Hacker News
September 19, 2025


Sep 19, 2025Ravie LakshmananBotnet / Network Security

A proxy network known as REM Proxy is powered by malware known as SystemBC, offering about 80% of the botnet to its users, according to new findings from the Black Lotus Labs team at Lumen Technologies.

“REM Proxy is a sizeable network, which also markets a pool of 20,000 Mikrotik routers and a variety of open proxies it finds freely available online,” the company said in a report shared with The Hacker News. “This service has been a favorite for several actors such as those behind TransferLoader, which has ties to the Morpheus ransomware group.”

SystemBC is a C-based malware that turns infected computers into SOCKS5 proxies, allowing infected hosts to communicate with a command-and-control (C2) server and download additional payloads. First documented by Proofpoint in 2019, it’s capable of targeting both Windows and Linux systems.

In a report published earlier this January, ANY.RUN revealed that the Linux variant of the SystemBC proxy implant is potentially designed for internal corporate services, and that it's mainly used to target corporate networks, cloud servers, and IoT devices.


As is typically the case with any proxy solution, users of the network reach out to SystemBC C2s on high-numbered ports, which then route the user through to one of the victims before reaching their destination.

According to Lumen, the SystemBC botnet comprises over 80 C2 servers and a daily average of 1,500 victims, of which nearly 80% are compromised virtual private server (VPS) systems from several large commercial providers. Interestingly, 300 of those victims are part of another botnet called GoBruteforcer (aka GoBrut).

Of these, close to 40% of the compromises have “extremely long average” infection lifespans, lasting over 31 days. To make matters worse, the vast majority of the victimized servers have been found to be susceptible to several known security flaws. Each victim has 20 unpatched CVEs and at least one critical CVE on average, with one of the identified VPS servers in the U.S. city of Atlanta vulnerable to more than 160 unpatched CVEs.

“The victims are made into proxies that enable high volumes of malicious traffic for use by a host of criminal threat groups,” the company noted. “By manipulating VPS systems instead of devices in residential IP space, as is typical in malware-based proxy networks, SystemBC can offer proxies with massive amounts of volume for longer periods of time.”

Besides REM Proxy, other customers of SystemBC include at least two different Russia-based proxy services, one Vietnamese proxy service called VN5Socks (aka Shopsocks5), and a Russian web scraping service.

Crucial to the functioning of the malware is the IP address 104.250.164[.]214, which not only hosts the artifacts but also appears to be the source of attacks to recruit potential victims. Once new victims are ensnared, a shell script is dropped on the machine to subsequently deliver the malware.
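Because the same address is reported as both the source of recruitment attempts and the host of the artifacts, a server that was contacted by it and later connected back to it deserves priority triage. The following is an added example, not code from the article or from Lumen's report; the flow-record format, the 10.0.0.0/24 monitored range, the ports and the verdict labels are all assumptions.

```python
import csv
import io
import ipaddress

IOC_DEFANGED = "104.250.164[.]214"  # indicator as printed in the article

def refang(indicator):
    """Turn a defanged indicator into an ipaddress object for matching."""
    return ipaddress.ip_address(indicator.replace("[.]", "."))

# Constructed flow records (timestamp, src, dst, dst_port); not real telemetry.
SAMPLE_FLOWS = """\
2025-09-19T10:00:01Z,IOC,10.0.0.5,22
2025-09-19T10:03:40Z,10.0.0.5,IOC,80
2025-09-19T10:05:12Z,IOC,10.0.0.7,22
2025-09-19T10:06:00Z,10.0.0.9,198.51.100.20,443
2025-09-19T10:07:30Z,10.0.0.8,IOC,80
""".replace("IOC", str(refang(IOC_DEFANGED)))

def triage(flow_csv, ioc=IOC_DEFANGED, local_net="10.0.0.0/24"):
    """Label each monitored host by how it interacted with the indicator."""
    ioc_ip = refang(ioc)
    net = ipaddress.ip_network(local_net)  # assumed monitored range
    inbound = {}   # host -> earliest inbound connection from the indicator
    outbound = {}  # host -> timestamps of connections to the indicator
    for row in csv.reader(io.StringIO(flow_csv)):
        if len(row) != 4:
            continue  # skip blank or malformed records
        ts, src, dst, _port = row
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip == ioc_ip and dst_ip in net:
            inbound[dst] = min(ts, inbound.get(dst, ts))
        elif dst_ip == ioc_ip and src_ip in net:
            outbound.setdefault(src, []).append(ts)
    verdicts = {}
    for host in sorted(set(inbound) | set(outbound)):
        seen = inbound.get(host)
        # ISO 8601 UTC timestamps in one format compare chronologically.
        later = [t for t in outbound.get(host, []) if seen and t > seen]
        if later:
            verdicts[host] = "probed-then-contacted"  # highest priority
        elif host in outbound:
            verdicts[host] = "contacted-only"
        else:
            verdicts[host] = "probed-only"
    return verdicts

if __name__ == "__main__":
    print(triage(SAMPLE_FLOWS))
```
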

The botnet operates with little regard for stealth, with the primary goal being to expand in volume to enlist as many devices as possible into the botnet. One of the largest use cases of the illicit network is by the threat actors behind SystemBC themselves, who use it to brute-force WordPress site credentials.


The end goal is likely to sell the harvested credentials to other criminal actors in underground forums, who then weaponize them to inject malicious code into the sites in question for follow-on campaigns.

“SystemBC has exhibited sustained activity and operational resilience across multiple years, establishing itself as a persistent vector within the cyber threat landscape,” Lumen said. “Originally used by threat actors to enable ransomware campaigns, the platform has evolved to offer the assembly and sale of bespoke botnets.”

“Their model offers considerable advantages: it enables the execution of widespread reconnaissance, spam dissemination, and related activities, allowing an attacker to reserve more selective proxy resources for targeted attacks informed by prior intelligence gathering.”


