Windows malware uses proxies to bring in other malware

Researchers at security company Proofpoint have found new malware that focuses on Windows systems. The so-called SystemBC installs a proxy on an infected computer and tries to get other malware.

SystemBC is an on-demand proxy component that other malware creators can integrate and deploy on affected computers, in addition to their primary malware, writes ZDNet.

The main purpose of the now discovered malware is to set up a SOCKS5 proxy server, where other malware can create a tunnel to bypass local firewalls and content filters. It can also connect to a command-and-control server via the proxy, without knowing the actual IP address.

Advertisement for sale

The researchers at Proofpoint say they found an advertisement on a hacking forum. The ad was for malware of which the name was not mentioned. Later it turned out to be SystemBC. The advertisement appeared in April, about a month before the SystemBC was first seen online in May.

The ad shows pictures of the SystemBC backend. It allows other cybercriminals to enter active installations, update the malware on users’ computers, or configure the IP from which the traffic from infected hosts is diverted.

Dissemination

SystemBC was initially only spotted in a few isolated campaigns. However, the researchers now claim that they have seen it distributed over the past two months through exploit kits such as RIG and Fallout. Such kits use vulnerabilities in browsers to infect computers.

For example, the operators of the banking trojan DanaBot and the Maze-ransomware turned out to have used exploit kits to infect hosts, after which SystemBC was used to hide malicious traffic using the proxy capabilities.

It’s precisely because of these capabilities that SystemBC is likely to become even more popular that Proofpoint states that it creates new challenges for defenders who rely on detection at the edge of the network to intercept and destroy threats like banking trojans.