New Windows malware sets up proxies on your PC to relay malicious traffic

New SystemBC malware spotted in the wild helping other malware strains bypass firewalls, hide bad traffic.


A new malware strain targeting Windows systems is rearing its ugly head. Named SystemBC, this malware installs a proxy on infected computers.

The bad news is that SystemBC never comes alone, and usually, the presence of this malware indicates that a computer was also infected by a second threat.

Proofpoint researchers, who recently analyzed the malware, say its creators are advertising it on underground cybercrime forums to other malware authors.

The SystemBC malware is effectively an on-demand proxy component that other malware operators can integrate and deploy on compromised computers alongside their primary strain.

SystemBC's main role is to set up a SOCKS5 proxy server on the infected host, through which the other malware can tunnel its traffic to bypass local firewalls, skirt internet content filters, or reach its command-and-control server without revealing the real IP address on either end of the connection.

SystemBC sold to other malware operators

Proofpoint researchers said they identified an ad on a hacking forum for an unnamed malware strain that appears to be SystemBC. The ad is dated early April, about a month before the malware was first seen online, in May.

The ad includes images of the SystemBC backend, through which other malware operators can list active installs, update the malware on users' computers, or configure the final IP to which the malware relays traffic from infected hosts.

[Image: SystemBC backend panel (systembc-malware-cc.png). Image credit: Proofpoint]

While the malware was initially seen only in a few isolated campaigns, Proofpoint researchers say that over the past two months it has been distributed via exploit kits such as RIG and Fallout.

Exploit kits are web-based systems that leverage browser vulnerabilities to plant malware on users' computers, or that redirect users to web pages designed to trick them into installing malware-laced apps themselves.

For example, Proofpoint said the operators of the DanaBot banking trojan and the Maze ransomware appear to have used exploit kits to infect hosts and then SystemBC's proxying capabilities to hide their malicious traffic.

Problems for detecting malware infections

Because of its ability to mask bad network traffic generated by other malware, SystemBC is bound to become even more popular as time goes by.

Furthermore, according to the Proofpoint team, SystemBC will also create "new challenges for defenders relying on network edge detections to intercept and mitigate threats like banking Trojans."
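To make concrete what an edge sensor has to recognise before the tunnel described above is established, here is an added example (not code from Proofpoint, and not SystemBC's own code) that decodes the SOCKS5 negotiation defined in RFC 1928: the client's method-selection greeting and the CONNECT request that names the real destination. The byte strings in the block are constructed for illustration, not captured from any real infection. The decoder covers all three address types the protocol allows, which is broader than the article's description.

```python
"""Decoder for the SOCKS5 client-side negotiation (RFC 1928).

Added example, not code from Proofpoint or from the malware itself. Every
sample byte string below is constructed for illustration.
"""
import ipaddress
import struct
from typing import Dict, List, Optional

SOCKS_VERSION = 5
CMD_NAMES = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4


def parse_greeting(data: bytes) -> Optional[List[int]]:
    """Client method-selection message: VER | NMETHODS | METHODS (1 byte each).
    Returns the offered authentication methods, or None if this is not SOCKS5."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) < 2 + nmethods:
        return None
    return list(data[2:2 + nmethods])


def parse_request(data: bytes) -> Optional[Dict[str, object]]:
    """Client request sent after method selection:
    VER | CMD | RSV=0 | ATYP | DST.ADDR | DST.PORT (2 bytes, network order).
    Returns the requested destination, or None if the bytes do not parse."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0:
        return None
    cmd, atyp = data[1], data[3]
    if cmd not in CMD_NAMES:
        return None
    pos = 4
    if atyp == ATYP_IPV4:
        if len(data) < pos + 4:
            return None
        host = str(ipaddress.IPv4Address(data[pos:pos + 4]))
        pos += 4
    elif atyp == ATYP_IPV6:
        if len(data) < pos + 16:
            return None
        host = str(ipaddress.IPv6Address(data[pos:pos + 16]))
        pos += 16
    elif atyp == ATYP_DOMAIN:
        # Length-prefixed hostname. The proxy resolves it, so the client's own
        # DNS never shows a lookup for the real destination.
        if len(data) < pos + 1:
            return None
        n = data[pos]
        pos += 1
        if n == 0 or len(data) < pos + n:
            return None
        host = data[pos:pos + n].decode("ascii", errors="replace")
        pos += n
    else:
        return None
    if len(data) < pos + 2:
        return None
    (port,) = struct.unpack("!H", data[pos:pos + 2])
    return {"cmd": CMD_NAMES[cmd], "host": host, "port": port}


def classify_client_stream(segments: List[bytes]) -> Optional[Dict[str, object]]:
    """Given the first client-to-server payloads of a TCP flow, report whether
    they open a SOCKS5 tunnel and, if so, to which destination.
    Only the first two segments matter: greeting, then request."""
    if len(segments) < 2:
        return None
    methods = parse_greeting(segments[0])
    if methods is None:
        return None
    req = parse_request(segments[1])
    if req is None:
        return None
    req["auth_methods"] = methods
    return req


# Constructed sample flows (not captured traffic).
SOCKS_TUNNEL = [
    b"\x05\x01\x00",                              # greeting: one method, no-auth
    b"\x05\x01\x00\x03\x0bexample.com\x01\xbb",  # CONNECT example.com:443
]
PLAIN_HTTP = [b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n", b""]

if __name__ == "__main__":
    for name, flow in (("socks", SOCKS_TUNNEL), ("http", PLAIN_HTTP)):
        print(name, classify_client_stream(flow))
```

The caveat a practitioner will want: this decoder only sees the negotiation if it crosses the sensor in the clear. When the hop to the proxy is on the loopback interface, or the relay leg is wrapped in TLS, the edge sensor sees a single outbound connection to the relay address and nothing that names the real destination, which is exactly why relaying through a proxy complicates edge detection.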

Either way, the main takeaway here is that a SystemBC detection means there is a second malware strain on the PC, and removing SystemBC alone won't solve the problem.
