This ‘off the shelf’ Tor backdoor malware is now a firm favorite with ransomware operators

SystemBC is making its mark as a popular tool used in high-profile ransomware campaigns.
Written by Charlie Osborne, Contributing Writer

A Remote Access Trojan (RAT) on sale in underground forums has evolved to abuse Tor when maintaining persistence on infected machines. 

On Thursday, Sophos Labs' Sivagnanam Gn and Sean Gallagher revealed ongoing research into the malware, which has been in the wild since 2019. 

Dubbed SystemBC, the RAT has evolved from acting as a virtual private network (VPN) through a SOCKS5 proxy into a backdoor that leverages the Tor network to establish persistence and make tracing connected command-and-control (C2) servers a more difficult task. 

According to the researchers, the Windows-based SystemBC malware is capable of executing Windows commands, script deployment, implementing malicious DLLs, remote administration and monitoring, and establishing backdoors for operators to connect the malware to a C2 in order to receive commands. 

Sophos Labs says that over the course of the year, SystemBC has evolved and features have been enhanced, leading to increased popularity with buyers including ransomware operators. 

See also: Your email threads are now being hijacked by the QBot Trojan

Once deployed, the RAT will copy and schedule itself as a service but will skip this step if Emsisoft antivirus software is detected. A connection to a C2 is then established through a beacon connection to a remote server based at one of two hard-coded domains -- with addresses varying in samples -- as well as a lightweight Tor client. 

"The Tor communications element of SystemBC appears to be based on mini-tor, an open-source library for lightweight connectivity to the Tor anonymized network," the researchers note. "The code of mini-Tor isn't duplicated in SystemBC [...] but the bot's implementation of the Tor client closely resembles the implementation used in the open-source program, including its extensive use of the Windows Crypto Next Gen (CNG) API's Base Crypto (BCrypt) functions."

Over the past few months, SystemBC has been tracked in "hundreds" of deployments, including recent Ryuk and Egregor ransomware attacks. The team says the backdoor was deployed after the cyberattackers obtained access to server credentials in these attacks, with SystemBC acting as a valuable persistence bolt-on to the main malware strains used. 


SystemBC was deployed as an off-the-shelf tool, likely obtained through malware-as-a-service deals made in underground forums, and in some cases, was present on infected machines for days -- or weeks -- at a time.

"SystemBC is an attractive tool in these types of operations because it allows for multiple targets to be worked at the same time with automated tasks, allowing for hands-off deployment of ransomware using Windows built-in tools if the attackers gain the proper credentials," Sophos Labs added. 

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards