SystemBC Malware: A Persistent Proxy and RAT Tool in Ransomware Attacks
SystemBC, also known as Coroxy, is a long-standing Windows malware family first detected in exploit kits around 2018–2019. Initially a secondary payload, it has since evolved into a widely used commodity tool, frequently deployed alongside loaders like Buer, QBot, and Emotet. Its lightweight, modular design and dual functionality as both a SOCKS5 proxy and remote-access trojan (RAT) make it a favored component in ransomware operations, including those linked to Ryuk, Conti, Egregor, BlackBasta, Play, and Rhysida.
The malware follows a predictable infection lifecycle: after initial access, it copies itself into a randomly named file under %ProgramData%, establishes persistence via a registry Run key and scheduled task, and employs anti-detection measures such as skipping installation if security software like Emsisoft’s a2guard.exe is detected. Some variants use in-memory droppers to unpack secondary binaries, either injecting them into processes or executing them from disk.
SystemBC’s defining feature is its SOCKS5 proxy capability, which allows attackers to route command-and-control (C2) and exfiltration traffic through compromised hosts. Newer versions increasingly use Tor for anonymity, blending malicious traffic with legitimate enterprise flows to evade detection. Operators manage live SOCKS sessions via a control panel that supports auto-updates, authentication, and tens of thousands of simultaneous connections.
Early versions relied on encrypted beacons (RC4-encrypted host/user data) for C2 communication, while newer builds shift traffic to Tor using embedded directory-authority IPs. The malware supports a range of payloads EXE, DLL, shellcode, VBS, BAT, CMD, and PowerShell many executed in memory to avoid disk writes.
For threat actors, SystemBC is rarely the end goal but a force multiplier, enabling stealthy lateral movement and tool reuse across access-as-a-service chains. Its presence often signals broader compromise, including credential theft and further malware deployment. Defenders are advised to monitor unusual outbound SOCKS/Tor connections, suspicious scheduled tasks, and in-memory execution techniques, while network segmentation and egress filtering can limit its impact.
Source: https://gbhackers.com/systembc-malware-attacks/
BlueVoyant cybersecurity rating report: https://www.rankiteo.com/company/bluevoyant
Conti LLC cybersecurity rating report: https://www.rankiteo.com/company/conti-llc
PLAYSTUDIOS cybersecurity rating report: https://www.rankiteo.com/company/playstudios
Ryuk Labs cybersecurity rating report: https://www.rankiteo.com/company/ryuklabs
"id": "BLUCONPLARYU1782822739",
"linkid": "bluevoyant, conti-llc, playstudios, ryuklabs",
"type": "Ransomware",
"date": "1/2018",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'attack_vector': ['Exploit kits',
'Secondary payload',
'Loaders (Buer, QBot, Emotet)'],
'data_breach': {'data_exfiltration': True},
'date_detected': '2018-2019',
'description': 'SystemBC, also known as Coroxy, is a long-standing Windows '
'malware family first detected in exploit kits around '
'2018–2019. Initially a secondary payload, it has evolved into '
'a widely used commodity tool, frequently deployed alongside '
'loaders like Buer, QBot, and Emotet. Its lightweight, modular '
'design and dual functionality as both a SOCKS5 proxy and '
'remote-access trojan (RAT) make it a favored component in '
'ransomware operations, including those linked to Ryuk, Conti, '
'Egregor, BlackBasta, Play, and Rhysida.',
'impact': {'systems_affected': ['Windows']},
'lessons_learned': 'SystemBC is rarely the end goal but a force multiplier, '
'enabling stealthy lateral movement and tool reuse across '
'access-as-a-service chains. Its presence often signals '
'broader compromise, including credential theft and '
'further malware deployment.',
'motivation': ['Financial gain', 'Data exfiltration', 'Lateral movement'],
'ransomware': {'data_exfiltration': True,
'ransomware_strain': ['Ryuk',
'Conti',
'Egregor',
'BlackBasta',
'Play',
'Rhysida']},
'recommendations': 'Monitor unusual outbound SOCKS/Tor connections, '
'suspicious scheduled tasks, and in-memory execution '
'techniques. Implement network segmentation and egress '
'filtering to limit impact.',
'response': {'enhanced_monitoring': 'Recommended',
'network_segmentation': 'Recommended'},
'title': 'SystemBC Malware: A Persistent Proxy and RAT Tool in Ransomware '
'Attacks',
'type': ['Malware', 'Ransomware']}