Researchers have been tracking a new ransomware tool available on underground hacking forums which has evolved into a Tor proxy and remote control tool that is now being used in the wild called SystemBC

It acts as both a network proxy for concealed communications and as a remote administration tool (RAT) capable of executing Windows commands as well as delivering and executing scripts, malicious executable and dynamic link libraries (DLL).

SystemBC has evolved from acting as virtual private network (VPN) through a SOCKS5 proxy to using the Tor network to encrypt and conceal the destination of command and control traffic.

SystemBC used in recent Ryuk and Egregor ransomware attacks, though it is often used alongside other post-exploitation tools such as Cobalt Strike. It get deployed to servers after attackers had gained access to administrative credentials and moved deeper into a targeted network. Bypasses AV and establish C2C to a remote server

The Tor communications element of SystemBC appears to be based on mini-tor, an open-source library for lightweight connectivity to the Tor anonymized network. The code of mini-Tor isn’t duplicated in SystemBC , But the bot’s implementation of the Tor client closely resembles the implementation used in the open-source program,

As SystemBC is often deployed as an off-the-shelf tool, its is likely that ransomware attackers are acquiring it from malware-as-a-service operations in underground forums. The tool has become increasingly popular among cybercriminals due to the fact that it allows for multiple targets to be worked at the same time.