Heimdal
Home > Cybersecurity News

SystemBC Malware Used to Target Users by Black Basta-Linked Threat Actors

The Ongoing Social Engineering Campaign Aims to Steal Credentials and Install Malware.

Last updated on August 16, 2024

article featured image

Contents:

“Multiple intrusion attempts” have been connected to an ongoing social engineering campaign purportedly tied to the Black Basta ransomware group, which aims to steal credentials and install a malware dropper named SystemBC.

What Do We Know About the Operation?

According to cybersecurity professionals, the approach is nothing out of the ordinary, following the usual pattern of a social engineering attack, an email bomb followed by an attempt to call the victim and offer a fake solution.

Subsequently, the attack chain persuades the user to download and install AnyDesk, a genuine remote access program that serves as a conduit for the delivery of additional payloads and the exfiltration of private information.

This involves using an application called “AntiSpam.exe” that requests users to provide their Windows login information to finish the update and claims to download email spam filters.

After that, a number of programs, DLL files, and PowerShell scripts are run. These include a SOCKS proxy, SystemBC, and an HTTP beacon built in Golang that connects to a distant server.

It is recommended that all unauthorized remote desktop solutions be banned and that shady calls and messages claiming to be from inside IT professionals be kept out in order to reduce the risk posed by the attack.

The discovery coincides with the emergence of SocGholish (also known as FakeUpdates), GootLoader, and Raspberry Robin as the most often detected loader strains in 2024. These strains serve as stepping stones for ransomware.

These loaders are often offered through subscription models, with monthly fees granting access to regular updates, support, and new features. An advantage offered by this subscription model is that it allows even threat actors with limited technical expertise to mount sophisticated attacks.

If you liked this piece, you can find more on the blog. Follow us on LinkedInTwitterFacebook, and YouTube for more cybersecurity news and topics.

Author Profile

Cristian Neagu

CONTENT EDITOR

linkedin icon

Cristian is a Content Editor & Creator at Heimdal®, where he developed a deep understanding of the digital threat landscape. His style resonates with both technical and non-technical readers, proof being in his skill of communicating cybersecurity norms effectively, in an easy-to-understand manner.

Related Articles

2024’s Best RMM Solutions for MSPs: Top 10 Remote IT Management ToolsBlack Basta Buster Utilizes Ransomware Flaw to Recover FilesNew Research Shows Raspberry Robin Can Be Repurposed by Other Threat ActorsMalware as a Service (MaaS). What It Is and How It Can Threaten Your Business?What Is Social Engineering?Ransomware Explained. What It Is and How It Works

CHECK OUR SUITE OF 11 CYBERSECURITY SOLUTIONS

SEE MORE
linkedin
youtube
facebook
x

resources

company

newsletter

© 2024 Heimdal®

Vat No. 35802495, Vester Farimagsgade 1, 2 Sal, 1606 København V