Cybercriminals are increasingly outsourcing the task of deploying ransomware to affiliates using commodity malware and attack tools, according to new research.
In a new analysis published by Sophos today and shared with The Hacker News, recent deployments of Ryuk and Egregor ransomware have involved the use of SystemBC backdoor to laterally move across the network and fetch additional payloads for further exploitation.
Affiliates are typically threat actors responsible for gaining an initial foothold in a target network.
“SystemBC is a regular part of recent ransomware attackers’ toolkits,” said Sophos senior threat researcher and former Ars Technica national security editor Sean Gallagher.
“The backdoor can be used in combination with other scripts and malware to perform discovery, exfiltration and lateral movement in an automated way across multiple targets. These SystemBC capabilities were originally intended for mass exploitation, but they have now been folded into the toolkit for targeted attacks — including ransomware.”
First documented by Proofpoint in August 2019, SystemBC is a proxy malware that leverages SOCKS5 internet protocol to mask traffic to command-and-control (C2) servers and download the DanaBot banking Trojan.
The SystemBC RAT has since expanded the breadth of its toolset with new characteristics that allow it to use a Tor connection to encrypt and conceal the destination of C2 communications, thus providing attackers with a persistent backdoor to launch other attacks.
Researchers note that SystemBC has been used in a number of ransomware attacks — often in conjunction with other post-exploitation tools like CobaltStrike — to take advantage of its Tor proxy and remote access features to parse and execute malicious shell commands, VBS scripts, and other DLL blobs sent by the server over the anonymous connection.
It also appears that SystemBC is just one of the many commodity tools that are deployed as a consequence of initial compromise stemming from phishing emails that deliver malware loaders like Buer Loader, Zloader, and Qbot — leading the researchers to suspect that the attacks may have been launched by affiliates of the ransomware operators, or by the ransomware gangs themselves through multiple malware-as-a-service providers.
“These capabilities give attackers a point-and-shoot capability to perform discovery, exfiltration and lateral movement with packaged scripts and executables — without having to have hands on a keyboard,” the researchers said.
The rise of commodity malware also points to a new trend where ransomware is offered as a service to affiliates, like it’s in the case of MountLocker, where the operators provide double extortion capabilities to affiliates so as to distribute the ransomware with minimal effort.
“The use of multiple tools in ransomware-as-a-service attacks creates an ever more diverse attack profile that is harder for IT security teams to predict and deal with,” Gallagher said. “Defense-in-depth, employee education and human-based threat hunting are essential to detecting and blocking such attacks.”