SystemBC is a Remote Access Trojan (RAT) written in Russian, which was used as part of the attack chain in the DarkSide ransomware attack against Colonial Pipeline. The malware has also been observed being used to initiate Ransomware-as-a-Service (RaaS) attacks such as Ryuk and Egregor. The threat was first spotted in early 2019, and it has evolved over time to carry out its communications more discreetly.
This malware has grown in popularity among threat actors because it provides a persistent remote connection to a victim's machine, which lets them drop additional malicious executables and run Windows® commands as well as PowerShell, BAT, and VBS scripts on the infected machine. It is also highly popular among RaaS affiliates because it uses the Tor anonymizing network (the one behind the Tor Browser), which encrypts and hides the Command and Control (C2) traffic of the attack.
At BlackBerry, we take a prevention-first and AI-driven approach to cybersecurity. Putting prevention first neutralizes malware before the exploitation stage of the kill-chain.
By stopping malware at this stage, BlackBerry solutions help organizations increase their resilience. This also helps reduce infrastructure complexity and streamline security management to ensure business, people, and endpoints are secure.
BlackBerry’s Threat Research Team has analyzed the attack methods used by this threat, and in addition to recommending basic cyber hygiene steps, strongly urges BlackBerry customers to ensure their systems have BlackBerry® Protect enabled with a blocking policy and BlackBerry® Optics enabled to detect threats that trigger the rules noted below.
BlackBerry Protect, BlackBerry Optics and BlackBerry Guard stop these attacks.
Our customers can feel confident that our AI-driven security products, as well as our Managed Detection & Response (MDR) solution, are all well-equipped to mitigate the risks posed by threat actors leveraging patch vulnerabilities:
- BlackBerry Protect, our endpoint protection solution, can help shield customers from an attack which leverages the SystemBC malware. BlackBerry Protect stops the attack, protecting customers from further impact.
- BlackBerry Optics, our Endpoint Detection and Response (EDR) solution, will also provide valuable context in an attack which leverages the SystemBC malware. BlackBerry recommends the following Optics rules be activated:
  - Unsigned Application Network Beaconing
- BlackBerry® Guard customers are proactively protected, and our 24/7 MDR solution customers receive:
  - Alerts monitored in real time
  - Corrective policies applied while discovering gaps in policy implementation
  - Prioritized threat hunting
  - The latest threat intelligence for fast-moving threats
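The Optics rule named above, Unsigned Application Network Beaconing, targets the behaviour described earlier: a malware loader that keeps a persistent C2 connection open and checks in on a fixed schedule. As an added illustration of the logic behind that kind of detection (this is example code, not BlackBerry's rule or any vendor implementation), the Python below groups outbound connections by unsigned process image and destination, and flags pairs whose inter-connection intervals are regular (low jitter). The log format, the process paths, the signed/unsigned field and the IP addresses are all constructed for the example; the thresholds are assumptions a defender would tune to their own environment.

```python
"""Toy beaconing detector over a constructed connection log (example, not vendor code)."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry in a hypothetical comma-separated format:
#   <ISO timestamp>,<process image>,<signed=yes|no>,<remote ip:port>
# IPs come from the RFC 5737 documentation ranges; nothing here is a real indicator.
SAMPLE_LOG = r"""
2021-05-10T10:00:00,C:\Users\bob\AppData\Roaming\svc.exe,signed=no,203.0.113.10:443
2021-05-10T10:00:05,C:\Users\bob\Downloads\tool.exe,signed=no,198.51.100.7:443
2021-05-10T10:00:09,C:\Users\bob\Downloads\tool.exe,signed=no,198.51.100.7:443
2021-05-10T10:00:30,C:\Windows\System32\svchost.exe,signed=yes,192.0.2.5:443
2021-05-10T10:01:00,C:\Users\bob\AppData\Roaming\svc.exe,signed=no,203.0.113.10:443
2021-05-10T10:01:30,C:\Windows\System32\svchost.exe,signed=yes,192.0.2.5:443
2021-05-10T10:02:01,C:\Users\bob\AppData\Roaming\svc.exe,signed=no,203.0.113.10:443
2021-05-10T10:02:30,C:\Windows\System32\svchost.exe,signed=yes,192.0.2.5:443
2021-05-10T10:03:00,C:\Users\bob\AppData\Roaming\svc.exe,signed=no,203.0.113.10:443
2021-05-10T10:03:30,C:\Windows\System32\svchost.exe,signed=yes,192.0.2.5:443
2021-05-10T10:04:02,C:\Users\bob\AppData\Roaming\svc.exe,signed=no,203.0.113.10:443
2021-05-10T10:07:40,C:\Users\bob\Downloads\tool.exe,signed=no,198.51.100.7:443
2021-05-10T10:30:12,C:\Users\bob\Downloads\tool.exe,signed=no,198.51.100.7:443
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, image, is_signed, dest) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, image, signed, dest = line.split(",", 3)
        events.append((datetime.fromisoformat(ts), image, signed == "signed=yes", dest))
    return events


def find_beacons(events, min_connections=4, max_jitter=0.2):
    """Flag unsigned processes that contact one destination at regular intervals.

    Jitter is the coefficient of variation (stdev / mean) of the intervals between
    consecutive connections; a scheduled check-in has a jitter near zero, while
    interactive or user-driven traffic is bursty. The thresholds are assumptions.
    """
    groups = defaultdict(list)
    for ts, image, is_signed, dest in events:
        if is_signed:
            continue  # the rule only concerns unsigned binaries
        groups[(image, dest)].append(ts)

    findings = []
    for (image, dest), times in groups.items():
        if len(times) < min_connections:
            continue  # not enough samples to judge regularity
        times.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(intervals) / mean
        if jitter <= max_jitter:
            findings.append({
                "image": image,
                "dest": dest,
                "connections": len(times),
                "mean_interval_s": round(mean, 1),
                "jitter": round(jitter, 3),
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(hit)
```

On the sample above only `svc.exe` is reported: it checks in roughly once a minute with sub-second drift. `tool.exe` is unsigned but its four connections are irregular, and `svchost.exe` is perfectly periodic but signed, so both fall outside the rule's scope. In a real deployment the signed/unsigned attribute would come from the endpoint agent's code-signing verification rather than from a log field, and the jitter threshold would need to account for malware that deliberately randomizes its sleep.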
The BlackBerry Incident Response team can work with organizations of any size and across any vertical, to evaluate and enhance their endpoint security posture and proactively maintain the security, integrity, and resilience of their network infrastructure.
For emergency assistance, please email us at DLIR@blackberry.com, or use our handraiser form.
Learn more about the latest cybersecurity threats and threat actors in the BlackBerry 2021 Annual Threat Report.