SystemBC Malware Hijacks VPS Servers as Proxy Gateways

▼ Summary
– SystemBC operators target vulnerable commercial VPS servers, maintaining around 1,500 daily bots to route malicious traffic.
– Compromised servers have multiple unpatched vulnerabilities, with an average of 20 security issues and at least one critical flaw.
– The proxy network has been active since 2019 and is used by ransomware gangs and other threat actors to hide command-and-control activity.
– SystemBC supports high-volume traffic for criminal services like REM Proxy and a Russian web-scraping service, with little concern for stealth.
– Infected servers have long lifespans, with nearly 40% remaining compromised for over a month, and one generated 16GB of proxy data in 24 hours.
The operators behind the SystemBC proxy botnet are actively targeting vulnerable commercial virtual private servers, maintaining a daily average of 1,500 compromised systems that serve as gateways for malicious traffic. These hijacked servers, located worldwide, suffer from multiple unpatched security flaws, some with dozens of vulnerabilities, making them ideal targets for threat actors.
Active since at least 2019, SystemBC has become a favored tool among ransomware groups and other cybercriminals. It enables attackers to route malicious communications through infected hosts, effectively masking command-and-control activities and complicating detection efforts.
Researchers at Lumen’s Black Lotus Labs note that the SystemBC network prioritizes volume over stealth. Its operators show little concern for maintaining a low profile, as infected IP addresses remain exposed without obfuscation or rotation. The infrastructure includes more than 80 command-and-control servers that link clients to compromised proxies, and it also fuels other malicious proxy services.
One notable client, REM Proxy, relies on approximately 80% of SystemBC’s bots to offer tiered proxy services. Other significant users include a large Russian web-scraping operation and a Vietnamese proxy network known as VN5Socks or Shopsocks5. Despite these partnerships, SystemBC’s operators primarily use the network to brute-force WordPress credentials, which are later sold to brokers for injecting malicious code into websites.
Nearly 80% of the botnet’s daily active bots consist of compromised VPS systems from major commercial providers. This approach results in extended infection periods, with almost 40% of systems remaining compromised for over a month. Each infected server averages 20 unpatched vulnerabilities, including at least one critical flaw. In one extreme case, a server in Alabama was found to have 161 security issues.
By targeting VPS systems rather than residential proxies, SystemBC ensures high-volume, stable traffic, a key advantage for its users. In a simulated environment, researchers observed a single IP address generating over 16 gigabytes of proxy data in just 24 hours, far exceeding typical proxy network volumes.
A central IP address, 104.250.164[.]214, appears instrumental in victim recruitment and hosts all 180 known SystemBC malware samples. Newly infected servers download a shell script containing Russian-language comments, instructing the system to execute all malware samples simultaneously.
Despite law enforcement efforts such as Operation Endgame, which targeted malware droppers for multiple botnets including SystemBC, the proxy network remains highly active and resilient. Black Lotus Labs has published a detailed technical analysis along with indicators of compromise to help organizations detect and mitigate SystemBC-related threats.
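The two behaviours the article attributes to infected hosts, contact with the recruitment address and sustained proxy egress far above normal, can be turned into a simple triage check over flow records. The code below is an added example, not from the article or Black Lotus Labs; the flow records and the 16 GB/24 h threshold derived from the reported figure are constructed assumptions.

```python
"""Flag hosts showing the SystemBC behaviours described above.

Flow records are constructed for this example (not from the article), one per
line as "timestamp,src_ip,dst_ip,bytes_out".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Indicator quoted in the article, refanged for matching against flow data.
RECRUITMENT_IP = "104.250.164[.]214".replace("[.]", ".")
# Assumed threshold: the article reports one bot pushing over 16 GB in 24 h.
VOLUME_THRESHOLD = 16 * 1024 ** 3
WINDOW = timedelta(hours=24)

# Constructed sample: .10 contacts the recruitment IP and pushes ~18 GB in
# eleven hours; .11 is a quiet host that should not be flagged.
SAMPLE_FLOWS = """\
2024-01-01T00:00:00,203.0.113.10,104.250.164.214,4096
2024-01-01T01:00:00,203.0.113.10,198.51.100.5,9000000000
2024-01-01T12:00:00,203.0.113.10,198.51.100.6,9000000000
2024-01-01T03:00:00,203.0.113.11,198.51.100.7,500000
2024-01-02T05:00:00,203.0.113.10,198.51.100.8,1000
"""


def parse_flows(text):
    """Parse CSV flow lines into (timestamp, src, dst, bytes) sorted by time."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, nbytes = line.split(",")
        flows.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return sorted(flows)


def find_suspects(flows, threshold=VOLUME_THRESHOLD, window=WINDOW):
    """Return {src_ip: set(reasons)} for hosts matching either behaviour."""
    reasons = defaultdict(set)
    per_src = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        if dst == RECRUITMENT_IP:
            reasons[src].add("contacted-recruitment-ip")
        per_src[src].append((ts, nbytes))
    # Sliding 24 h window over each source's egress, oldest flow dropped first.
    for src, events in per_src.items():
        start, total = 0, 0
        for ts, nbytes in events:
            total += nbytes
            while ts - events[start][0] > window:
                total -= events[start][1]
                start += 1
            if total > threshold:
                reasons[src].add("egress-over-threshold-24h")
                break
    return dict(reasons)
```

Run against real NetFlow or VPC flow exports, the same two signals separate a hijacked VPS from a merely busy one; both hits on a single host warrant an immediate look at that server's patch state.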
(Source: Bleeping Computer)