SystemBC Proxy Malware in Gentlemen Ransomware Attacks: Detection and Hardening

Introduction

A recent investigation into the "Gentlemen" encryption-based cyber incident has revealed a shift in tactics: affiliates are now deploying SystemBC, a sophisticated proxy malware, to establish bot-powered command-and-control (C2) infrastructure. With over 1,570 confirmed corporate hosts compromised, this campaign represents a significant escalation. SystemBC is not just a loader; it functions as a SOCKS5 proxy, allowing attackers to tunnel traffic through victim networks, obfuscating their origin and facilitating lateral movement before ransomware deployment. Defenders must prioritize the detection of this specific proxy behavior to disrupt the attack chain before encryption occurs.

Technical Analysis

Threat Overview: SystemBC is a C#-based malware frequently distributed via spam campaigns or exploit kits. In this campaign, it acts as a bridge for the "Gentlemen" ransomware affiliates. Once executed, SystemBC connects to a C2 server to receive instructions and acts as a proxy, forwarding traffic from the attacker to the internal network.

Affected Platforms:

OS: Microsoft Windows (all versions susceptible to binary execution)
Environment: Corporate networks (identified victims)

Attack Chain Breakdown:

Initial Access: Typically delivered via malicious attachments or links leading to dropper payloads.
Execution: The SystemBC binary (often masquerading as a legitimate utility) is executed. It frequently spawns a legitimate Windows process (e.g., powershell.exe or cmd.exe) to execute shell commands or runs as a standalone service.
Persistence: SystemBC often establishes persistence by modifying Registry Run keys or creating a Windows Service.
C2 & Proxying: The malware initiates a connection to the threat actor's server. It configures the host as a proxy node, allowing the attacker to route malicious traffic (e.g., RDP, SMB) through the compromised host, bypassing perimeter firewall controls.
Objective: The proxy access is used to perform reconnaissance, lateral movement, and ultimately deploy the Gentlemen ransomware payload.

Exploitation Status:

Active Exploitation: Confirmed (ITW). Over 1,570 hosts identified as part of this botnet.
CISA KEV: Not explicitly listed as a single CVE, but the malware activity falls under active exploitation indicators.

Detection & Response

The following detection rules focus on the behavioral characteristics of SystemBC, specifically its execution patterns from suspicious directories and its registry persistence mechanisms.

Sigma Rules

YAML

---
title: SystemBC Proxy Persistence via Registry Run Key
id: 8a4c3e10-1b2d-4f3e-9a0d-1c2b3a4d5e6f
status: experimental
description: Detects SystemBC or similar proxy malware establishing persistence via Registry Run keys, often utilizing suspicious paths like Public or ProgramData.
references:
  - https://www.bleepingcomputer.com/news/security/the-gentlemen-ransomware-now-uses-systembc-for-bot-powered-attacks/
author: Security Arsenal
date: 2024/10/24
tags:
  - attack.persistence
  - attack.t1547.001
logsource:
  category: registry_add
  product: windows
detection:
  selection:
    TargetObject|contains:
      - 'Software\Microsoft\Windows\CurrentVersion\Run'
    Details|contains:
      - 'C:\Users\Public\'
      - 'C:\ProgramData\'
  condition: selection
falsepositives:
  - Legitimate software occasionally installed in these directories by IT (rare)
level: high
---
title: Suspicious Process Execution from Public Directory
id: 9b5d4f21-2c3e-5g4f-0b1e-2d3c4e5f6a7g
status: experimental
description: Detects execution of binaries from the C:\Users\Public directory, a common drop location for SystemBC and other malware to avoid user profile restrictions.
references:
  - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2024/10/24
tags:
  - attack.execution
  - attack.t1059
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|contains:
      - 'C:\Users\Public\'
      - 'C:\ProgramData\'
    Image|endswith:
      - '.exe'
  filter:
    Image|contains:
      - 'TeamViewer'
      - 'AnyDesk'
      - 'LogMeIn'
      - 'Chrome'
  condition: selection and not filter
falsepositives:
  - Administrators running tools from public shares
level: medium
---
title: SystemBC Network Connection Anomaly
id: 0c6e5g32-3d4f-6h5g-1c2f-3e4d5f6g7h8i
status: experimental
description: Detects potential SystemBC C2 activity based on suspicious processes initiating network connections to non-standard ports commonly used for proxying.
references:
  - https://attack.mitre.org/techniques/T1071/
author: Security Arsenal
date: 2024/10/24
tags:
  - attack.command_and_control
  - attack.t1071
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Image|contains:
      - 'C:\Users\Public\'
      - 'C:\ProgramData\'
    DestinationPort|startswith:
      - '80'
      - '443'
      - '8080'
  condition: selection
falsepositives:
  - Legitimate web browsers or update services running from unusual paths
level: high

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender

// Hunt for SystemBC indicators: Processes running from Public/ProgramData initiating network connections
let SuspiciousPaths = dynamic(['C:\\Users\\Public\\', 'C:\\ProgramData\\']);
DeviceProcessEvents
| where FolderPath has_any (SuspiciousPaths)
| where FileName !~ "chrome.exe" and FileName !~ "firefox.exe" and FileName !~ "msedge.exe" // Browser FP reduction
| join kind=inner (
    DeviceNetworkEvents
    | where InitiatingProcessFolderPath has_any (SuspiciousPaths)
    | where RemotePort in (80, 443, 8080) // Common C2 ports
) on DeviceId, SHA256
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort, SHA256
| distinct Timestamp, DeviceName, FileName, RemoteIP, RemotePort

Velociraptor VQL

VQL — Velociraptor

-- Hunt for SystemBC artifacts in filesystem and processes
-- 1. Hunt for executables in Public folders
SELECT FullPath, Size, Mtime
FROM glob(globs="C:/Users/Public/**/*.exe")
WHERE NOT Name =~ "chrome.exe" AND NOT Name =~ "firefox.exe"

-- 2. Hunt for processes running from these locations
SELECT Pid, Name, Exe, Cmdline, Username
FROM pslist()
WHERE Exe =~ "C:\\Users\\Public\\" OR Exe =~ "C:\\ProgramData\\"

-- 3. Check for SystemBC specific registry persistence (Run keys)
SELECT key, value, data, mtime
FROM registry_globs(globs="HKEY_USERS/*/Software/Microsoft/Windows/CurrentVersion/Run/*")
WHERE data =~ "Users\\Public" OR data =~ "ProgramData"

Remediation Script (PowerShell)

PowerShell

<#
.SYNOPSIS
    SystemBC Incident Response Script
.DESCRIPTION
    Identifies and terminates SystemBC related processes and removes persistence mechanisms.
#>

Write-Host "Starting SystemBC remediation..." -ForegroundColor Cyan

# Define suspicious paths
$SuspiciousPaths = @("C:\Users\Public", "C:\ProgramData")
$ProcessesToKill = Get-Process | Where-Object { 
    $SuspiciousPaths -contains (Split-Path $_.Path -Parent) -and 
    $_.Path -notlike "*TeamViewer*" -and 
    $_.Path -notlike "*AnyDesk*"
}

if ($ProcessesToKill) {
    Write-Host "Found suspicious processes. Terminating..." -ForegroundColor Yellow
    foreach ($proc in $ProcessesToKill) {
        try {
            Stop-Process -Id $proc.Id -Force -ErrorAction Stop
            Write-Host "Terminated process: $($proc.Path)" -ForegroundColor Green
        } catch {
            Write-Host "Failed to terminate process ID $($proc.Id): $($_.Exception.Message)" -ForegroundColor Red
        }
    }
} else {
    Write-Host "No suspicious processes found in target paths." -ForegroundColor Green
}

# Remove Registry Persistence (Run Keys)
$RunKeys = @(
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
)

Write-Host "Checking Registry persistence..." -ForegroundColor Cyan

foreach ($key in $RunKeys) {
    if (Test-Path $key) {
        Get-Item $key | ForEach-Object {
            $_.Property | ForEach-Object {
                $propValue = (Get-ItemProperty -Path "$key\$_" -ErrorAction SilentlyContinue).$_
                if ($propValue -like "*Users\Public*" -or $propValue -like "*ProgramData*") {
                    Write-Host "Removing persistence value: $_ from $key" -ForegroundColor Yellow
                    Remove-ItemProperty -Path $key -Name $_ -Force -ErrorAction SilentlyContinue
                }
            }
        }
    }
}

Write-Host "Remediation complete. Please perform a full AV scan." -ForegroundColor Cyan

Remediation

To fully remediate the SystemBC threat associated with the Gentlemen campaign, execute the following steps immediately:

Isolate Affected Hosts: Disconnect identified victims from the network immediately to prevent lateral movement via the SystemBC proxy.
Terminate Malicious Processes: Use the PowerShell script provided above or an EDR solution to kill processes originating from C:\Users\Public or C:\ProgramData that are not verified binaries.
Remove Persistence: Audit the HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry hives. Remove any entries pointing to executables in the aforementioned directories.
Credential Reset: SystemBC often acts as a conduit for credential theft (e.g., Mimikatz). Assume all credentials cached on the infected host are compromised. Force a password reset for all accounts used on the machine, specifically focusing on domain admin credentials.
Network Blocking: Review firewall logs for outbound connections to the C2 infrastructure identified during the investigation. Block the associated IP addresses and domains at the perimeter.
Vendor Advisory: Continue monitoring updates from CISA and the original reporter regarding the specific IOCs (Indicators of Compromise) for the "Gentlemen" affiliates, as C2 domains frequently rotate.

Related Resources

Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub