SystemBC Botnet Fuels REM Proxy Network with 1,500 Daily VPS Infections Across 80 C2 Servers

The REM Proxy network, a significant player in the cybercriminal underground, uses the SystemBC malware to turn compromised systems into SOCKS5 proxies. The operation runs on more than 80 command-and-control (C2) servers and holds around 1,500 infected systems on any given day; nearly 80% of those are VPS instances at prominent commercial hosting providers rather than residential machines.

SystemBC Malware: An Overview

SystemBC is a C-based malware designed to convert infected machines into SOCKS5 proxies. This functionality enables attackers to route malicious traffic through these compromised systems, effectively anonymizing their activities. First identified by Proofpoint in 2019, SystemBC has evolved to target both Windows and Linux platforms, expanding its reach and versatility.

REM Proxy Network: Structure and Operations

The REM Proxy network uses SystemBC to build a large pool of exit proxies. A proxy customer connects to a SystemBC C2 server on a high-numbered port, and the C2 relays each connection through one of the infected hosts to its destination, so the destination sees the victim's IP address rather than the customer's. The victim population thereby doubles as a high-capacity relay layer for whatever the customers push through it.
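The relay path described above, shown as an added example that is not part of the original article or of SystemBC's own code: the SOCKS5 (RFC 1928) greeting and CONNECT request a proxy customer sends, the decoding a relay has to perform before it can open the onward connection, and the cheap first-packet check a network detection can use to spot SOCKS5 traffic to or from a server that should not be proxying. All function names and sample addresses are this example's own (the addresses are from the TEST-NET documentation ranges), and it assumes the "no authentication" method.

```python
"""Added example (not from the article or from SystemBC): RFC 1928 SOCKS5
greeting and CONNECT encoding/decoding, plus a first-packet detection check.
Names and sample values are this example's own."""
import ipaddress
import struct

SOCKS_VERSION = 0x05
NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def build_greeting(methods=(NO_AUTH,)) -> bytes:
    """Client greeting: VER, NMETHODS, METHODS (RFC 1928 section 3)."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def build_connect(host: str, port: int) -> bytes:
    """CONNECT request: VER CMD RSV ATYP DST.ADDR DST.PORT (section 4).
    host may be an IPv4 literal, an IPv6 literal or a domain name."""
    try:
        ip = ipaddress.ip_address(host)
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = bytes([atyp]) + ip.packed
    except ValueError:
        raw = host.encode("idna")
        if len(raw) > 255:
            raise ValueError("domain name too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(raw)]) + raw
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect(buf: bytes):
    """Decode a CONNECT request the way a relay must, returning (host, port).
    Anything malformed raises ValueError; a relay should drop such input
    rather than guess at it."""
    if len(buf) < 5 or buf[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    if buf[1] != CMD_CONNECT:
        raise ValueError(f"unsupported command {buf[1]:#x}")
    atyp = buf[3]
    if atyp == ATYP_IPV4:
        body_end = 4 + 4
        host = str(ipaddress.IPv4Address(buf[4:body_end]))
    elif atyp == ATYP_IPV6:
        body_end = 4 + 16
        host = str(ipaddress.IPv6Address(buf[4:body_end]))
    elif atyp == ATYP_DOMAIN:
        body_end = 5 + buf[4]
        host = buf[5:body_end].decode("idna")
    else:
        raise ValueError(f"unknown ATYP {atyp:#x}")
    if len(buf) != body_end + 2:
        raise ValueError("truncated or trailing bytes in request")
    (port,) = struct.unpack("!H", buf[body_end:body_end + 2])
    return host, port


def is_socks5_greeting(payload: bytes) -> bool:
    """First-packet check usable in a flow-level detection: version byte 0x05,
    a method count, and exactly that many method bytes."""
    return (len(payload) >= 3 and payload[0] == SOCKS_VERSION
            and 1 <= payload[1] <= 255 and len(payload) == 2 + payload[1])


if __name__ == "__main__":
    req = build_connect("192.0.2.10", 443)          # constructed sample target
    print(build_greeting().hex(), req.hex(), parse_connect(req))
```

The greeting is only three bytes (`05 01 00` for the no-auth case), which is why a detection should not fire on it alone; pair it with context such as the server's role (a web or mail VPS has no business accepting SOCKS5) and the volume of onward connections that follow.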

In addition to the SystemBC bots, REM Proxy markets a pool of roughly 20,000 MikroTik routers and assorted open proxies scraped from public lists. This mix has drawn multiple threat actors, including the operators of TransferLoader, a loader that has been used to deliver the Morpheus ransomware.

Infection Statistics and Vulnerabilities

The SystemBC botnet’s daily operations involve over 80 C2 servers managing around 1,500 infected systems. A significant portion of these systems are VPS instances from major commercial providers, highlighting the botnet’s focus on high-capacity, reliable infrastructure. Notably, approximately 300 of these infected systems are also part of another botnet known as GoBruteforcer (GoBrut).

A concerning aspect of this botnet is how long infections persist: nearly 40% of the compromised systems remain infected for more than 31 days, which points to little or no detection and remediation on the victim side. The victims are also poorly patched, averaging 20 unpatched Common Vulnerabilities and Exposures (CVEs) each, including at least one rated critical; one VPS in Atlanta, USA, carried more than 160 unpatched CVEs, a sign of how widely security updates are being neglected.

Broader Implications and Threat Actor Utilization

The extensive proxy network established by SystemBC serves as a conduit for high volumes of malicious traffic, facilitating the operations of various cybercriminal groups. By compromising VPS systems instead of residential IP addresses, SystemBC offers proxies capable of handling substantial traffic volumes over extended periods.

Beyond REM Proxy, SystemBC’s infrastructure supports multiple other services, including at least two Russia-based proxy services, a Vietnamese proxy service known as VN5Socks (Shopsocks5), and a Russian web scraping service. This widespread adoption underscores the malware’s versatility and the demand for such proxy networks in the cybercriminal ecosystem.

Infection Mechanisms and Expansion Strategies

Central to SystemBC’s operations is the IP address 104.250.164[.]214, which hosts the malware artifacts and initiates attacks to recruit new victims. Upon compromising a system, a shell script is deployed to install the malware, effectively integrating the system into the botnet.

The botnet’s expansion strategy prioritizes volume over stealth, aiming to enlist as many devices as possible. One notable application of this network is by the SystemBC operators themselves, who utilize it to brute-force WordPress site credentials. The harvested credentials are likely sold on underground forums, enabling other malicious actors to inject harmful code into compromised websites for subsequent campaigns.
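The WordPress credential brute-forcing mentioned above leaves a recognizable pattern in a site's access log. The following is an added example, not code from the article or from any vendor report, that flags it: it counts POST requests to the login endpoints per source IP inside a sliding time window and notes whether a redirect (the usual sign of a successful login) follows the burst. The log lines are constructed for the example, and the threshold and window size are assumptions to tune per site.

```python
"""Added example (not from the article): detect WordPress login brute-forcing
in a combined-format access log. Sample log lines are constructed; the
threshold and window are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format; the pattern captures only the fields needed here.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# xmlrpc.php is included because system.multicall lets one POST carry many
# credential guesses, so even a low request rate there matters.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

# Constructed sample: one attacker (198.51.100.7), one normal user
# (203.0.113.5) and one low-rate xmlrpc.php client (192.0.2.44).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Sep/2025:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
198.51.100.7 - - [10/Sep/2025:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
198.51.100.7 - - [10/Sep/2025:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
203.0.113.5 - - [10/Sep/2025:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 4400
198.51.100.7 - - [10/Sep/2025:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
198.51.100.7 - - [10/Sep/2025:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
203.0.113.5 - - [10/Sep/2025:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.7 - - [10/Sep/2025:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
198.51.100.7 - - [10/Sep/2025:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.44 - - [10/Sep/2025:10:01:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
192.0.2.44 - - [10/Sep/2025:10:05:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
192.0.2.44 - - [10/Sep/2025:10:09:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
"""


def parse_line(line: str):
    """Return a dict for a parsable line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Map each offending IP to a summary. An IP is flagged when at least
    `threshold` login POSTs from it fall inside any `window`-long span.
    `success_after` is True if a 302 from /wp-login.php (WordPress redirects
    on successful login) appears at or after the start of the burst."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["method"] == "POST" and ev["path"] in LOGIN_PATHS:
            events[ev["ip"]].append(ev)

    hits = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        start, peak, burst_start = 0, 0, None
        for end, ev in enumerate(evs):            # sliding window over time
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1
            count = end - start + 1
            peak = max(peak, count)
            if count >= threshold and burst_start is None:
                burst_start = start
        if peak < threshold:
            continue
        success = any(e["status"] == 302 and e["path"] == "/wp-login.php"
                      for e in evs[burst_start:])
        hits[ip] = {
            "attempts": len(evs),
            "peak_in_window": peak,
            "first": evs[0]["ts"],
            "last": evs[-1]["ts"],
            "success_after": success,
        }
    return hits


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

An IP flagged with `success_after` set is the one to act on first: the credentials have probably been captured and, per the article, are likely to be resold for later code injection into the site. Blocking the source IP alone is weak against a proxy network of this size, so the practical response is to reset the affected account, enforce rate limits on the login endpoints and disable XML-RPC where it is not needed.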

Conclusion

The SystemBC-powered REM Proxy network exemplifies the large-scale, industrialized operations that now dominate the cybercriminal proxy market. By compromising poorly patched VPS instances and using them as proxies, threat actors can push large volumes of malicious traffic while hiding its origin. The case underscores the need for hosting customers to patch promptly, monitor outbound connections from their servers, and remove infections quickly rather than leaving them to run for weeks.