SystemBC Malware Distributed in New Data Theft Campaign Using Fake IT Calls and AnyDesk 

Published on August 15, 2024
Written by:
Lore Apostol
Lore Apostol
Infosec Writer & Editor

Threat actors focusing on stealing credentials and other data ultimately deploy SystemBC malware after a carefully crafted social engineering campaign, per a new security report from Rapid7. This campaign is believed to be linked to the Black Basta ransomware group.

The initial lure was an email followed by an attempt to call impacted users, typically via Microsoft Teams, and offer a fake solution that relied on the user downloading and installing the popular remote access tool AnyDesk.

Once the threat actor gained control of the user’s device, they uploaded and executed payloads and exfiltrated stolen data during the initial stages of the attack. In the studied sample, the hackers employed the 32-bit .NET executable “AntiSpam.exe” as a credential harvester. 

Spam Filter Update Malware
Image Source: Rapid7

It required the victim’s Windows credentials under the false pretense of downloading email spam filters. After validation, the entered credentials and system enumeration information were saved to disk. 

Several binaries and PowerShell scripts were then executed to attempt connecting to the command and control (C2) servers, including Golang HTTP and Socks beacons and the SystemBC dropper and socks proxy.

Exfiltrating User Data
Image Source: Rapid7

Among them was also a Beacon Object File (BOF) converted from a Cobalt Strike module to a standalone executable, and one of the follow-on payloads attempted to exploit the CVE-2022-26923 active directory domain services elevation of privilege flaw to add a machine account for Kerberoasting

The threat actor also used reverse SSH tunnels and the Level Remote Monitoring and Management (RMM) tool for lateral movement and persistence.

Recently, 12 cybercriminals arrested in Moldova used deepfake ads on Facebook featuring politicians and popular personalities. They promoted fake investments in legitimate companies to lure victims into installing AnyDesk and then accessing their banking accounts remotely to drain users’ accounts.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: