{
	"id": "fd76adfc-264d-474c-8a47-ababc09d17cd",
	"created_at": "2026-04-06T00:22:02.338041Z",
	"updated_at": "2026-04-10T03:21:34.985019Z",
	"deleted_at": null,
	"sha1_hash": "5d91815c24bb4284bb8e371d207d3c426f29fa9a",
	"title": "SystemBC: RIG \u0026 Fallout Exploit Kits Campaign Analysis | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3003611,
	"plain_text": "SystemBC: RIG \u0026 Fallout Exploit Kits Campaign Analysis |\r\nProofpoint US\r\nBy Kade Harmon | Kafeine | Dennis Schwarz | The Proofpoint Threat Insight Team\r\nPublished: 2019-08-01 · Archived: 2026-04-05 14:38:25 UTC\r\nOverview\r\nSystemBC is a previously undocumented malware that we have recently observed as a payload in both RIG and\r\nFallout exploit kit (EK) campaigns. While EK activity has remained quite low relative to its peak in early 2016,\r\nexploit kits remain important vectors for malware distribution, particularly in regions where Windows piracy is\r\ncommon. The new malware utilizes SOCKS5 proxies to mask network traffic to and from Command and Control\r\n(C\u0026C) infrastructure using secure HTTP connections for well-known banking Trojans such as Danabot, which we\r\nhave also observed distributed in the same EK campaigns.\r\nA related sample of this malware may have been identified by other Infosec researchers on Twitter [2] in mid-October of 2018 distributing AZORult instead of Danabot. SystemBC may also have connections to Brushaloader\r\nand related malware.\r\nCampaign Analysis\r\nWhile analyzing a Fallout EK campaign on June 4, 2019, Proofpoint researchers observed the distribution of a\r\npreviously unseen proxy malware. Most recently, the malvertising-based Fallout exploit kit chain has been used to\r\ndeliver instances of Maze ransomware (Figure 1).\r\nFigure 1: Malvertising-based Fallout EK chain that previously delivered Maze ransomware\r\nOn June 6, 2019, Proofpoint researchers observed the new proxy malware in the wild again [3]. 
This time it was being delivered via a Fallout EK and PowerEnum campaign (Figure 2) alongside an instance of the Danabot banking Trojan (affiliate ID 4).\r\nhttps://www.proofpoint.com/us/threat-insight/post/systembc-christmas-july-socks5-malware-and-exploit-kits\r\nPage 1 of 12\n\nFigure 2: Fallout EK dropping PowerEnum, which has been observed instructing the download of Danabot Affid 4 and a proxy malware DLL\r\nBetween July 18 and 22, 2019, Proofpoint researchers observed the proxy malware a third time. This time it was being distributed by the Amadey Loader, which itself was being distributed in a RIG EK campaign.\r\nOther security researchers have also observed the malware being used in the wild. Notably, Vitali Kremez saw a sample of the malware on May 2, 2019 [3], and @nao_sec observed it in a third Fallout EK campaign on July 13, 2019 [4].\r\nMarketplace Analysis\r\nSince this proxy malware was being used in multiple separate campaigns, Proofpoint researchers believe it very likely that it was being sold in an underground marketplace. Moreover, we found an advertisement from April 2, 2019, on an underground forum that described a malware named “socks5 backconnect system” (Figure 3) that matched the functionality of the malware seen in the above campaigns. To differentiate it from other malware leveraging SOCKS5, we dubbed the new malware “SystemBC” based on the URI path shown in the advertisement’s panel screenshots (Figures 4 and 5).\r\nFigure 3: Original forum advertisement for SystemBC (translated from Russian)\r\nThe advertisement also contains screenshots of the C\u0026C panel (Figures 4-6). The simple C\u0026C panel boasts a list of victim computers, automated updating, and built-in authentication. 
The builder allows users to create a set number of samples with custom configurations.\r\nFigure 4: SystemBC Administrator Panel (as observed in an underground advertisement)\r\nFigure 5: Another section of the SystemBC Administrator Panel (as observed in an underground advertisement)\r\nFigure 6: SystemBC Builder (as observed in the advertisement noted above)\r\nMalware Analysis\r\nSystemBC is written in C++ and primarily sets up SOCKS5 proxies on victim computers that can then be used by threat actors to tunnel and hide the malicious traffic associated with other malware.\r\nConfiguration\r\nImportant strings such as the C\u0026C servers, DNS servers, and port number are encrypted with a 40-byte XOR key that is stored in memory. Reference [5] is a GitHub-hosted Ghidra Python script that can be used to decrypt the configuration of the analyzed sample (Figure 7):\r\nFigure 7: Decrypted malware configuration\r\nThe DNS servers are used to resolve “.bit” (Namecoin) domains. The malware calls a function to check whether the server name ends in “.bit”. If it does, a DNS query is generated by iterating through the list of DNS hostnames until the malware finds a valid server (Figures 8 and 9). 
It is worth mentioning that although both the screenshots and samples reference OpenNIC, its servers no longer resolve “.bit” domains [6].\r\nFigure 8: SystemBC performing the initial “.bit” check\r\nFigure 9: The malware checks to see if the last four characters of the server name are “.bit”\r\nCommand and Control\r\nAll packets are encrypted using RC4, but the S-Box is initialized in a novel way (Figure 10), so an off-the-shelf RC4 implementation will not decrypt the traffic unless its key-scheduling step is replaced with the routine from the sample:\r\nFigure 10: Side-by-side comparison of the SystemBC RC4 S-Box initialization (left) and the more common implementation (right)\r\nAn example of the C\u0026C communications (hex-encoded for visibility) is shown in Figure 11:\r\nFigure 11: Example C\u0026C communications (hex-encoded for visibility)\r\nThe client begins the communication by sending a 100-byte packet to the C\u0026C address. The packet contains four elements:\r\nBytes 0-49: Plaintext RC4 key\r\nBytes 50-51: Windows build ID\r\nBytes 52-53: Boolean determining if the client is running on an x64 processor\r\nBytes 53-99: Client machine’s account name, with trailing zeroes (the published ranges overlap at byte 53; the decompiled code in Figure 12 is authoritative for the exact boundary)\r\nThe layout was derived from the following decompiled code (Figure 12):\r\nFigure 12: Logic of initial packet creation\r\nIt is verified by decrypting the last 50 bytes of the packet using the first 50 bytes as the RC4 key: the result is plaintext data (Figure 13).\r\nFigure 13: Decryption of the initial packet data\r\nThe return packet from the C\u0026C server contains two main segments, a header and data, which are decrypted separately using the RC4 key from the first packet. The header, which makes up the initial 4 bytes of the packet, has a type, index, and length field. 
The data segment takes up the remaining bytes in the packet and contains details for the creation of a SOCKS5 proxy connection. A breakdown of the packet is as follows:\r\nByte 0: Type\r\n  1: The following “data” segment is SOCKS5 proxy traffic associated with the given index number.\r\n  0: Create a new proxy and assign it the given index number. The index number is assigned by the C\u0026C server and is used to associate traffic with a particular proxy.\r\n  -1 (0xFF): Update the malware by downloading an executable, saving it under a randomly generated name in the TEMP directory, then running the file.\r\nByte 1: Index, which tells the infected machine which proxy the data belongs to\r\nBytes 2-3: Length, the number of bytes in the following data chunk\r\nBytes 4-: SOCKS5 packet information\r\nFigure 14: Decryption of the first response packet\r\nReferencing source [7], we can map these values to a structured SOCKS5 client connection request packet to yield (for example):\r\nVersion: 5\r\nCommand code: 1 (CONNECT)\r\nReserved: 0\r\nAddress type: 3 (domain name)\r\nLength of domain: 19\r\nDomain name: accounts.google.com\r\nPort number: 443\r\nThe second packet sent from the client to the server contains a 3-byte RC4-encrypted header consisting of an index number and data length. 
Repeating the above steps, but instead assuming a 3-byte header, we can decrypt a typical SOCKS5 server acknowledgment:\r\nVersion: 5\r\nStatus: 0 (succeeded)\r\nReserved: 0\r\nAddress type: 1 (IPv4)\r\nIPv4 Address: 00 00 00 00\r\nPort number: 00 00\r\nThis sample goes on to initialize another proxy with a different domain name and an incrementing index value.\r\nWith the proxies initialized, the client now begins to retrieve the data requested by the C\u0026C via HTTPS. We can discern that packets with a 3-byte header carry response data sent back from the proxy, while packets with a 4-byte header are commands from the C\u0026C server.\r\nConclusion\r\nProofpoint researchers have identified a previously undocumented proxy malware, dubbed \"SystemBC\", being distributed by the Fallout and RIG exploit kits.\r\nIn the most recently tracked example, the Fallout exploit kit is used to download the Danabot banking Trojan and a SOCKS5 proxy, which is used on the victim’s Windows system to evade detection of command and control (C\u0026C) traffic. The synergy between SystemBC as a malicious proxy and mainstream malware creates new challenges for defenders relying on network edge detections to intercept and mitigate threats like banking Trojans.\r\nProofpoint recommends that organizations continue to remain vigilant in keeping their Windows client and server operating systems, as well as infrastructure devices, patched with vendor-recommended updates; retire legacy systems that use susceptible browser plugins such as Adobe Flash Player; and retire legacy Windows systems that may be susceptible to exploit kits such as Fallout. 
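The framing described in the Command and Control section above, worked through in code. This is an added example written for this page, not Proofpoint's code or the sample's own code: it builds and parses the 100-byte hello, a 4-byte-header C\u0026C command carrying a SOCKS5 CONNECT request, and a 3-byte-header client reply carrying the SOCKS5 acknowledgment, each segment under a fresh RC4 keystream. Assumptions not stated on the page are labelled in the comments: standard RC4 key scheduling stands in for SystemBC's custom S-Box initialization (so the parser will not decode real captures until that routine is swapped in), 16-bit fields are little-endian, the account name starts at byte 54, and the 3-byte client header is a 1-byte index plus a 2-byte length. All traffic is constructed inline; no real capture is used.

```python
import struct

KEY_LEN = 50

def rc4_ksa(key: bytes) -> list:
    # Standard RC4 key scheduling. ASSUMPTION: SystemBC builds its S-Box differently
    # (Figure 10); swap in the sample's routine here to decode real captures.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xff
        s[i], s[j] = s[j], s[i]
    return s

def rc4(key: bytes, data: bytes) -> bytes:
    # Standard PRGA over one segment. Each header and each data chunk gets a fresh
    # keystream, matching the page's note that they are decrypted separately.
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for c in data:
        i = (i + 1) & 0xff
        j = (j + s[i]) & 0xff
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xff])
    return bytes(out)

def build_hello(key: bytes, build_id: int, is_x64: bool, account: str) -> bytes:
    # 100-byte client hello: 50 plaintext key bytes, then 50 RC4-encrypted bytes with the
    # Windows build ID, the x64 flag and the account name padded with trailing zeroes.
    # ASSUMPTION: both 16-bit fields are little-endian and the name starts at byte 54.
    body = struct.pack('<HH', build_id, 1 if is_x64 else 0) + account.encode('ascii')
    body = body.ljust(KEY_LEN, bytes(1))[:KEY_LEN]
    return key + rc4(key, body)

def parse_hello(pkt: bytes) -> dict:
    # The check the page applies in Figure 13: decrypt the last 50 bytes with the first 50.
    if len(pkt) != 2 * KEY_LEN:
        raise ValueError('SystemBC hello is exactly 100 bytes')
    key = pkt[:KEY_LEN]
    body = rc4(key, pkt[KEY_LEN:])
    build_id, x64 = struct.unpack('<HH', body[:4])
    account = body[4:].rstrip(bytes(1)).decode('ascii', 'replace')
    return {'key': key, 'build_id': build_id, 'x64': bool(x64), 'account': account}

def parse_socks5_request(data: bytes) -> dict:
    # SOCKS5 CONNECT request (RFC 1928) with a domain-name target, as decoded in Figure 14.
    ver, cmd, _rsv, atyp = data[:4]
    if ver != 5 or atyp != 3:
        raise ValueError('only SOCKS5 domain-name requests are handled here')
    n = data[4]
    host = data[5:5 + n].decode('ascii')
    port = struct.unpack('>H', data[5 + n:7 + n])[0]   # SOCKS5 ports are big-endian
    return {'cmd': cmd, 'host': host, 'port': port}

def parse_c2_command(key: bytes, pkt: bytes) -> dict:
    # Server -> client frame: 4-byte header (type, index, length), then data. The type is a
    # signed byte, so 0xff decodes to the -1 update command. ASSUMPTION: little-endian length.
    ptype, index, length = struct.unpack('<bBH', rc4(key, pkt[:4]))
    data = rc4(key, pkt[4:4 + length])
    out = {'type': ptype, 'index': index, 'length': length, 'data': data}
    if ptype == 0:
        out['connect'] = parse_socks5_request(data)   # new proxy: data is the CONNECT
    return out

def build_c2_command(key: bytes, ptype: int, index: int, data: bytes) -> bytes:
    # Mirror of parse_c2_command, used only to construct the sample exchange below.
    return rc4(key, struct.pack('<bBH', ptype, index, len(data))) + rc4(key, data)

def build_client_reply(key: bytes, index: int, data: bytes) -> bytes:
    # Client -> server frame: 3-byte header (index, length), then data.
    # ASSUMPTION: a 1-byte index followed by a 16-bit little-endian length.
    return rc4(key, struct.pack('<BH', index, len(data))) + rc4(key, data)

def parse_client_reply(key: bytes, pkt: bytes) -> dict:
    index, length = struct.unpack('<BH', rc4(key, pkt[:3]))
    return {'index': index, 'data': rc4(key, pkt[3:3 + length])}

def sample_exchange() -> dict:
    # Constructed traffic, not a real capture: the hello, one create-proxy command for
    # accounts.google.com:443, and the all-zero SOCKS5 success reply shown on the page.
    key = bytes(range(1, KEY_LEN + 1))
    hello = build_hello(key, 7601, True, 'analyst')
    host = b'accounts.google.com'
    connect = bytes([5, 1, 0, 3, len(host)]) + host + struct.pack('>H', 443)
    cmd = build_c2_command(key, 0, 1, connect)
    ack = bytes([5, 0, 0, 1]) + bytes(4) + bytes(2)
    reply = build_client_reply(key, 1, ack)
    return {'hello': parse_hello(hello), 'command': parse_c2_command(key, cmd),
            'reply': parse_client_reply(key, reply)}

if __name__ == '__main__':
    print(sample_exchange())
```

Running the file prints the parsed exchange; the key bytes 1 to 50 are a constructed stand-in for the random key a real client sends in the clear. A network-side hello heuristic follows the same shape as parse_hello: a 100-byte first packet whose trailing 50 bytes, decrypted under the sample's RC4 variant keyed by the first 50, yield a plausible build ID, a 0/1 flag and a printable account name with zero padding.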
\r\nReferences\r\n[1] https://www.proofpoint.com/us/threat-insight/post/brushaloader-still-sweeping-victims-one-year-later\r\n[2] https://twitter.com/James_inthe_box/status/1150397404916543488\r\n[3] https://twitter.com/VK_Intel/status/1123867031709863937\r\n[4] https://twitter.com/nao_sec/status/1150038665013235717\r\n[5] https://github.com/EmergingThreats/threatresearch/blob/master/SystemBC/XORscript.py\r\n[6] https://wiki.opennic.org/votings/drop_namecoin\r\n[7] https://samsclass.info/122/proj/how-socks5-works.html\r\nIndicators of Compromise (IOCs)\r\nIOC | IOC Type | Date | Description\r\ne8627abf6b2e9ccebbc544d485b4e2bccd22580b4dc7ba8510d4e4e8bba63fc9 | SHA256 | June 4, 2019 | SystemBC malware\r\nmie[.]crypto-crypto[.]site | Hostname | June 4, 2019 | SystemBC C\u0026C\r\n893305fd80eb324b262406c60496163ed4ff73dad679f1bd543ff703de457f91 | SHA256 | June 6, 2019 | SystemBC malware\r\ngougounu[.]site | Domain | June 6, 2019 | SystemBC C\u0026C\r\n3261f0e45d867236d4794b2a3dce38663bb319a6fabec7ae07fac3237e474689 | SHA256 | July 18, 2019 | Amadey\r\ndsntu[.]top, elienne[.]net, amnsns[.]com | Domains | July 18, 2019 | Amadey C2 hosted behind Sandiflux\r\nhxxp://mmasl[.]com/s1.exe, hxxp://calacs-laurentides[.]com/s1.exe | URLs | July 18-22, 2019 | Amadey tasks (SystemBC)\r\n9024a3ec7df6ef51f69c2e452da26d3a45743fd1c49b2d59beeb83be0949fe06 | SHA256 | July 18, 2019 | SystemBC malware\r\n20a7cfcaf76890ad5e959e5662f421f41126d3ee1edace8f5531f8effecb6051 | SHA256 | July 22, 2019 | SystemBC malware\r\n146.0.75[.]34 | IP | July 18-22, 2019 | SystemBC C\u0026C\r\n6269d9ce2adb19a46bffefe50c9b3e00974c4dc8f4c2dc0156545707efb4f453 | SHA256 | July 24, 2019 | SystemBC malware\r\nSource: 
https://www.proofpoint.com/us/threat-insight/post/systembc-christmas-july-socks5-malware-and-exploit-kits",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/systembc-christmas-july-socks5-malware-and-exploit-kits"
	],
	"report_names": [
		"systembc-christmas-july-socks5-malware-and-exploit-kits"
	],
	"threat_actors": [],
	"ts_created_at": 1775434922,
	"ts_updated_at": 1775791294,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5d91815c24bb4284bb8e371d207d3c426f29fa9a.pdf",
		"text": "https://archive.orkl.eu/5d91815c24bb4284bb8e371d207d3c426f29fa9a.txt",
		"img": "https://archive.orkl.eu/5d91815c24bb4284bb8e371d207d3c426f29fa9a.jpg"
	}
}