Major malware adds Linux variant, thousands of hosting servers infected

More than 10,000 IP addresses were found infected with a previously unseen Linux variant of SystemBC, a powerful remote access trojan (RAT) that now mostly targets web servers across various hosting platforms. Some of the compromised servers host government websites, while others are used by hackers for ransomware attacks.
Silent Push, a cybersecurity company, discovered a massive network of hijacked devices turned into proxies for cybercrime. The botnet contains over 10,000 unique IP addresses and is linked to ransomware activity.
The infected IPs have also been reported to have carried out additional cyberattacks against other WordPress websites.
Hackers are using an updated, previously undocumented SystemBC malware variant designed specifically to infect Linux systems. According to the report on the new SystemBC botnet malware variant, none of the 62 antivirus providers on VirusTotal detected it.
“Infections are globally distributed at scale, with the highest concentration of infected IP addresses observed in the United States, followed by Germany, France, Singapore, and India,” Silent Push Preemptive Cyber Defense Analysts said in the report.
SystemBC malware operators received a major blow in 2024 during Europol’s Endpoint operation, when authorities seized servers and domains. However, the development of the malware shows no signs of slowing down.
ANY.RUN says it constantly detects new and modified versions.
“SystemBC is commonly used to proxy traffic through compromised systems or to maintain persistent access to internal networks. In some cases, including observed Windows variants, SystemBC has also been used to deploy additional malware, meaning its presence may indicate broader compromise,” the Silent Push researchers explain.
The botnet focuses on web servers
The researchers warn that cybercriminals with the updated malware “overwhelmingly” target hosting providers rather than residential networks. This allows them to maintain a relatively stable pool of IP addresses.
Most of the affected IPs are associated with major hosting providers. The top list includes Network Solutions Hosting, Unified Layer, Namecheap, GoDaddy, IONOS, Amazon, OVH, Hetzner, and DigitalOcean.
The researchers said that 10,340 distinct victim IP addresses were detected within a single cluster, which averages roughly 3,000 active IPs per day.
“On average, systems remained infected for 38 days, with some lasting more than 100 days.”
The researchers discovered multiple government domains on the compromised servers. One of them was hosting the Vietnamese provincial government website phutho.duchop[.]gov[.]vn, while another domain (concours[.]gov[.]bf) on a different IP address was associated with the Government of Burkina Faso.
In total, 4,300 compromised IPs were found in the US, followed by 829 in Germany, 448 in France, 419 in Singapore, and 294 in India.
The malware proxies traffic
The SystemBC botnet relies on a network of rotating command-and-control (C2) servers, which act as proxies. Infected hosts connect to C2 servers, and hackers use them to relay traffic.
Most of the C2 infrastructure was hosted on abuse-tolerant, so-called bulletproof hosting providers.
Silent Push believes the developers of SystemBC are Russian, based on Russian-language code strings and forum posts. SystemBC is a long-running malware family first detected by Proofpoint in 2019.
“We believe SystemBC remains an active threat to major enterprises and expect the Tactics, Techniques, and Procedures (TTPs) of the multiple threat actors leveraging this malware to continue evolving indefinitely,” the report reads.