The PolySwarm Blog


SystemBC Now Targeting Linux

Feb 18, 2025 2:05:57 PM / by The Hivemind

Related Families: RIG, Fallout EK

Executive Summary

SystemBC, a RAT that previously only targeted Windows systems, was recently observed targeting Linux.

Key Takeaways

  • SystemBC, a RAT that previously only targeted Windows systems, was recently observed targeting Linux.
  • SystemBC is typically delivered via phishing emails or via exploit kits, such as RIG and Fallout EK.
  • Recent updates to SystemBC have made it more stealthy and harder to detect.
  • PolySwarm analysts consider SystemBC to be an evolving threat. 

What is SystemBC?

SystemBC, a RAT that previously only targeted Windows systems, was recently observed targeting Linux.  HackRead reported on this activity. 

SystemBC is a remote access trojan (RAT) written in C. It has been active since at least 2018. SystemBC, which turns infected machines into SOCKS5 proxies, is typically delivered via phishing emails or via exploit kits, such as RIG and Fallout EK. It is rarely the only malware deployed on a victim machine and is often used in conjunction with other malware such as ransomware, banking trojans, crypto miners, and infostealers.

The malware’s features include the following:

  • SOCKS5 Proxy Functionality: Allows threat actors to route traffic through infected hosts to evade network detection.
  • Remote Access Capabilities: Enables threat actors to control compromised machines remotely.
  • Persistence Mechanisms: Uses various techniques to maintain a foothold on infected systems.
  • Modular Design: Can be updated with additional payloads to suit the attacker’s needs.
  • C2 Communications: Uses encrypted communication channels to communicate with command-and-control servers.

Recent updates to SystemBC have made it more stealthy and harder to detect. SystemBC can evade signature-based detection and can detect the presence of virtualized environments. If a virtual environment is detected, the malware can alter its behavior or terminate execution, making analysis more difficult.

SystemBC has been used in conjunction with high-profile ransomware operations in the past, helping threat actors maintain access to victim networks before executing ransomware payloads. It has also been observed in the hands of initial access brokers who sell entry points to other cybercriminals. The ability to target Linux systems makes SystemBC a threat to enterprise networks large and small. PolySwarm analysts consider SystemBC to be an evolving threat. 

IOCs

PolySwarm has multiple samples of SystemBC.

 

c340e3d3ae7f769b4e88204dd08aa0f7b0145dffafe164d8e09c39b5a6d0d7cb

2a7e13e904f8de0f4eebe3d364f7f1fdd09aa72b2c95db20393cfbb0eb77341d

e39086a052eb2a30199c4badd5954720a4da2beb14d750bb9a15749f52e1cd69

de1091252ebf2ed617e300c40a2c56ccac8a3e1b5c7f0e87a1cc3636766abe51

 

You can use the following CLI command to search for all SystemBC samples in our portal:

$ polyswarm link list -f SystemBC

 


Topics: Threat Bulletin, Linux, RAT, SystemBC, Evolving Threat
