New Windows Malware Installs Proxies to Hide Malicious Network Traffic: Proofpoint

New malware targeting Windows machines has been discovered. Dubbed as SystemBC, the malware installs SOCKS5 proxies on the infected machines and uses it to push a second piece of malware. According to researchers, the new malware is being advertised by the authors on underground cybercrime forums. It is also being distributed as a part of Fallout and RIG exploit kits. Exploit kits (EK) are Web-based systems that use browser-based vulnerabilities to install malware or send users to malicious webpages that trick them into installing malware.

“SystemBC is a previously undocumented malware that we have recently observed as a payload in both RIG and Fallout exploit kit (EK) campaigns,” researchers at Proofpoint wrote in a blog post. While EK activity has remained quite low relative to its peak in early 2016, they remain important vectors for malware distribution, particularly in regions where Windows piracy is common.

According to a report by ZDNet, SystemBC is essentially an on-demand proxy component for malware operators, which they can deploy on compromised systems to hide malicious traffic.

“SystemBC's main role is to create a SOCKS5 proxy server through which the other malware can create a tunnel to bypass local firewalls, skirt internet content filters, or connect to its command-and-control server without revealing its real IP address,” writes ZDNet.

The malware was first spotted online in May; however, its creators have been advertising it since April.

Proofpoint researchers believe that the presence of the malicious proxy created by SystemBC malware will make it harder to detect using network edge detection. It recommends organisations to patch their systems with latest updates and avoid using older systems that use browser plugins susceptible to malware attacks and exploit kits.