- The SystemBC botnet hijacks VPS servers, which make up 80% of its active proxy nodes
- Infected VPS machines relay phishing traffic, brute-force attacks and ransomware operations
- Bots generate high volumes of traffic daily and often remain active for weeks despite being blacklisted
Cybercriminals are increasingly hijacking virtual private servers (VPS) to build high-volume malware networks, experts have warned.
Cybersecurity researchers at Lumen Technologies' Black Lotus Labs recently detailed the workings of the SystemBC botnet, which has been active since early 2019, has quietly accumulated more than 80 command and control servers, and maintains an average of 1,500 active bots per day.
What makes this botnet stand out is that almost 80% of the compromised systems are virtual private servers (VPS).
Cybercrime infrastructure
Typically a botnet is built on residential devices (computers, routers, smart home devices, DVRs, cameras and the like), but SystemBC takes a different approach: it exploits servers that carry dozens, sometimes hundreds, of unpatched vulnerabilities.
“While we could not determine the initial access vector used by the SystemBC operators, our research revealed that, on average, each victim shows 20 unpatched CVEs and at least one critical CVE, with one address having more than 160 unpatched vulnerabilities,” the researchers explained.
These infected VPS machines are repurposed as proxy relays, allowing threat actors to route enormous volumes of malicious traffic for phishing, brute-force attacks and ransomware operations, among other things.
To make matters worse, many of these compromised servers remain active for weeks, and 40% stay infected for more than a month.
There are numerous advantages to using VPS infrastructure instead of residential endpoints, Lumen explains. VPS hosts offer greater bandwidth, a longer infection lifespan and minimal disruption to end users. This lets criminal proxy services such as REM Proxy or VN5Socks market these bots to other threat groups, including ransomware operators such as AvosLocker or Morpheus.
Another thing that makes SystemBC stand out is its operators' total disregard for stealth. The bots routinely generate gigabytes of traffic per day and are quickly flagged and blacklisted. Nevertheless, they continue to operate as part of the wider proxy networks.
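A defender-side illustration of the signal described above (high daily egress that carries on after the host is blocklisted), added here as an example and not taken from Lumen's report: it aggregates constructed per-day outbound byte counts per host and reports which hosts exceed a gigabyte a day on several days, how long that activity has persisted, and how many of those days the host was already on a blocklist. Host names, byte counts and the 1 GB / 3-day thresholds are assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample: one line per (day, host), outbound bytes that day and
# whether the host already appeared on a public blocklist. The values are
# invented for illustration and are not indicators from the report.
SAMPLE_LOG = """\
2025-06-01 vps-a 3400000000 no
2025-06-02 vps-a 2900000000 yes
2025-06-03 vps-a 3100000000 yes
2025-06-04 vps-a 2800000000 yes
2025-06-01 vps-b 120000000 no
2025-06-02 vps-b 90000000 no
2025-06-03 vps-c 5000000000 no
"""

GB = 10**9


def parse_log(text):
    """Parse the whitespace-separated daily summary into typed tuples."""
    rows = []
    for line in text.strip().splitlines():
        day, host, byte_count, listed = line.split()
        rows.append((date.fromisoformat(day), host, int(byte_count), listed == "yes"))
    return rows


def find_persistent_proxies(rows, gb_per_day=1.0, min_days=3):
    """Return hosts that sent more than gb_per_day outbound on at least
    min_days distinct days, with dwell time and days spent already listed."""
    per_host = defaultdict(list)
    for day, host, sent, listed in rows:
        if sent >= gb_per_day * GB:
            per_host[host].append((day, listed))
    findings = {}
    for host, hits in per_host.items():
        if len(hits) < min_days:
            continue  # a single burst is not the sustained proxy pattern
        days = sorted(d for d, _ in hits)
        findings[host] = {
            "dwell_days": (days[-1] - days[0]).days + 1,
            "days_over_threshold": len(hits),
            "days_active_while_listed": sum(1 for _, listed in hits if listed),
        }
    return findings


if __name__ == "__main__":
    print(find_persistent_proxies(parse_log(SAMPLE_LOG)))
```

A host that keeps pushing gigabytes for days after appearing on a blocklist is the pattern the report describes; a one-day spike (vps-c) or a low-volume host (vps-b) is not reported.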
Lumen has responded by blocking all traffic to and from SystemBC-related infrastructure on its global backbone and has published indicators of compromise to help defenders, which can be found in this link.
Via BleepingComputer