- SystemBC botnet hijacks VPS servers, making up 80% of its active proxy nodes
- Infected VPS machines relay traffic for phishing, brute-force, and ransomware operations
- Bots generate high-volume traffic daily, often staying active for weeks despite blacklisting
Cybercriminals are increasingly hijacking Virtual Private Servers (VPS) to build high-volume malware proxy networks, experts have warned.
Cybersecurity researchers at Lumen Technologies Black Lotus Labs recently detailed the works of the SyxtemBC botnet, active since early 2019, which has quietly amassed more than 80 command-and-control servers, and maintains an average of 1,500 active bots daily.
What makes this botnet stand out is the fact that nearly 80% of the compromised systems are Virtual Private Servers (VPS).
Cybercrime infrastructure
Usually, a botnet would rely on residential devices (computers, routers, smart home devices, DVRs, cameras, and similar), but SystemBC takes a different approach and exploits servers with dozens, sometimes hundreds, of unpatched vulnerabilities.
“While we could not determine the initial access vector used by SystemBC operators, our research revealed that, on average, each victim shows 20 unpatched CVEs and at least one critical CVE – with one address shown as having over 160 unpatched vulnerabilities,” the researchers explained.
These infected VPS machines are repurposed as proxy relays, enabling threat actors to route enormous volumes of malicious traffic for phishing, brute-force attacks, and ransomware operations, among other things.
To make matters worse, many of these compromised servers remain active for weeks, and 40% stay infected for more than a month.
There are numerous advantages to targeting VPS infrastructure instead of residential endpoints, Lumen further explains. VPS’ offers higher bandwidth, long infection lifespans, and minimal disruption to end users. This allows criminal proxy services, such as REM Proxy, or VN5Socks, to market these bots to other threat groups, including ransomware operators such as AvosLocker, or Morpheus.
Another thing that makes SystemBC stand out is its operators’ complete disregard of stealth. The bots routinely generate gigabytes of traffic per day and are quickly flagged and blacklisted. However, they continue to function as part of sprawling proxy networks.
Lumen has responded by blocking all traffic to and from SystemBC-related infrastructure across its global backbone and has released indicators of compromise to aid defenders, which can be found on this link.
Via BleepingComputer
Add Comment