Black Basta-Linked Attackers Target Users with SystemBC Malware
An ongoing social engineering campaign with alleged ties to the Black Basta ransomware group has been linked to "multiple intrusion attempts" aimed at stealing credentials and deploying a malware dropper known as SystemBC.
"The initial bait employed by the malevolent actors remains consistent: an email barrage followed by an effort to reach impacted users and present a counterfeit solution," Rapid7 said, adding that "external communication attempts were usually made to the impacted users via Microsoft Teams."
The attack chain then persuades the user to download and install AnyDesk, a legitimate remote access tool, which serves as the conduit for deploying follow-on payloads and exfiltrating sensitive data.
This includes an executable named "AntiSpam.exe" that purports to download email spam filters and prompts the user to enter their Windows credentials to complete the "update"; the credentials are the real objective.
That step is followed by the execution of several binaries, DLL files, and PowerShell scripts, including a Golang-based HTTP beacon that communicates with a remote server, a SOCKS proxy, and SystemBC.
To mitigate the threat, it is recommended to block all unapproved remote desktop solutions and to watch for suspicious phone calls and messages claiming to be from internal IT staff. Because AnyDesk is legitimate software, blocking it is a job for application control (an allowlist of the remote tools the organisation actually sanctions) rather than antivirus signatures, and any unsolicited "IT support" contact should be verified through a known internal channel before anything is installed.
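As an added example (not Rapid7's code and not part of the original article), the following Python pass shows how the mitigation above translates into detection logic: it walks constructed Sysmon-style process-creation records and flags an AnyDesk launch that is not on the organisation's allowlist, the AntiSpam.exe lure, and PowerShell or DLL hosts that run beneath that AnyDesk process tree. The field names, sample paths and the rundll32/regsvr32 host list are assumptions made for illustration.

```python
"""Detection pass over Sysmon-style process-creation telemetry for the chain
described above: an unapproved remote access tool (AnyDesk), the AntiSpam.exe
lure, and script/DLL hosts launched beneath that tool.

Added example for this article, not Rapid7's code. Field names follow Sysmon
Event ID 1 (Image, ParentProcessId, ...); the records in SAMPLE_EVENTS are
constructed for illustration and are not real telemetry.
"""
import json
import ntpath

# Remote access tool named on this page. Extend from your own inventory; the
# allowlist passed to detect() is the set your organisation actually sanctions.
KNOWN_REMOTE_TOOLS = {"anydesk.exe"}
# Lure binary name from the Rapid7 write-up. Name matching is brittle (files
# get renamed), so treat this rule as a cheap tripwire, not the main control.
LURE_BINARIES = {"antispam.exe"}
# Hosts for the "binaries, DLL files and PowerShell scripts" stage; rundll32
# and regsvr32 are assumed here as the usual DLL launchers.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe"}

# Constructed JSON-lines telemetry (Sysmon Event ID 1 shape), one record per line.
SAMPLE_EVENTS = r"""
{"ProcessId":1000,"ParentProcessId":800,"Image":"C:\\Windows\\explorer.exe","CommandLine":"explorer.exe","User":"CORP\\alice"}
{"ProcessId":2000,"ParentProcessId":1000,"Image":"C:\\Users\\alice\\Downloads\\AnyDesk.exe","CommandLine":"\"C:\\Users\\alice\\Downloads\\AnyDesk.exe\"","User":"CORP\\alice"}
{"ProcessId":2100,"ParentProcessId":2000,"Image":"C:\\Users\\alice\\Downloads\\AntiSpam.exe","CommandLine":"\"C:\\Users\\alice\\Downloads\\AntiSpam.exe\"","User":"CORP\\alice"}
{"ProcessId":2200,"ParentProcessId":2100,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -NoProfile -WindowStyle Hidden -File C:\\Users\\alice\\AppData\\Local\\Temp\\update.ps1","User":"CORP\\alice"}
{"ProcessId":2300,"ParentProcessId":2200,"Image":"C:\\Windows\\System32\\rundll32.exe","CommandLine":"rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\svc.dll,Start","User":"CORP\\alice"}
{"ProcessId":3000,"ParentProcessId":1000,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe Get-Service","User":"CORP\\alice"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def image_name(path):
    """Lower-cased file name of a Windows image path, e.g. 'anydesk.exe'."""
    return ntpath.basename(path).lower()


def ancestors(rec, by_pid, max_depth=32):
    """Yield image names up the process tree of rec, nearest parent first.
    Stops on a missing parent, a cycle (PID reuse) or max_depth.
    Real Sysmon data should be keyed by ProcessGuid rather than PID."""
    seen = set()
    pid = rec["ParentProcessId"]
    for _ in range(max_depth):
        if pid in seen:
            return
        seen.add(pid)
        parent = by_pid.get(pid)
        if parent is None:
            return
        yield image_name(parent["Image"])
        pid = parent["ParentProcessId"]


def alert(rule, rec):
    return {"rule": rule, "pid": rec["ProcessId"], "image": rec["Image"],
            "user": rec["User"], "cmd": rec["CommandLine"]}


def detect(events, allowed_remote_tools=frozenset()):
    """Return alerts for: an unapproved remote access tool, the lure binary,
    and script/DLL hosts whose ancestry contains an unapproved remote tool."""
    allowed = {t.lower() for t in allowed_remote_tools}
    unapproved = KNOWN_REMOTE_TOOLS - allowed
    by_pid = {e["ProcessId"]: e for e in events}
    alerts = []
    for e in events:
        name = image_name(e["Image"])
        if name in unapproved:
            alerts.append(alert("unapproved-remote-tool", e))
        if name in LURE_BINARIES:
            alerts.append(alert("lure-binary", e))
        if name in SCRIPT_HOSTS and any(a in unapproved for a in ancestors(e, by_pid)):
            alerts.append(alert("script-host-under-remote-tool", e))
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_EVENTS)):
        print(f"[{a['rule']}] pid={a['pid']} {a['image']} :: {a['cmd']}")
```

The benign PowerShell session launched from Explorer (pid 3000) produces no alert, which is the point of anchoring the script-host rule on the remote tool's process tree rather than on PowerShell alone. If AnyDesk is on the allowlist, only the lure-binary tripwire still fires, so the allowlist must be kept tight.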
The disclosure comes as SocGholish (also known as FakeUpdates), GootLoader, and Raspberry Robin have emerged as the most commonly observed loader strains in 2024, subsequently serving as a stepping stone for ransomware, according to data from ReliaQuest.
"GootLoader has made it to the top-three chart this year, taking over from QakBot as its activities diminish," the cybersecurity firm stated.
“Malware loaders are frequently promoted on dark web cybercriminal forums like XSS and Exploit, where they are pitched to cybercriminals looking to facilitate network breaches and payload distribution. These loaders are often marketed through subscription models, with monthly fees granting access to regular updates, support, and new functionalities aimed at evading detection.”
An advantage of the subscription model for the buyer is that it lets threat actors with limited technical skills mount sophisticated attacks.
Phishing attacks have also been observed delivering an information stealer called 0bj3ctivity Stealer via another loader named Ande Loader as part of a multi-layered delivery mechanism.
“The propagation of the malware through obscured and encrypted scripts, memory injection techniques, and the continuous enhancement of Ande Loader with features like anti-debugging and string obfuscation emphasize the necessity for advanced detection methods and ongoing research,” eSentire highlighted.

These campaigns are the latest in a string of phishing and social engineering attacks uncovered in recent weeks, even as threat actors increasingly weaponize bogus QR codes for malicious ends:
- A ClearFake campaign that uses compromised web pages to distribute .NET malware under the guise of a Google Chrome update
- A campaign using fake websites impersonating HSBC, Santander, Virgin Money, and Wise to serve a copy of the AnyDesk Remote Monitoring and Management (RMM) software to Windows and macOS users, which is subsequently used for data theft
- A fake website ("win-rar[.]co") purporting to distribute WinRAR that serves as a conduit for deploying ransomware, a cryptocurrency miner, and an information stealer called Kematian Stealer hosted on GitHub
- A malvertising campaign on social media that hijacks Facebook pages to promote a seemingly legitimate artificial intelligence (AI) photo editor site through paid advertisements, luring victims into downloading ITarian's RMM tool, which is then used to deploy Lumma Stealer
“The targeting of social media users for malevolent activities underscores the imperative need for robust security measures to safeguard account credentials and prevent unauthorized access,” Trend Micro researchers stated.