The C2 protocol in BitSight’s Unveiling Socks5Systemz seems to be identical to what’s described in this old BackDoor.TeamViewer.49 blog post by DrWEB from 2016!
They both even use the same RC4 encryption key heyfg645fdhwi, which can be used to decrypt requests and responses from the C2.
André Tavares
𝙽𝙴𝚃𝚁𝙴𝚂𝙴𝙲
94ee3660c585bc, which decodes into c=idle.
The RC4 cipher is actually reset with every C2 message 🤪🤣 This makes it possible to detect #Socks5Systemz bot checkins with a static signature that looks for GET requests that have a QueryString starting with c=94bf3661c794e3eb1ba4.
It’s also possible to identify the C2 commands from the server without having to decrypt them. Here’s a translation table:
94ee3b6dda83d3ec11fc3742 ➡️ c=disconnect94ee3660c585 ➡️ c=idle94ee2a74cd89ccf1 ➡️ c=updips94ee3c6bc78ed9e10b ➡️ c=connect
One thing that has changed over time, though, is which hard coded DNS servers the malware uses to resolve the C2 servers’ IPs. A blog post by the Russian security company FACCT from 2020 lists the following five hard coded DNS servers in the malware:
Surprisingly, four out of these five DNS servers are still being used by this malware. The only change is that 163.172.91.242 has been replaced with 51.159.66.125.
Here’s an example where the bot attempts to resolve the C2 hostname using all the hard coded name servers, but fails. It then falls back to querying bddns[.]cc over HTTP to resolve the IP address of the C2 server, which works out. The second screenshot shows the bot's c=94bf3661c794e3eb1ba4 checkin command.
The PCAP is from an execution of a malicious EXE (MD5 55a14f9e05962654f774b8129ec4c2ca) on any.run.
Most AV vendors label this malware as #zusy, #ekstak or #staser
Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.
