- SystemBC botnet hijacks VPS servers, which make up 80% of its active proxy nodes
- Infected VPS machines are relaying traffic for phishing, brute-force and ransomware operations
- Bots generate high-volume traffic daily and often remain active for weeks despite being blacklisted
Cybercriminals are increasingly hijacking virtual private servers (VPS) to build high-volume malware proxy networks, experts have warned.
Security researchers at Lumen Technologies' Black Lotus Labs recently detailed the workings of the SystemBC botnet, active since early 2019, which has quietly amassed more than 80 command and control servers and maintains an average of 1,500 active bots daily.
What makes this botnet stand out is the fact that almost 80% of the compromised systems are virtual private servers (VPS).
Cybercrime infrastructure
Normally, a botnet relies on residential devices (computers, routers, smart home devices, DVRs, cameras and the like), but SystemBC takes a different approach and uses servers carrying dozens, sometimes hundreds, of unpatched vulnerabilities.
“Although we could not determine the initial access vector used by SystemBC operators, our research revealed that every victim shows an average of 20 open CVEs and at least one critical CVE, with one address shown as having over 160 unpatched vulnerabilities,” the researchers explained.
These infected VPS machines are repurposed as proxy relays, allowing threat actors to route huge amounts of malicious traffic for phishing, brute-force attacks and ransomware operations, among other things.
To make things worse, many of these compromised servers remain active for weeks and 40% remain infected for more than a month.
There are several benefits to targeting VPS infrastructure instead of residential endpoints, Lumen explains further. VPS hosts offer higher bandwidth, longer infection lifetimes and minimal disruption to end users. This allows criminal proxy services, such as REM-Proxy or VN5Socks, to market these bots to other threat groups, including ransomware operators such as AvosLocker or Morpheus.
Another thing that makes SystemBC stand out is its operators' complete disregard for stealth. Bots routinely generate gigabytes of traffic per day and are quickly flagged and blacklisted. Even so, they continue to function as part of distributed proxy networks.
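The traffic pattern described above (a single VPS pushing gigabytes a day, fanned out to many destinations and services, rather than the narrow, steady profile of a legitimate web or mail host) is something a hosting provider or VPS owner can look for in flow or firewall logs. The script below is an added example written for this article, not code from Lumen or Black Lotus Labs; the flow-record format, the thresholds and the sample flows are all constructed assumptions, and real deployments would tune the thresholds against their own baseline.

```python
"""
Flag VPS hosts whose daily egress looks like an abused proxy relay:
very high byte volume spread across many destinations and many ports.

Record format (assumed for this example): "<date> <src> <dst> <dport> <bytes>"
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class HostDay:
    """Per-(date, source host) aggregate built from flow records."""
    total_bytes: int = 0
    dests: set = field(default_factory=set)
    dports: set = field(default_factory=set)


def parse_flow(line: str):
    """Parse one whitespace-separated flow record into typed fields."""
    date, src, dst, dport, nbytes = line.split()
    return date, src, dst, int(dport), int(nbytes)


def summarize(lines):
    """Aggregate bytes, distinct destinations and distinct ports per host per day."""
    stats = defaultdict(HostDay)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        date, src, dst, dport, nbytes = parse_flow(line)
        hd = stats[(date, src)]
        hd.total_bytes += nbytes
        hd.dests.add(dst)
        hd.dports.add(dport)
    return stats


def flag_relays(lines, min_bytes=1_000_000_000, min_dests=50, min_dports=5):
    """Return hosts whose daily profile exceeds ALL three thresholds.

    Thresholds are illustrative assumptions: >= 1 GB/day egress, >= 50 distinct
    destinations and >= 5 distinct destination ports. Requiring all three keeps
    a busy but single-purpose service (one port, few peers) from being flagged.
    """
    flagged = []
    for (date, src), hd in sorted(summarize(lines).items()):
        if (hd.total_bytes >= min_bytes
                and len(hd.dests) >= min_dests
                and len(hd.dports) >= min_dports):
            flagged.append({
                "date": date,
                "src": src,
                "total_bytes": hd.total_bytes,
                "dest_count": len(hd.dests),
                "port_count": len(hd.dports),
            })
    return flagged


def build_sample_flows():
    """Constructed sample flows (documentation-range IPs, not real hosts)."""
    flows = ["# date src dst dport bytes"]
    # 192.0.2.10: ordinary web server, 300 MB to five clients, port 443 only.
    for i in range(5):
        flows.append(f"2024-05-01 192.0.2.10 198.51.100.{i + 1} 443 60000000")
    # 192.0.2.20: relay-like profile, 2 GB spread over 80 peers on 8 ports.
    ports = [25, 80, 443, 465, 587, 993, 3389, 8080]
    for i in range(80):
        flows.append(f"2024-05-01 192.0.2.20 203.0.113.{i + 1} {ports[i % 8]} 25000000")
    return flows


if __name__ == "__main__":
    for hit in flag_relays(build_sample_flows()):
        print(f"{hit['date']} {hit['src']}: {hit['total_bytes'] / 1e9:.1f} GB to "
              f"{hit['dest_count']} destinations on {hit['port_count']} ports")
```

Run against the constructed data, only 192.0.2.20 is reported; the web server's 300 MB on a single port stays below every threshold. The point of combining volume with destination and port fan-out is that a proxy relay serves many unrelated clients and protocols at once, which is exactly what a legitimately busy single-purpose VPS does not do.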
Lumen has responded by blocking all traffic to and from SystemBC-related infrastructure across its global backbone and has released indicators of compromise to help defenders, which can be found at this link.
Via BleepingComputer