NEWS 10,000 infected servers and government websites are under attack. The SystemBC virus is silently taking over the internet.

pinkman

A Perl-based malware has been found that no one sees, but it's already everywhere.
Silent Push specialists have detected a wave of infections by the SystemBC malware, which silently turns servers and computers into relay stations for criminal traffic. According to new data, over 10,000 infected IP addresses have been identified worldwide, some of which even belong to government websites. Experts warn that such infections are often the first step before more serious attacks, including ransomware encryption.

SystemBC has been known since 2019 and belongs to a family of proxy-type malware. It turns the infected system into a network intermediary through which attackers route their traffic. Simultaneously, the program opens hidden remote access to the internal network. This allows compromised nodes to be used as staging areas for further infiltration. In some cases, SystemBC has been used to download other malicious modules, including ransomware.

Analysts developed their own method for tracking infections. Using it, they recorded over 10,000 unique infected addresses. The largest number of affected systems are located in the United States, followed by Germany, France, Singapore, and India. However, the infections are distributed widely across the globe and are not confined to any one region.

Discoveries in sensitive infrastructure raised particular concern. Experts found infected hosts serving official government websites of Vietnam and Burkina Faso. This doesn't necessarily mean the portals themselves have been hacked, but rather that the server platform where they are hosted has been compromised. This still poses additional risks for visitors and website owners.

The malicious network's control infrastructure is hosted by providers that are lax in responding to abuse complaints. This approach helps network operators maintain control over the nodes for longer. On average, an infected system remained active for approximately 38 days, and some nodes were used for over 100 days straight. Hosting provider servers, rather than home devices, were most often targeted, so infections persist longer due to the infrequent changes in addresses.

The study also uncovered a previously undescribed variant of SystemBC, written in Perl and targeting Linux systems. None of the popular antivirus engines detected it at the time of testing. The malware's author continues to be active on forums even after the 2024 international police operation targeting similar networks. This suggests that the family's evolution has not stopped.

Additional data shows that many infected nodes were used to attack websites running the popular content management system WordPress. SystemBC-based proxies helped conceal the attackers' actual infrastructure and bypass blocking.

Security experts recommend paying special attention to early detection of SystemBC malware on the network. Its appearance often heralds more destructive attack scenarios. Regular server scans, software updates, and network activity monitoring significantly reduce the risk of long-term, undetected compromise.
 