systembc

6 min read

Free

SystemBC Infrastructure Investigation: Automated Insights in Response to Black Lotus Labs' Report

We independently validated and extended Lumen's SystemBC findings with Chawkr's clustering pipeline. The result: role-based infrastructure profiles, stability metrics, and anomaly scores.

systembcbotnetinfrastructureclusteringthreat-intelligence
CR

By Chawkr Reports

19/09/2025

SystemBC Infrastructure Investigation: Automated Insights in Response to Black Lotus Labs' Report

Executive Summary

Following Black Lotus Labs' SystemBC - Bringing the Noise report, we re-analyzed the same IoCs published on GitHub with Chawkr's automated clustering pipeline to validate and extend the findings. Our approach transforms flat IoC lists into role-based infrastructure clusters, enriched with stability metrics, vulnerability profiles, and anomaly scores.

The analysis confirms Black Lotus Labs' observation of a large, noisy proxy botnet, while adding clarity on infrastructure tiers, provider fingerprints, anomaly signals, and MITRE ATT&CK mapping.

Bottom line: SystemBC's infrastructure reflects systematic, professionally deployed operations, blending legacy Apache-based C2 nodes, noisy Nginx proxy fleets, hardened SSH-only access points, and stealth minimal-service assets.

Key Findings

  • Scale & Composition

    • 118 assets across 13 clusters (validation report baseline).
    • 63 Tier Alpha nodes (Apache 2.4.62 + SSH) = 53% of infra, serving as primary C2/proxy tier.
    • IoCs also tie to REM Proxy infrastructure (cross-service blending).
  • Cluster Roles (validated across multiple views)

    • Apache + SSH dual-service hubs (Clusters 1, 6, 9): C2 + payload hosting.
    • Nginx loader/proxy fleets (Clusters 3, 7): disposable proxies; KEV vulnerable.
    • SSH-only hardened nodes (Cluster 5): operator jump hosts.
    • Minimal/hardened infrastructure (Cluster 8): stealth/fallback.
    • Secondary web-only Apache (2.4.65) (Clusters 4, 11): updated, lower CVE exposure.
  • Vulnerability Posture

    • Apache 2.4.62 fleets: up to ~1,200 CVEs across the full host stack (Apache + OpenSSH + Debian packages, per Shodan CPE enumeration); Apache-core exemplars include CVE-2024-47252, CVE-2025-23048 (mTLS bypass, CVSS 9.1), CVE-2025-49812 (HTTP desync via TLS upgrade).
    • Nginx clusters: exposed to CVE-2023-44487 (HTTP/2 Rapid Reset, KEV).
    • SSH-only nodes: hardened posture, 0 CVEs detected.
    • Minimal clusters: no service exposure.
  • Provider Fingerprints

    • Limited Network LTD dominates Cluster 9 (63.33% assets).
    • Secondary: MNTTR and Internet Security - US OH.
    • Hosting provider concentration contributes attribution.
  • Anomaly & Stability

    • Most clusters coherent ("Good/Very Good"), instability in Cluster -1, 9, 11.
    • Six critical anomaly assets (e.g., 85.206.167.148, 185.25.48.96) show entropy >1.5, which indicates evasion tradecraft.
    • High-priority anomalies overlap with REM Proxy IoCs.

Background

SystemBC is a commoditized proxy/loader malware family documented since 2019, initially seen with RIG and Fallout exploit kits and used to provide SOCKS5 proxying and to download/execute additional payloads. The kit includes Windows & Linux implants, a C2 server, and a PHP admin panel, and is sold/used across criminal ecosystems. Refs: Proofpoint; Malpedia; Kroll.

In September 2025, Black Lotus Labs released "SystemBC - Bringing the Noise". It describes a large SystemBC botnet oriented around high-volume proxy services: 80+ C2s and roughly 1,500 active victim proxies on a typical day. ~80% of these proxies are compromised VPS/cloud servers. That gives the botnet massive bandwidth at the cost of stealth. SystemBC infrastructure was observed feeding multiple commercial proxy services (e.g., REM Proxy) and a web-scraping service. Black Lotus Labs published a GitHub IoC list (dated September 19, 2025) that we used as ground truth for our automated validation. Refs: Black Lotus Labs blog; Black Lotus Labs IoC repo.

Infrastructure Tiers

TierCluster(s)Core TechExposure / VulnsRole
Alpha1, 6, 9Apache 2.4.62 + SSH231–630 high-risk vulnsPrimary C2 / proxies
Beta4, 11Apache 2.4.650 CVEs detectedSecondary web-facing services
Gamma5OpenSSH 9.2p1 onlyHardened postureSSH access / jump hosts
Delta0, 2, 3, 7Nginx web serversCVE-2023-44487 (KEV)Loader / proxy fleets
Epsilon8Minimal servicesNo vulnsStealth / fallback core

Cluster Highlights

Cluster 9: Primary Operational C2/Proxy

  • 30 assets; 63% hosted by Limited Network LTD.
  • Apache 2.4.62 + OpenSSH 9.2p1, ports 80/22/4150/4369.
  • ~1,200 CVEs incl. KEVs.
  • Core control plane → highest disruption priority.

Cluster 5: SSH Access Infrastructure

  • 13 assets, SSH-only with hardened configs.
  • AES128-CTR cipher; consistent hassh fingerprint.
  • Likely operator jump hosts.
  • No CVEs, but anomaly IPs (e.g., 104.250.164.245).

Cluster 8: Specialized / Hardened Core

  • 7 assets, no exposed services.
  • 0 vulnerabilities; common archetype (5.9M matches).
  • Defense-evasion via blending with benign infra.

Cluster Profiles

Cluster Infrastructure Profile: Cluster 4 (Apache Web Services)

CharacteristicTop 5 Findings
Top DifferentiatorsApache 2.4.65 standardization; updated stack
Observed Ports80/tcp (HTTP)
Common ProductsApache 2.4.65, Debian Linux
VulnerabilitiesZero CVEs detected in metadata
Organizations/HostsMulti-provider, no dominant concentration
Analyst Label(s)Web-focused secondary services
Cluster Size~11 assets
Queries (Detection)http.component:"Apache" AND product.version:"2.4.65"
Anomaly SignalsNone – stable

Why it matters: This is updated Apache infrastructure, likely supporting secondary web services with less immediate exposure than primary C2 nodes.

Cluster Infrastructure Profile: Cluster 5 (SSH Access Infrastructure)

CharacteristicTop 5 Findings
Top DifferentiatorsSSH-only exposure; minimal/no web services
Observed Ports22/tcp (SSH)
Common ProductsOpenSSH 9.2p1, Debian Linux
VulnerabilitiesNo CVEs detected (hardened posture)
Encryption & CertsAES128-CTR cipher; curve25519-sha256 KEX; common hassh fingerprint across assets
Organizations/HostsMNTTR; Internet Security – US OH
Analyst Label(s)Hardened SSH access/jumphost infrastructure
Cluster Size13 assets
Queries (Detection)port:22 AND product:"OpenSSH" AND version:"9.2p1 Debian 2+deb12u7" AND has_vuln:false
Anomaly SignalsContains critical anomalies: 104.250.164.245, 176.46.138.234

Why it matters: Likely operator jump nodes. High value for monitoring SSH telemetry and key reuse, as well as lateral movement detection.

Cluster Infrastructure Profile: Cluster 9 (Primary Apache C2 / Proxy)

CharacteristicTop 5 Findings
Top DifferentiatorsLimited Network LTD (63.33% local freq); Apache 2.4.62; OpenSSH 9.2p1; AES128-CTR; multi-port exposure (80/22/4150/4369)
Observed Ports80/tcp (HTTP – 30), 22/tcp (SSH – 30), 4150/tcp (11), 4369/tcp (10)
Common ProductsApache 2.4.62, OpenSSH 9.2p1, Debian Linux
Vulnerabilities~1,200 CVEs total across host stack (Apache 2.4.62 + OpenSSH 9.2p1 + Debian packages, per Shodan CPE enumeration; ≈630 high-risk); Apache-core exemplars include CVE-2024-47252, CVE-2025-23048, CVE-2025-49812
Encryption & CertsSSH AES128-CTR, curve25519-sha256 KEX, chacha20-poly1305
Organizations/HostsLimited Network LTD (63.33%), Internet Security – US OH
ISPsLimited Network LTD concentration; diverse secondary providers
Analyst Label(s)Primary operational C2/proxy infrastructure
Cluster Size30 assets
Queries (Detection)org:"Limited Network LTD" AND http.component:"Apache" AND product.version:"2.4.62" AND port:(80 OR 22 OR 4150 OR 4369) AND product:"OpenSSH" AND version:"9.2p1"
Anomaly SignalsNone — stable operational cluster

Why it matters: Core C2/proxy tier with heavy Apache vulnerability exposure and custom ports (4150/4369). Strong candidates for blocking, takedown, and deep inspection for web shells.

Anomaly Analysis

  • Six critical anomalies: e.g., 85.206.167.148 (entropy 1.61, anomaly score 23.36, 100th percentile).
  • Behavior: cluster-hopping, unstable labels, evasion-aware design.
  • Overlap with REM Proxy IoCs (e.g., 89.39.149.227, 185.25.48.96) strengthens attribution link.
  • Require specialized detection beyond static clustering.

Conclusion

Our automated clustering confirms and extends Black Lotus Labs' assessment:

  • Validated: noisy SystemBC proxy botnet, dominated by Apache C2 → Nginx proxy chains.
  • Extended:
    • Added SSH-only access tier and minimal hardened tier.
    • Quantified stability vs anomaly scores.
    • Identified hosting provider concentration (Limited Network LTD, MNTTR).
    • Highlighted multi-role anomalies overlapping REM Proxy infra.

Defender Priorities

  • Block & monitor Tier Alpha (Clusters 1, 6, 9): vulnerable Apache/SSH hubs.
  • Patch/scan for CVE-2023-44487 on Nginx loader fleets.
  • Track SSH key/cipher use in hardened jump hosts.
  • Investigate anomalies with entropy >1.5 (high-evasion tradecraft).
  • Fingerprint hosting provider clusters (esp. Limited Network LTD).

This method converts noise into structured maps. It gives defenders and CTI teams an actionable view of SystemBC's operational model.

Sources

Comments (0)