Backconnecting the Dots:
A Deep Dive into the SYSTEMBC Ecosystem
SYSTEMBC is a long-standing malware-as-a-service (MaaS) operation that has been developed and sold by the actor “psevdo” on multiple underground forums since 2018. The malware has been used by over 20 different threat clusters tracked by Mandiant, including several prominent ransomware operators, such as FIN12, UNC2727, and UNC2198. In this talk, we take an in-depth look at the evolution of one of the most prominent cybercriminal intrusion tools of the last 5 years, examining notable users and case studies and analyzing revenue obtained from the operation. Our analysis fuses intrusion data, infrastructure tracking, forum activity, and cryptocurrency analysis to peel back the layers of this malware operation, which has facilitated several of the most notorious financially motivated intrusion groups in recent years.