Security researchers have uncovered a command and control (C2) server linked to a known proxy malware, revealing a botnet of more than 1,570 compromised systems. The server is associated with threat actors deploying The Gentlemen ransomware-as-a-service (RaaS) operation, according to new findings published by cybersecurity firm Check Point.
Operation and Discovery
The investigation centers on SystemBC, a commodity malware that functions as a SOCKS5 proxy. Once running on an infected machine it opens an encrypted tunnel back to its C2 server, through which the operators can route traffic so that it appears to originate from the victim rather than from attacker-controlled infrastructure. Discovering the specific C2 server managing these proxies allowed researchers to map the scale of the infection.
By analyzing the server, Check Point identified over 1,570 unique victim IP addresses. Together these compromised systems form a botnet that the actors behind The Gentlemen ransomware use for stealthy communication and payload delivery, and it represents a significant piece of the infrastructure supporting the ransomware's activities.
Technical Function of SystemBC
SystemBC is not a new threat, but it remains popular among cybercriminals because of its utility. Once installed on a victim's computer it establishes a persistent outbound connection to its C2 server and exposes a SOCKS5 proxy over that link. The connection acts as a relay: attackers send commands and data through the victim's network without ever connecting to their targets directly from their own infrastructure.
This complicates detection and attribution for security teams, since the traffic appears to originate from a legitimate (if compromised) machine inside the corporate network rather than from a known malicious server. The malware is often deployed in the later stages of an attack, after initial access and reconnaissance.
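To make concrete what a SOCKS5 relay does at the protocol level, here is an added example that is not code from this page, from Check Point, or from SystemBC itself (SystemBC's encrypted tunnel to its C2 is not modelled). It parses the two client messages of a SOCKS5 handshake as defined in RFC 1928 and builds the server replies; the sample host and port in the constructed messages are assumptions.

```python
import ipaddress
import struct
from dataclasses import dataclass

# Constants from RFC 1928 (SOCKS Protocol Version 5).
SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00
METHOD_NONE_ACCEPTABLE = 0xFF
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCEEDED = 0x00


@dataclass(frozen=True)
class Socks5Request:
    command: str
    host: str
    port: int


def parse_greeting(data: bytes) -> list:
    """Parse the client greeting VER | NMETHODS | METHODS; return the offered auth methods."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 greeting")
    nmethods = data[1]
    if len(data) != 2 + nmethods:
        raise ValueError("greeting length does not match NMETHODS")
    return list(data[2:])


def greeting_reply(methods: list) -> bytes:
    """Server method selection VER | METHOD; accept only 'no authentication'."""
    chosen = METHOD_NO_AUTH if METHOD_NO_AUTH in methods else METHOD_NONE_ACCEPTABLE
    return bytes([SOCKS_VERSION, chosen])


def parse_request(data: bytes) -> Socks5Request:
    """Parse VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT, rejecting malformed input."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    cmd, rsv, atyp = data[1], data[2], data[3]
    if rsv != 0x00:
        raise ValueError("RSV must be zero")
    if cmd not in CMD_NAMES:
        raise ValueError(f"unknown command {cmd:#x}")
    off = 4
    if atyp == ATYP_IPV4:
        # IPv4Address raises on anything but exactly 4 bytes, so truncation is caught here.
        host, off = str(ipaddress.IPv4Address(data[off:off + 4])), off + 4
    elif atyp == ATYP_IPV6:
        host, off = str(ipaddress.IPv6Address(data[off:off + 16])), off + 16
    elif atyp == ATYP_DOMAIN:
        if len(data) < off + 1:
            raise ValueError("missing domain length")
        length = data[off]
        off += 1
        host = data[off:off + length].decode("ascii")
        off += length
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    if len(data) != off + 2:
        raise ValueError("request length does not match address type")
    (port,) = struct.unpack("!H", data[off:off + 2])
    return Socks5Request(CMD_NAMES[cmd], host, port)


def request_reply(rep: int, bind_host: str = "0.0.0.0", bind_port: int = 0) -> bytes:
    """Build VER | REP | RSV | ATYP | BND.ADDR | BND.PORT with an IPv4 bind address."""
    return (bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4])
            + ipaddress.IPv4Address(bind_host).packed
            + struct.pack("!H", bind_port))


def proxy_exchange(greeting: bytes, request: bytes):
    """Play the relay side of the handshake; return (method reply, parsed request, reply)."""
    method_reply = greeting_reply(parse_greeting(greeting))
    if method_reply[1] == METHOD_NONE_ACCEPTABLE:
        return method_reply, None, b""
    req = parse_request(request)
    # A real relay would now open req.host:req.port and pipe bytes both ways;
    # this example only reports success so that it runs offline.
    return method_reply, req, request_reply(REP_SUCCEEDED)


if __name__ == "__main__":
    # Constructed sample: an operator asking the relay to CONNECT to 10.0.0.5:443.
    greeting = bytes([0x05, 0x01, 0x00])
    request = (bytes([0x05, 0x01, 0x00, ATYP_IPV4])
               + ipaddress.IPv4Address("10.0.0.5").packed + struct.pack("!H", 443))
    print(proxy_exchange(greeting, request))
```

The point of the parser's strict length checks is that a relay exposed to untrusted clients must not read past the address field; every branch ends with the same whole-message length check so a short or over-long request is rejected before any connection is attempted.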
Connection to The Gentlemen RaaS
The Gentlemen is a ransomware as a service operation, meaning its developers lease the malicious software to other criminals, known as affiliates, in exchange for a share of the profits. Affiliates are responsible for breaching networks and deploying the ransomware.
The affiliates' use of SystemBC reflects a trend toward tighter operational security. Proxy malware adds a layer of obfuscation between the affiliates' own infrastructure and the target networks in which the ransomware is ultimately executed, and the same relay infrastructure supports data theft, lateral movement, and the final ransomware deployment.
Implications for Cybersecurity
The scale of the botnet, with victims likely spread globally, underscores the persistent threat of ransomware operations. The discovery provides valuable intelligence for the cybersecurity community, offering indicators of compromise that organizations can use to search for infections within their own networks.
Defending against such threats requires a layered approach. That includes monitoring for unusual outbound network connections, such as long-lived sessions from workstations to unfamiliar external hosts, which may indicate a proxy tunnel; deploying endpoint detection tools that can identify the installation of tools like SystemBC; and hunting for the published indicators of compromise. Network segmentation also limits lateral movement if an initial breach occurs.
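One way to operationalise the first of those controls, as an added example that is not Check Point's detection logic and carries no SystemBC indicators: the script below reads constructed connection records in a Zeek-like layout and flags internal hosts that hold a long-lived outbound session while, during that same window, reaching an unusual number of distinct internal hosts, which is the traffic shape a proxy bot produces when an intruder's lateral movement is relayed through it. The internal address ranges, the thresholds and the log lines are all assumptions; the external addresses are RFC 5737 documentation addresses, not indicators.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Address space the organisation owns (assumption for this example). Listed explicitly
# because ipaddress.is_private would also classify the documentation ranges used in the
# sample log as private, which would hide the "external" side of the tunnel.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed connection records: ts = epoch seconds, duration in seconds.
# 10.0.1.25 holds a 12h session to 203.0.113.7:4001 and fans out to eight internal hosts.
# 10.0.1.40 holds a long session too (a VPN or websocket, say) but touches one internal host.
SAMPLE_CONN_LOG = """\
ts,src,dst,dport,duration
1700000000,10.0.1.25,203.0.113.7,4001,43200
1700000060,10.0.1.30,198.51.100.10,443,2
1700000090,10.0.1.30,10.0.0.10,445,30
1700000120,10.0.1.40,198.51.100.20,443,40000
1700000300,10.0.1.25,10.0.2.11,445,5
1700000320,10.0.1.25,10.0.2.12,445,5
1700000340,10.0.1.25,10.0.2.13,445,4
1700000360,10.0.1.25,10.0.2.14,3389,120
1700000380,10.0.1.25,10.0.2.15,445,5
1700000400,10.0.1.25,10.0.2.16,445,5
1700000420,10.0.1.25,10.0.2.17,445,6
1700000440,10.0.1.25,10.0.2.18,3389,90
1700000500,10.0.1.30,198.51.100.11,443,3
1700000600,10.0.1.40,10.0.0.10,445,20
"""


@dataclass(frozen=True)
class Conn:
    ts: float
    src: str
    dst: str
    dport: int
    duration: float


@dataclass(frozen=True)
class Finding:
    host: str
    tunnel_dst: str
    tunnel_port: int
    tunnel_seconds: float
    internal_targets: int


def parse_conn_log(text: str) -> list:
    """Parse the CSV-style records above into Conn objects."""
    rows = csv.DictReader(io.StringIO(text))
    return [Conn(float(r["ts"]), r["src"], r["dst"], int(r["dport"]), float(r["duration"]))
            for r in rows]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_relay_candidates(conns, min_tunnel_seconds: float = 3600, min_fanout: int = 5) -> list:
    """Flag hosts with a long-lived outbound session during which they contact many
    distinct internal hosts. Both conditions together keep ordinary long sessions
    (VPNs, streaming, persistent websockets) from firing. Thresholds are illustrative;
    tune them against a baseline of your own traffic."""
    by_src = defaultdict(list)
    for c in conns:
        by_src[c.src].append(c)
    findings = []
    for src, host_conns in by_src.items():
        if not is_internal(src):
            continue
        for tunnel in host_conns:
            if is_internal(tunnel.dst) or tunnel.duration < min_tunnel_seconds:
                continue
            start, end = tunnel.ts, tunnel.ts + tunnel.duration
            targets = {c.dst for c in host_conns if is_internal(c.dst) and start <= c.ts <= end}
            if len(targets) >= min_fanout:
                findings.append(Finding(src, tunnel.dst, tunnel.dport, tunnel.duration, len(targets)))
    return findings


if __name__ == "__main__":
    for f in find_relay_candidates(parse_conn_log(SAMPLE_CONN_LOG)):
        print(f"{f.host}: {f.tunnel_seconds / 3600:.1f}h session to {f.tunnel_dst}:{f.tunnel_port}, "
              f"{f.internal_targets} internal targets while it was open")
```

Run against the sample, only 10.0.1.25 is reported; the long session from 10.0.1.40 is ignored because it shows no internal fan-out. In production the same logic would run over exported flow or Zeek conn logs, with the fan-out threshold set from each host's historical baseline rather than a fixed number.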
Ongoing Investigation and Next Steps
Check Point’s research has been shared with relevant law enforcement and computer emergency response teams internationally. The takedown of the identified C2 server would disrupt the current operation, but threat actors often migrate to new infrastructure quickly.
Further analysis of the victim data may reveal patterns in targeting, potentially identifying specific industries or regions at higher risk. Security professionals anticipate continued monitoring of The Gentlemen operation and its associated tools, as affiliates are likely to adapt their methods in response to this disclosure.
Source: Check Point Research