SystemBC malware has been observed being distributed through malicious email spam (malspam) campaigns. The emails carry Excel spreadsheets containing a malicious macro that uses an updated GlobalSign template. This spreadsheet pushed what appears to be SystemBC RAT malware, and Cobalt Strike was also detected as follow-up activity from this infection.
The malspam delivers Excel spreadsheets that require the victim to enable content, as shown below.
Enabling macros on a vulnerable Windows host generated HTTPS traffic that retrieved a Windows executable (EXE) file for SystemBC. The first post-infection traffic from SystemBC was TCP traffic to 109.234.39[.]169 over port 4001. Notably, Cobalt Strike did not appear unless the infected host was running in an Active Directory (AD) environment.
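The infection chain above gives a defender two concrete signals to hunt for: the post-infection connection to 109.234.39[.]169:4001, and an Office process spawning a child that then makes outbound HTTPS (the macro stage fetching the EXE). The following is an added detection example written for this write-up, not code from the original report; the event layout, field names, hostnames and the child process name are constructed assumptions.

```python
"""Detection helper for the SystemBC infection chain described above.

Checks two signals over constructed sample endpoint/network events:
  1. Any connection to the post-infection C2 indicator 109.234.39.169:4001.
  2. A child of EXCEL.EXE making outbound HTTPS (macro stage fetching the EXE).
Event fields are an assumption for this example, not a real product schema.
"""
from dataclasses import dataclass

# Indicator taken from the write-up, where it is defanged as 109.234.39[.]169.
C2_INDICATORS = {("109.234.39.169", 4001)}
OFFICE_PARENTS = {"excel.exe"}


@dataclass
class Event:
    kind: str                 # "proc" (process start) or "net" (outbound connection)
    host: str
    pid: int
    image: str                # process image name
    parent_image: str = ""    # only meaningful for "proc" events
    dst_ip: str = ""
    dst_port: int = 0


def refang(ip: str) -> str:
    """Turn a defanged indicator such as 109.234.39[.]169 into a usable address."""
    return ip.replace("[.]", ".")


def detect(events):
    """Return (host, rule, detail) alerts for the two signals above, in event order."""
    alerts = []
    spawned_by_office = {}  # (host, pid) -> child image, to tie later net events back
    for ev in events:
        if ev.kind == "proc" and ev.parent_image.lower() in OFFICE_PARENTS:
            spawned_by_office[(ev.host, ev.pid)] = ev.image
        elif ev.kind == "net":
            if (ev.dst_ip, ev.dst_port) in C2_INDICATORS:
                alerts.append((ev.host, "systembc_c2", f"{ev.image} -> {ev.dst_ip}:{ev.dst_port}"))
            child = spawned_by_office.get((ev.host, ev.pid))
            if child and ev.dst_port == 443:
                alerts.append((ev.host, "office_child_https", f"{child} -> {ev.dst_ip}:443"))
    return alerts


SAMPLE_EVENTS = [  # constructed for this example; not captured telemetry
    Event("proc", "ws01", 4120, "EXCEL.EXE", parent_image="explorer.exe"),
    Event("proc", "ws01", 4388, "macro_child.exe", parent_image="EXCEL.EXE"),  # placeholder name
    Event("net", "ws01", 4388, "macro_child.exe", dst_ip="203.0.113.10", dst_port=443),
    Event("net", "ws01", 5012, "svchost.exe", dst_ip=refang("109.234.39[.]169"), dst_port=4001),
    Event("net", "ws02", 900, "chrome.exe", dst_ip="198.51.100.5", dst_port=443),  # benign
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The IP/port match is the high-confidence rule; the Office-child-HTTPS rule is noisier and is best treated as a hunting lead to correlate with the download rather than an alert on its own.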