- Cybersecurity researchers uncover cyberattack targeting South African power-generating firm.
- Attackers deploy new variant of SystemBC malware, named DroxiDat, with CobaltStrike beacons.
- Speculation that attack could be an initial stage of a ransomware attack, occurring in March 2023.
- DroxiDat variant is a compact 8kb payload, serves as a system profiler, and sets up SOCKS5 proxies on target computers.
- Attacker’s C2 infrastructure linked to energy-oriented domain potentially tied to Russian ransomware group FIN12.
Cybersecurity researchers at Securelist have discovered a cyberattack against a power-generating firm in South Africa. Reportedly, the firm was targeted with a new variant of the SystemBC malware, and an as-yet-unidentified hacking group carried out the attack.
It is worth noting that a variant of SystemBC was also identified in the 2021 cyberattack against Colonial Pipeline, a major American oil pipeline system. In the recent attack, however, attackers deployed the proxy-capable backdoor with CobaltStrike beacons.
According to Securelist, the new SystemBC malware variant is dubbed DroxiDat. Attackers used these tools to compromise systems and remotely access the electricity generator. Researchers speculated that it could be the “initial stage of a ransomware attack” that took place in the third or fourth week of March 2023.
For your information, the SystemBC payload is a “changing, malicious” malware-as-a-service backdoor available on darknet forums since 2018. It is a C/C++-based commodity malware first observed in 2019.
“This platform is made up of three separate parts: on the server side, a C2 web server with admin panel and a C2 proxy listener; on the target side is a backdoor payload,” Securelist’s report revealed.
Compared to previously detected SystemBC variants that were around 15-30kb+, DroxiDat is a compact, 8kb variant that serves as a system profiler, and its main job is to set up SOCKS5 proxies on target computers so that attackers can tunnel malicious traffic.
The malware can also retrieve usernames, IP addresses, and machine names from an active device, encrypt the data, and transfer it to the attacker’s C2 server. This variant doesn’t feature many of SystemBC’s functionalities and acts as a system profiler to exfiltrate information to a remote server.
However, it doesn’t feature download or execute capabilities and can only connect with “remote listeners, pass data back and forth, and modify the system registry.”
This variant, however, allows attackers to simultaneously target multiple devices by automating tasks. If the credentials are legit, they can even deploy ransomware using built-in Windows tools without manually controlling the process.
The attacker’s C2 infrastructure involved an energy-oriented domain, “powersupportplan[.]com,” which resolved to a suspicious IP host. Researchers believe this host was previously used in APT activity to improve the attack’s potential.
Furthermore, researchers discovered that DroxiDat was used in another, healthcare-related incident around the same time, in which it delivered Nokoyawa ransomware.
Regarding the attackers, researchers claim that evidence suggests the involvement of a Russian ransomware group, probably FIN12 (also known as Pistachio Tempest). This group is known for deploying SystemBC with Cobalt Strike Beacons to launch ransomware attacks against healthcare facilities in 2022.