New SystemBC Malware Variant Targets Southern African Power Company
by JohnCCR - Saturday August 12, 2023 at 04:35 PM
An unknown threat actor has been linked to a cyber attack on a power generation company in southern Africa with a new variant of the SystemBC malware called DroxiDat as a precursor to a suspected ransomware attack.

"The proxy-capable backdoor was deployed alongside Cobalt Strike Beacons in a South African nation's critical infrastructure," Kurt Baumgartner, principal security researcher at Kaspersky's Global Research and Analysis Team (GReAT), said.

The Russian cybersecurity company said the attack, which took place in late March 2023, was in its early stages and involved the use of DroxiDat to profile the system and proxy network traffic using the SOCKS5 protocol to and from command-and-control (C2) infrastructure.

SystemBC is a C/C++-based commodity malware and remote administrative tool that was first seen in 2019. Its main feature is to set up SOCKS5 proxies on victim computers that can then be used by threat actors to tunnel malicious traffic associated with other malware. Newer variants of the malware can also download and run additional payloads.

The use of SystemBC as a conduit for ransomware attacks has been documented in the past. In December 2020, Sophos revealed ransomware operators' reliance on SystemBC RAT as an off-the-shelf Tor backdoor for Ryuk and Egregor infections.

"SystemBC is an attractive tool in these types of operations because it allows for multiple targets to be worked at the same time with automated tasks, allowing for hands-off deployment of ransomware using Windows built-in tools if the attackers gain the proper credentials," the company said at the time.

DroxiDat's links to ransomware deployment stem from a healthcare-related incident involving DroxiDat around the same timeframe in which the Nokoyawa ransomware is said to have been delivered alongside Cobalt Strike.

The malware employed in the attack is both compact and lean when compared to SystemBC, stripped of most of the functionality associated with the latter to act as a simple system profiler and exfiltrate the information to a remote server.
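The post describes SystemBC's core feature, standing up a SOCKS5 proxy on the victim so the operator can tunnel other traffic through it. What that looks like on the wire is what a defender needs, so here is an added example (my own code, not part of the post, of Kaspersky's report, or of any SystemBC/DroxiDat sample): a minimal RFC 1928 SOCKS5 parser for the client greeting and connection request, plus a small detector that flags a negotiation on any port, since the proxy will not be listening on 1080. The flows and payloads are constructed for illustration. The detector assumes the request immediately follows the greeting, so it does not model the RFC 1929 username/password sub-negotiation that would sit between them if the server selected method 0x02.

```python
"""
Added example: parse SOCKS5 (RFC 1928) negotiation bytes and flag flows that
carry one, regardless of destination port.  Not taken from the post or from
Kaspersky's analysis; sample flows below are constructed, not captured.
"""
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
AUTH_NAMES = {0x00: "NO_AUTH", 0x02: "USERNAME_PASSWORD"}


@dataclass
class SocksRequest:
    command: str
    dst_host: str
    dst_port: int


def parse_greeting(data: bytes) -> Optional[List[int]]:
    """Client greeting: VER | NMETHODS | METHODS[NMETHODS].
    Returns the offered auth methods, or None if not a well-formed greeting."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) != 2 + nmethods:
        return None
    return list(data[2:])


def parse_request(data: bytes) -> Optional[SocksRequest]:
    """Connection request: VER | CMD | RSV(0x00) | ATYP | DST.ADDR | DST.PORT(BE)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        return None
    cmd, atyp = data[1], data[3]
    if cmd not in CMD_NAMES:
        return None
    if atyp == ATYP_IPV4:
        addr_end = 4 + 4
        if len(data) < addr_end:
            return None
        host = socket.inet_ntoa(data[4:addr_end])
    elif atyp == ATYP_DOMAIN:
        if len(data) < 5:
            return None
        addr_end = 5 + data[4]          # one length byte, then the name
        if len(data) < addr_end:
            return None
        host = data[5:addr_end].decode("ascii", errors="replace")
    elif atyp == ATYP_IPV6:
        addr_end = 4 + 16
        if len(data) < addr_end:
            return None
        host = socket.inet_ntop(socket.AF_INET6, data[4:addr_end])
    else:
        return None
    if len(data) != addr_end + 2:        # exactly two port bytes must follow
        return None
    (port,) = struct.unpack("!H", data[addr_end:addr_end + 2])
    return SocksRequest(CMD_NAMES[cmd], host, port)


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    initiator_payloads: List[bytes]   # first segments sent by the side that speaks first


def detect_socks5(flow: Flow) -> Optional[str]:
    """Flag a flow whose first two initiator segments are a SOCKS5 greeting and
    request.  Simplification: assumes no auth sub-negotiation in between."""
    if len(flow.initiator_payloads) < 2:
        return None
    methods = parse_greeting(flow.initiator_payloads[0])
    if methods is None:
        return None
    req = parse_request(flow.initiator_payloads[1])
    if req is None:
        return None
    auth = ",".join(AUTH_NAMES.get(m, f"0x{m:02x}") for m in methods)
    return (f"SOCKS5 {req.command} via {flow.dst}:{flow.dport} "
            f"(auth offered: {auth}) -> {req.dst_host}:{req.dst_port}")


def scan(flows: List[Flow]) -> List[str]:
    return [a for a in (detect_socks5(f) for f in flows) if a]


# Constructed sample flows (not real captures): two SOCKS5 tunnels on 443 and
# 8080, and one TLS-looking flow that must not trigger.
DOMAIN = b"ad.corp.example"
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443,
         [b"\x05\x01\x00",
          b"\x05\x01\x00\x01" + bytes([192, 0, 2, 44]) + struct.pack("!H", 3389)]),
    Flow("10.0.0.7", "203.0.113.10", 443,
         [b"\x16\x03\x01\x00\xa5\x01\x00", b"\x16\x03\x03"]),
    Flow("10.0.0.9", "198.51.100.20", 8080,
         [b"\x05\x02\x00\x02",
          b"\x05\x01\x00\x03" + bytes([len(DOMAIN)]) + DOMAIN + struct.pack("!H", 445)]),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS):
        print(alert)
```

The point of checking the greeting and request together is precision: a lone `05 01 00` prefix matches plenty of binary protocols, but a version byte followed by a structurally valid CONNECT/BIND/UDP request with a sane address type and trailing port is rarely accidental. In a real deployment the parser would also consume the server's method-selection byte and any RFC 1929 exchange before looking for the request.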

