An unidentifiable threat actor has emerged in the realm of cybersecurity, orchestrating a targeted cyber attack on a power generation company in southern Africa. The assailant employed a novel iteration of the SystemBC malware, known as DroxiDat, which has raised suspicions of an imminent ransomware assault.
The attack occurred in late March 2023 and was characterized by the deployment of DroxiDat, working in tandem with Cobalt Strike Beacons, to infiltrate a critical infrastructure of a South African nation.
Kaspersky’s Global Research and Analysis Team (GReAT) shed light on the situation, indicating that the attack was in its preliminary stages and leveraged DroxiDat to profile the victim’s system and facilitate the proxying of network traffic through the SOCKS5 protocol to and from command-and-control (C2) infrastructure.
SystemBC, a C/C++-based malware and remote administrative tool, originated in 2019 and was primarily designed to set up SOCKS5 proxies on compromised systems, which can be utilized by threat actors for malicious traffic redirection. The malware’s recent variants also exhibit capabilities for downloading and executing additional payloads.
The multifaceted nature of SystemBC has previously been exploited as a conduit for ransomware operations, as demonstrated by its use in Ryuk and Egregor infections. DroxiDat, linked to a healthcare-related incident, found itself associated with ransomware deployment alongside Cobalt Strike in a similar timeframe. This emerging malware variant showcases a streamlined and compact design compared to SystemBC, serving as a proficient system profiler while exfiltrating gathered data to a remote server. The identity of the malevolent actors behind these attacks remains unknown, yet indications suggest the potential involvement of Russian ransomware groups like FIN12 (Pistachio Tempest), recognized for deploying SystemBC alongside Cobalt Strike to unleash ransomware campaigns.
Amid this evolving cyber threat landscape, industrial organizations have witnessed a surge in ransomware attacks targeting their critical infrastructures. According to Dragos, the number of such attacks doubled between the second quarter of 2022 and Q2 2023, rising from 125 incidents to 253.
This surge underscores the pressing need for bolstered cybersecurity measures to safeguard against ransomware-induced disruptions and protect industrial control systems.
