Posted on August 12, 2023 at 4:29 PM
DroxiDat Malware Variant Targets South African Power Generating Firm
An as-yet unidentified threat actor has been linked to a campaign that targeted a power generation firm in South Africa. The firm was hit with DroxiDat, a new variant of the SystemBC malware. Researchers assess that the variant was most likely deployed as a precursor to a ransomware attack.
DroxiDat malware targets South African power generator
The campaign was detected by researchers at the cybersecurity firm Kaspersky. They noted that the attack took place towards the end of March 2023 and was caught in its early stages. The attackers used the DroxiDat variant to profile the compromised system and to proxy network traffic.
The campaign also relied on the SOCKS5 protocol to relay traffic to and from the command-and-control (C2) infrastructure. The conduct of the campaign points to capable operators who knew their way around the victim's environment and how to compromise it with this tooling.
Kurt Baumgartner, principal security researcher at Kaspersky's Global Research and Analysis Team (GReAT), said that a proxy-capable backdoor was deployed alongside Cobalt Strike Beacons, and that the campaign appeared to target critical infrastructure in South Africa.
SystemBC is written in C/C++. It is a commodity malware and remote administration tool first observed in 2019. Its main feature is to set up SOCKS5 proxies on victims' computers.
Attackers then use those SOCKS5 proxies to tunnel malicious traffic for other malware. Newer variants can also perform additional functions, such as downloading and executing further payloads.
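To make the proxy mechanism concrete, the following is an added example written for this article; it is not code from the Kaspersky report, from SystemBC or from DroxiDat. It parses the plain SOCKS5 client handshake defined in RFC 1928 (greeting, then a CONNECT/BIND/UDP ASSOCIATE request) out of the client-to-server bytes of a reassembled TCP stream, which is the byte pattern an analyst would hunt for when an internal host is acting as a SOCKS5 endpoint. The sample streams are constructed inline (private IPv4 address, example.com, a TLS ClientHello as a negative case); the assumption that the greeting is immediately followed by the request holds for the "no authentication" method. A real implant may wrap or obfuscate the handshake, and this parser deliberately does not try to undo that.

```python
"""Added example: detect plain RFC 1928 SOCKS5 handshakes in client->server stream bytes.

Not code from SystemBC, DroxiDat or the Kaspersky report. Sample streams below are constructed.
"""
from dataclasses import dataclass
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


@dataclass
class Socks5Request:
    command: str
    dest_host: str
    dest_port: int


def parse_greeting(data: bytes) -> Optional[Tuple[List[int], int]]:
    """Parse 'VER NMETHODS METHODS...'. Return (methods, bytes consumed) or None."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) < 2 + nmethods:
        return None
    return list(data[2:2 + nmethods]), 2 + nmethods


def parse_request(data: bytes) -> Optional[Tuple[Socks5Request, int]]:
    """Parse 'VER CMD RSV ATYP DST.ADDR DST.PORT'. Return (request, bytes consumed) or None."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        return None
    cmd, atyp = data[1], data[3]
    if cmd not in CMD_NAMES:
        return None
    pos = 4
    if atyp == ATYP_IPV4:
        if len(data) < pos + 4:
            return None
        host = str(ipaddress.IPv4Address(data[pos:pos + 4]))
        pos += 4
    elif atyp == ATYP_IPV6:
        if len(data) < pos + 16:
            return None
        host = str(ipaddress.IPv6Address(data[pos:pos + 16]))
        pos += 16
    elif atyp == ATYP_DOMAIN:
        if len(data) < pos + 1:
            return None
        length = data[pos]
        pos += 1
        if length == 0 or len(data) < pos + length:
            return None
        host = data[pos:pos + length].decode("ascii", errors="replace")
        pos += length
    else:
        return None
    if len(data) < pos + 2:
        return None
    (port,) = struct.unpack("!H", data[pos:pos + 2])  # DST.PORT is big-endian
    return Socks5Request(CMD_NAMES[cmd], host, port), pos + 2


def inspect_client_stream(payload: bytes) -> Optional[Socks5Request]:
    """Return the SOCKS5 request carried by client->server bytes, or None.

    Assumes the greeting is directly followed by the request, which is the case when the
    server selects the 'no authentication' method (0x00); other methods add an auth exchange.
    """
    greeting = parse_greeting(payload)
    if greeting is None:
        return None
    _, consumed = greeting
    parsed = parse_request(payload[consumed:])
    return parsed[0] if parsed else None


def find_socks5_requests(streams: Dict[str, bytes]) -> List[Tuple[str, Socks5Request]]:
    """Scan a mapping of stream id -> client bytes and return every SOCKS5 request found."""
    hits = []
    for stream_id, payload in streams.items():
        request = inspect_client_stream(payload)
        if request is not None:
            hits.append((stream_id, request))
    return hits


# Constructed sample streams (not captured from any real incident).
GREETING_NO_AUTH = b"\x05\x01\x00"                       # VER=5, 1 method, method 0x00
SAMPLE_IPV4_STREAM = GREETING_NO_AUTH + b"\x05\x01\x00\x01" + bytes([192, 168, 1, 10]) + b"\x01\xbb"
SAMPLE_DOMAIN_STREAM = (GREETING_NO_AUTH + b"\x05\x01\x00\x03"
                        + bytes([len(b"example.com")]) + b"example.com" + b"\x00\x50")
SAMPLE_TLS_STREAM = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"  # TLS record header: not SOCKS5
SAMPLE_STREAMS = {
    "stream-1": SAMPLE_IPV4_STREAM,
    "stream-2": SAMPLE_DOMAIN_STREAM,
    "stream-3": SAMPLE_TLS_STREAM,
}

if __name__ == "__main__":
    for stream_id, req in find_socks5_requests(SAMPLE_STREAMS):
        print(f"{stream_id}: SOCKS5 {req.command} -> {req.dest_host}:{req.dest_port}")
```

In practice the input would come from a stream reassembler such as Zeek or a pcap parser, keyed by the internal host that accepted the connection; an internal workstation that answers SOCKS5 greetings from an external address, on any port, is the behaviour to alert on.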
Hackers used a SystemBC malware variant
SystemBC has been seen before, usually in ransomware operations. One such case came in December 2020, when Sophos reported that ransomware operators were using the SystemBC RAT as an off-the-shelf Tor backdoor in Ryuk and Egregor infections.
Sophos described SystemBC as a tool that can work multiple victims at the same time while performing different tasks, and noted that it could be used to run a ransomware campaign.
“SystemBC is an attractive tool in these types of operations because it allows for multiple targets to be worked at the same time with automated tasks, allowing for hands-off deployment of ransomware using Windows built-in tools if the attackers gain the proper credentials,” the company said.
DroxiDat has been deployed alongside ransomware activity before. In a previous incident involving a healthcare organization, the variant was used around the same time as Nokoyawa ransomware.
DroxiDat is compact and has a smaller footprint than SystemBC, but it does not carry SystemBC's full feature set. Instead, it operates as a simple system profiler that exfiltrates the information it collects to a remote server.
Baumgartner noted that the variant has no download-and-execute capability. It does, however, connect to remote listeners and transmit data, and it can also modify the system registry.
The threat actor behind the campaign against the South African power generator has yet to be determined, though there is circumstantial evidence pointing to Russian ransomware groups. The researchers note the likelihood that FIN12, also known as Pistachio Tempest, is responsible, since the group has previously used SystemBC together with Cobalt Strike Beacons in ransomware campaigns.
The report arrives as the number of ransomware attacks on industrial organizations and infrastructure has roughly doubled year over year, from 125 reported incidents in Q2 2022 to 253 in Q2 2023. The Q2 2023 figure is also 18% higher than in Q1 2023.
Kaspersky noted that ransomware campaigns will continue to target industrial operations. Such attacks can disrupt services in several ways, for example through ransomware strains that incorporate kill lists for operational technology (OT) processes, and through flat networks that let ransomware spread from IT into OT environments.
Organizations are advised to prepare precautionary shutdown procedures so that a ransomware outbreak on the IT side does not spread to industrial control systems. Such measures reduce, but do not eliminate, the risk to user and control systems.