An unknown threat actor has been linked to a cyber attack on a power generation company in southern Africa with a new variant of the SystemBC malware called DroxiDat as a precursor to a suspected ransomware attack.
“The proxy-capable backdoor was deployed alongside Cobalt Strike Beacons in a South African nation’s critical infrastructure,” Kurt Baumgartner, principal security researcher at Kaspersky’s Global Research and Analysis Team (GReAT), said.
The Russian cybersecurity company said the attack, which took place in late March 2023, was in its early stages and involved the use of DroxiDat to profile the system and proxy network traffic using the SOCKS5 protocol to and from command-and-control (C2) infrastructure.
SystemBC is a C/C++-based commodity malware and remote administrative tool that was first seen in 2019. Its main feature is to set up SOCKS5 proxies on victim computers that can then be used by threat actors to tunnel malicious traffic associated with other malware. Newer variants of the malware can also download and run additional payloads.
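As an added illustration of the SOCKS5 tunnelling described above (example code written for this note, not Kaspersky's, Sophos's or SystemBC's own code): a small parser for the RFC 1928 client greeting and request that a defender can run over the first client-to-server bytes of reassembled flows to surface SOCKS5 handshakes from hosts that are not supposed to act as proxies. The sample flows, the host addresses and the `expected_proxies` allow list are constructed assumptions.

```python
import ipaddress
import struct

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
ATYP_LEN = {0x01: 4, 0x04: 16}   # fixed-length address types: IPv4, IPv6

def parse_greeting(data):
    """Client greeting (RFC 1928, sec. 3): VER | NMETHODS | METHODS -> (methods, consumed)."""
    if len(data) < 2 or data[0] != SOCKS_VERSION or len(data) < 2 + data[1]:
        return None
    return list(data[2:2 + data[1]]), 2 + data[1]

def parse_request(data):
    """Client request (RFC 1928, sec. 4): VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT."""
    if len(data) < 7 or data[0] != SOCKS_VERSION:   # 7 = shortest possible request
        return None
    cmd, atyp, pos = data[1], data[3], 4
    if atyp == 0x03:                  # domain name: one length byte, then the name
        addr_len, pos = data[4], 5
    elif atyp in ATYP_LEN:
        addr_len = ATYP_LEN[atyp]
    else:
        return None
    if len(data) < pos + addr_len + 2:    # truncated address or port
        return None
    raw = data[pos:pos + addr_len]
    dst = raw.decode("ascii", "replace") if atyp == 0x03 else str(ipaddress.ip_address(raw))
    port = struct.unpack("!H", data[pos + addr_len:pos + addr_len + 2])[0]
    return {"cmd": CMD_NAMES.get(cmd, "UNKNOWN(0x%02x)" % cmd), "dst": dst, "port": port}

def find_socks5_tunnels(flows, expected_proxies=frozenset()):
    """flows: iterable of (src_host, reassembled client-to-server bytes). Returns one finding
    per flow that opens with a SOCKS5 greeting and request from a non-approved host."""
    findings = []
    for src, payload in flows:
        greeting = parse_greeting(payload)
        if greeting is None or src in expected_proxies:
            continue
        methods, offset = greeting
        req = parse_request(payload[offset:])
        if req is not None:
            findings.append({"src": src, "auth_methods": methods, **req})
    return findings

# Constructed sample flows (not capture data): one SOCKS5 CONNECT, one plain HTTP request
SAMPLE_FLOWS = [("10.0.5.23", b"\x05\x01\x00\x05\x01\x00\x03\x0fexample.invalid" + struct.pack("!H", 443)),
                ("10.0.5.24", b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n")]
```

Because the victim side of a SystemBC deployment is the proxy, a finding whose source is an ordinary workstation or server, rather than a known egress proxy, is the case worth triaging.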
The use of SystemBC as a conduit for ransomware attacks has been documented in the past. In December 2020, Sophos revealed ransomware operators’ reliance on SystemBC RAT as an off-the-shelf Tor backdoor for Ryuk and Egregor infections.
“SystemBC is an attractive tool in these types of operations because it allows for multiple targets to be worked at the same time with automated tasks, allowing for hands-off deployment of ransomware using Windows built-in tools if the attackers gain the proper credentials,” the company said at the time.
DroxiDat’s links to ransomware deployment stem from a healthcare-related incident involving the same malware around the same timeframe, in which the Nokoyawa ransomware is said to have been delivered alongside Cobalt Strike.
The malware used in the attack is compact and lean compared to SystemBC, stripped of most of the latter’s functionality so that it acts as a simple system profiler and exfiltrates the collected information to a remote server.
“It provides no download-and-execute capabilities, but can connect with remote listeners and pass data back and forth, and modify the system registry,” Baumgartner said.
The identity of the threat actors behind the attacks is currently unknown, although existing evidence points to the likely involvement of Russian ransomware groups, specifically FIN12 (aka Pistachio Tempest), which is known to use SystemBC alongside Cobalt Strike Beacons to deploy ransomware.
The development comes as the number of ransomware attacks targeting industrial organizations and infrastructure has doubled since the second quarter of 2022, jumping from 125 in Q2 2022 to 253 in Q2 2023, according to Dragos. The figure is also an 18% increase from the previous quarter, when 214 incidents were identified.
“Ransomware will continue to disrupt industrial operations, whether through the integration of operational technology (OT) kill processes into ransomware strains, flattened networks allowing ransomware to spread into OT environments, or precautionary shutdowns of production by operators to prevent ransomware from spreading to industrial control systems,” the company assessed with high confidence.