Cybersecurity experts from Securelist have identified a cyberattack on a South African power-generating company. The attackers used a new variant of the SystemBC malware, named DroxiDot, combined with Cobalt Strike Beacons. This variant is notably distinct from the one involved in the 2021 cyberattack on the Colonial Pipeline in the US.
DroxiDot is described as a compact 8 KB payload that functions primarily as a system profiler. It establishes SOCKS5 proxies on compromised computers, enabling attackers to tunnel malicious traffic through them. The malware can collect usernames, IP addresses, and machine names, encrypt this data, and send it to the attacker’s command and control (C2) server. Unlike other SystemBC versions, DroxiDot lacks many functionalities, such as download or execution capabilities. Its primary role is to profile systems and report that information to remote servers.
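The proxy behaviour above is the part a network defender can look for: a compromised host that starts speaking SOCKS5 with something other than the organisation's sanctioned proxy. The following is an added example, not code from the Securelist or HackRead reports, that parses the RFC 1928 client greeting and flags it in constructed flow records (source, destination, port, first client bytes, as a network sensor might export). The approved-proxy address, the internal ranges and all sample flows are assumptions invented for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

# Hypothetical environment: the only sanctioned SOCKS proxy and the internal ranges.
APPROVED_PROXIES = {"10.0.0.5"}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass
class Flow:
    """One TCP flow with the first bytes the client sent (constructed records)."""
    src: str
    dst: str
    dport: int
    payload: bytes


def is_socks5_greeting(payload: bytes) -> bool:
    """True if payload is a well-formed RFC 1928 client greeting:
    VER=0x05, NMETHODS=n, followed by n authentication-method bytes."""
    if len(payload) < 3 or payload[0] != 0x05:
        return False
    n = payload[1]
    if n == 0 or len(payload) < 2 + n:
        return False
    # 0xFF means "no acceptable methods" and is only ever sent by a server.
    return all(m != 0xFF for m in payload[2:2 + n])


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_unexpected_socks5(flows: List[Flow]) -> List[dict]:
    """Flag SOCKS5 greetings sent to any server that is not a sanctioned proxy.
    An internal host accepting SOCKS5 is the stronger signal: it looks like a proxy implant."""
    alerts = []
    for f in flows:
        if not is_socks5_greeting(f.payload) or f.dst in APPROVED_PROXIES:
            continue
        reason = ("internal host acting as SOCKS5 server (possible proxy implant)"
                  if is_internal(f.dst) else "SOCKS5 to unsanctioned external server")
        alerts.append({"src": f.src, "dst": f.dst, "dport": f.dport, "reason": reason})
    return alerts


# Constructed sample flows, not real traffic.
SAMPLE_FLOWS = [
    Flow("10.20.30.40", "10.0.0.5", 1080, b"\x05\x02\x00\x02"),        # sanctioned proxy: ignore
    Flow("10.20.30.41", "10.20.30.42", 4444, b"\x05\x01\x00"),          # workstation to workstation: alert
    Flow("10.20.30.41", "203.0.113.9", 443, b"\x05\x01\x00"),           # external, not sanctioned: alert
    Flow("10.20.30.43", "10.20.30.42", 80, b"GET / HTTP/1.1\r\n"),      # plain HTTP: ignore
    Flow("10.20.30.44", "10.20.30.42", 1080, b"\x04\x01\x00\x50"),      # SOCKS4, not SOCKS5: ignore
    Flow("10.20.30.45", "10.20.30.42", 1080, b"\x05\x03\x00"),          # truncated greeting: ignore
]

if __name__ == "__main__":
    for alert in find_unexpected_socks5(SAMPLE_FLOWS):
        print(alert)
```

Run as-is it prints the two alerts from the sample set. The check is deliberately strict about the greeting's length field so that SOCKS4 and random binary traffic do not trip it; the trade-off is that only negotiations visible in cleartext on the wire are caught, so the malware's own encrypted channel to its C2 still needs separate coverage (for example, the profiling data egress described above).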
Interestingly, DroxiDot can target multiple devices simultaneously by automating tasks. If attackers have valid credentials, they can deploy ransomware using built-in Windows tools without manual intervention.
The attacker’s C2 infrastructure was linked to an energy-focused domain, “powersupportplancom”, which had connections to a suspicious IP host believed to have been used in advanced persistent threat (APT) activities. Additionally, DroxiDot was implicated in a healthcare-related incident where it delivered the Nokoyawa ransomware.
Evidence points towards the involvement of a Russian ransomware group, possibly FIN12, known for using SystemBC with Cobalt Strike Beacons in previous ransomware attacks on healthcare facilities in 2022.
Source: HackRead
To mitigate potential threats, it is important to implement additional cybersecurity measures with the help of a trusted partner like INFRA www.infrascan.net, or you can try it yourself using check.website.