DroxiDat Malware

An unidentified fraud-related actor has been associated with a cyber attack on a power generation company located in southern Africa. The attack utilized a novel malware threat tracked as DroxiDat. The malware is confirmed to be a newer iteration of previously discovered SystemBC and is presumably deployed as a preliminary step for an anticipated ransomware attack.

The deployment of DroxiDat, a backdoor equipped with proxy capabilities, occurred concurrently with the utilization of Cobalt Strike Beacons within the vital infrastructure. Researchers have determined that this incident transpired in late March 2023. During this time, it is believed that the attack operation was in its early phases, focusing on system profiling and the establishment of a proxy network utilizing the SOCKS5 protocol to facilitate communication with the Command-and-Control (C2) infrastructure.

The Creators of DroxiDat Used the SystemBC Malware as a Basis

SystemBC is a commodity malware and remote administrative tool coded in C/C++. The threat initially surfaced back in 2019. Its primary function involves establishing SOCKS5 proxies on compromised machines. These proxies serve as conduits for bogus traffic linked to other forms of malware. Recent iterations of this particular malware have expanded capabilities, enabling the retrieval and execution of additional threat payloads.

The historical deployment of SystemBC as a conduit for ransomware attacks has been well-documented. In December 2020, researchers unveiled instances of ransomware operators resorting to the SystemBC as a readily available Tor-based backdoor for implementing Ryuk and Egregor Ransomware infections.

SystemBC's appeal lies in its effectiveness within such operations, allowing for simultaneous engagement with multiple targets through automated procedures. This, in turn, facilitates the deployment of ransomware via native Windows tools, should the attackers manage to obtain the appropriate credentials.

DroxiDat May Be Used as a Precursor of Ransomware Attacks

DroxiDat's connections to ransomware deployment originate from a healthcare-related occurrence in which DroxiDat was involved. This event unfolded during a similar timeframe in which the Nokoyawa Ransomware is believed to have been distributed in conjunction with Cobalt Strike.

The malware utilized in this assault possesses a streamlined and efficient nature in contrast to the original SystemBC. Its developers have stripped its functionality down, shedding most of the features found in SystemBC, to specialize its function as a basic system profiler. Its role involves extracting information and transmitting it to a remote server.

As a result, DroxiDat lacks the capability to download and execute additional malware payloads. However, it can establish links with remote listeners, facilitating bidirectional data transfer, and is capable of manipulating the system registry of the infected device.

The identification of the threat actors responsible for the attacks remains unknown. Nonetheless, existing indications strongly suggest the potential involvement of Russian hacker groups, particularly FIN12 (also known as Pistachio Tempest). This group is known for deploying SystemBC alongside Cobalt Strike Beacons as part of their strategy for delivering ransomware.