U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Power Generator in South Africa hit with DroxiDat and Cobalt Strike

Threat actors employed a new variant of the SystemBC malware, named DroxiDat, in attacks aimed at African critical infrastructure. Researchers from Kaspersky’s Global Research and Analysis Team (GReAT) reported that an unknown threat actor used a new variant of the SystemBC proxy malware, named DroxiDat, in an attack against a power generation company in southern Africa. SystemBC was […]

RAT

Threat actors employed a new variant of the SystemBC malware, named DroxiDat, in attacks aimed at African critical infrastructure.

Researchers from Kaspersky’s Global Research and Analysis Team (GReAT) reported that an unknown threat actor used a new variant of the SystemBC proxy malware, named DroxiDat, in an attack against a power generation company in southern Africa.

SystemBC was discovered by experts at Proofpoint in Augut 2019, it is being distributed via exploit kits like Fallout and RIG. The malware was tracked as “SystemBC” based on the URI path shown in the advertisement’s panel screenshots. The malware hides malicious network traffic using SOCKS5 proxies that are set up on compromised PC.

The SystemBC platform has been offered for sale on various underground forums at least since 2018 as a “malware as a service,” or MaaS.

In the attack discovered by Kaspersky, the proxy backdoor was deployed alongside Cobalt Strike beacons, the researchers believe that this incident was in the initial stages of a ransomware attack.

The attack occurred in mid-March 2023, the researchers observed a small wave of attacks involving the DroxiDat. The malware is 8kb in size and was used as a system profiler and a simple SOCKS5-capable bot.

Unlike previous variants, this Windows variant missed the following capabilities:

  • File creation capability.
  • File-execution switch statement, parsing for hardcoded file extensions (vbs, cmd, bat, exe, ps1) and code execution functionality.
  • Mini-TOR client capabilities.
  • Emisoft anti-malware scan.

The researchers noticed that C2 infrastructure used in this attack involved an energy-related domain “powersupportplan[.]com.” The domain resolved to an already suspicious IP host that was previously used several years prior as a part of an APT activity, a circumstance that suggests that the incident was the result of an attack from a nation-state actor.

“Also interesting, within this power generator network, DroxiDat/systemBC was detected exclusively on system assets similar to past DarkSide targets. And, a Darkside affiliate hit Electrobras and Copel energy companies in Brazil in 2021.” reads the report published by

Data collected related to multiple incidents analyzed by Kaspersky suggest the attack was conducted by the Russian-speaking RaaS cybercrime Pistachio Tempest or FIN12. The group focuses on healthcare industry and frequently used SystemBC alongside CS Beacon to deploy ransomware.

Kaspersky published Indicators of Compromise (IoCs) for this threat.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, DroxiDat)