image

Power supplier hit by malware

Cybersecurity researchers at Kaspersky Labs have discovered a cyberattack against a power-generating firm in the south of Africa. Reportedly, the firm was targeted with a new variant of the SystemBC malware and a yet unidentified hacking group carried out the attack.

It is worth noting that a variant of SystemBC was also identified in the 2021 cyber attack against Colonial Pipeline, a major American oil pipeline system. In the recent attack, however, attackers deployed the proxy-capable backdoor with CobaltStrike beacons.

According to the Kaspersky Labs blog post, the new SystemBC malware variant is dubbed DroxiDat. Attackers used these tools to compromise systems and remotely access the electricity generator. However, researchers speculated that it could be the “initiate stage of a ransomware attack” that took place in the third or fourth week of March 2023.

For your information, SystemBC payload is a “changing, malicious” malware-as-a-service backdoor available on darknet forums since 2018. It is a C/C++-based commodity malware first observed in 2019.

“This platform is made up of three separate parts: on the server side, a C2 web server with admin panel and a C2 proxy listener; on the target side is a backdoor payload,” Securelist’s report revealed.

Compared to previously detected SystemBC variants that were around 15-30kb+, DroxiDot is a compact, 8kb variant that serves as a system profiler, and its main job is to set up SOCKS5 proxies on target computers so that attackers can tunnel malicious traffic.

The malware can also retrieve usernames, IP addresses, and machine names from an active device, encrypts the data, and transfers it to the attacker’s C2 server. This variant doesn’t feature many of SystemBC’s functionalities and acts as a system profiler to exfiltrate information to a remote server.

However, it doesn’t feature download or executing capabilities and can only connect with “remote listeners, pass data back and forth, and modify the system registry.”

This variant, however, allows attackers to simultaneously target multiple devices through automating tasks. If the credentials are legit, they can even deploy ransomware using built-in Windows tools without manually controlling the process.

 The attacker’s C2 infrastructure involved an energy-oriented domain “powersupportplancom,” which resolved to a suspicious IP host. Researchers believe this host was previously used in an APT activity to improve the attack’s potential.

Furthermore, researchers discovered that DroxiDot was used in another healthcare-related incident during the same time when it delivered Nokoyawa ransomware.

Regarding the attackers, researchers claim that evidence suggests the involvement of a Russian ransomware group, probably FIN12 (also known as Pistachio Tempest). This group is known for deploying SystemBC with Cobalt Strike Beacons to launch ransomware attacks against healthcare facilities in 2022.