DroxiDat-Cobalt Strike Duo Targets Power Generator Network

Written by

A new variant of the SystemBC malware, paired with Cobalt Strike beacons, has been identified in a recent cyber-attack targeting a critical infrastructure power generator in a southern African nation. 

Echoing the high-profile Darkside Colonial Pipeline breach of 2021, the incident occurred during the third and fourth weeks of March 2023, according to a new advisory by Kaspersky cybersecurity expert Kurt Baumgartner.

SystemBC, a proxy-capable backdoor, has been a recurring component of cybercrime malware sets for years. This new variant, dubbed DroxiDat, exhibited similarities to its predecessors while introducing some unique characteristics. 

The attack involved multiple instances of DroxiDat appearing alongside Cobalt Strike beacons in the power generator’s network. The attackers deployed the DroxiDat/SystemBC payload to collect valuable system information, utilizing a command-and-control (C2) infrastructure that connected to an energy-related domain. Notably, this domain had a history of suspicious activity, raising concerns of a potentially APT-related attack.

Read more on SystemBC: ModernLoader Delivers Stealers, Cryptominers and RATs Via Fake Amazon Gift Cards

Though the full extent of the attack remains unclear, the combination of DroxiDat/SystemBC and Cobalt Strike beacons suggests a possible ransomware threat. DroxiDat’s ability to profile compromised systems and establish remote connections makes it a valuable tool for cyber-criminals orchestrating ransomware campaigns. However, no ransomware payload was ultimately delivered to the targeted power generator.

“However, in a healthcare-related incident involving DroxiDat around the same timeframe, Nokoyawa ransomware was delivered, along with several other incidents involving CobaltStrike sharing the same license_id and staging directories and/or C2,” Baumgartner clarified.

While attribution of the attack remains a challenge, specific indicators point to the involvement of a Russian-speaking Ransomware-as-a-Service (RaaS) group, potentially the infamous FIN12 or Pistachio Tempest. These groups have been known to deploy SystemBC alongside Cobalt Strike beacons in previous healthcare-related incidents.

What’s hot on Infosecurity Magazine?