Southern African power generator targeted with DroxiDat malware

Researchers have uncovered a suspected cyberattack targeting a power generator in southern Africa with a new variant of the SystemBC malware.

The attack was carried out by an unknown hacker group in March of this year, according to a report by cybersecurity firm Kaspersky.

The hackers used a Cobalt Strike tool and DroxiDat — a new variant of the SystemBC payload — to profile compromised systems and establish remote connections on the electric utility. No ransomware was delivered to the organization, however.

The SystemBC payload is a “changing, malicious backdoor, often used as a part of ransomware incidents,” according to Kaspersky. It has been offered for sale on various darknet forums since at least 2018 as a “malware as a service.”

The malware’s new variant allows attackers to work on many targets simultaneously using automated tasks. If they get the right credentials, they can deploy ransomware using built-in Windows tools without needing to manually control the process.

This DroxiDat variant is compact compared to previous SystemBC variants. It can retrieve an active machine name and username, as well as IP address information. Then it encrypts this data and sends it to the hackers’ communication and control system.

The researchers also discovered the Cobalt Strike beacons — used to remotely control compromised devices — on the same day and in the same system as DroxiDat.

The attack wasn't attributed to any specific group, but Kaspersky said it was likely linked to Russian-speaking cybercriminals.

One hacker group, Pistachio Tempest or FIN12, frequently deployed SystemBC alongside Cobalt Strike to target the healthcare industry in 2022.

Clarification: An earlier version of this story attributed the research to Securelist, a blog where Kaspersky posts public research.