South Africa
Image: A power line in Northern Cape, South Africa. Credit: LBM1948 via WikiMedia Commons

Southern African power generator targeted with DroxiDat malware

Researchers have uncovered a suspected cyberattack targeting a power generator in southern Africa with a new variant of the SystemBC malware.

The attack was carried out by an unknown hacker group in March of this year, according to a report by cybersecurity firm Kaspersky.

The hackers used a Cobalt Strike tool and DroxiDat — a new variant of the SystemBC payload — to profile compromised systems and establish remote connections on the electric utility. No ransomware was delivered to the organization, however.

The SystemBC payload is a “changing, malicious backdoor, often used as a part of ransomware incidents,” according to Kaspersky. It has been offered for sale on various darknet forums since at least 2018 as a “malware as a service.”

The malware’s new variant allows attackers to work on many targets simultaneously using automated tasks. If they get the right credentials, they can deploy ransomware using built-in Windows tools without needing to manually control the process.

This DroxiDat variant is compact compared to previous SystemBC variants. It can retrieve an active machine name and username, as well as IP address information. Then it encrypts this data and sends it to the hackers’ communication and control system.

The researchers also discovered the Cobalt Strike beacons — used to remotely control compromised devices — on the same day and in the same system as DroxiDat.

The attack wasn't attributed to any specific group, but Kaspersky said it was likely linked to Russian-speaking cybercriminals.

One hacker group, Pistachio Tempest or FIN12, frequently deployed SystemBC alongside Cobalt Strike to target the healthcare industry in 2022.

Clarification: An earlier version of this story attributed the research to Securelist, a blog where Kaspersky posts public research.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
What is Threat Intelligence
No previous article
No new articles
Daryna Antoniuk

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.