Unidentified threat actors are allegedly using a new SystemBC malware variant to attack power-generation companies in southern African nations. Researchers believe the new variant, DroxiDat, is intended for ransomware deployment.
The researchers discovered the attack last March, identifying it in its early stages. DroxiDat profiled the compromised system and proxied network traffic to and from C2 servers over the SOCKS5 protocol.
The SystemBC malware is a remote admin tool.
The SystemBC variant, written in C/C++, acts as a remote administration tool. Threat analysts explained that its primary objective is to establish SOCKS5 proxies on targeted devices so that malicious traffic associated with other malware can be tunnelled through them. Some of its latest variants can also download and execute additional payloads.
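Because the proxy behaviour described above rides on the standard SOCKS5 protocol (RFC 1928), a network defender can look for its handshake in sessions where no SOCKS proxy is expected. The following is an added example written for this article, not code from the researchers or from the malware: it parses the SOCKS5 client greeting and request, decodes the requested destination, and flags sessions whose server side is not an approved proxy. The session data, host names and addresses are constructed, and the check assumes the handshake is visible in cleartext to the sensor; a channel that wraps SOCKS5 in its own encryption would need decryption or a different indicator.

```python
"""Flag SOCKS5 handshakes (RFC 1928) in TCP sessions where no proxy is expected.

Constructed example for illustration; assumes a sensor that exposes, for each TCP
session, a 5-tuple plus the first few client->server payload segments.
"""
import ipaddress
import struct

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}


def parse_greeting(payload: bytes):
    """Return the offered auth methods if payload is a SOCKS5 greeting, else None."""
    if len(payload) < 2 or payload[0] != SOCKS_VERSION:
        return None
    nmethods = payload[1]
    if len(payload) < 2 + nmethods:
        return None
    return list(payload[2:2 + nmethods])


def parse_request(payload: bytes):
    """Parse a SOCKS5 request: VER CMD RSV ATYP DST.ADDR DST.PORT.

    Returns (command, host, port) or None when the bytes are not a well-formed request.
    Handles IPv4 (ATYP 1), domain name (ATYP 3) and IPv6 (ATYP 4) addresses.
    """
    if len(payload) < 4 or payload[0] != SOCKS_VERSION or payload[2] != 0x00:
        return None
    cmd, atyp, body = payload[1], payload[3], payload[4:]
    if cmd not in CMD_NAMES:
        return None
    if atyp == 0x01:                      # IPv4: 4 address bytes
        if len(body) < 6:
            return None
        host, off = str(ipaddress.IPv4Address(body[:4])), 4
    elif atyp == 0x03:                    # domain: 1 length byte + name
        if not body or len(body) < 1 + body[0] + 2:
            return None
        host, off = body[1:1 + body[0]].decode("ascii", errors="replace"), 1 + body[0]
    elif atyp == 0x04:                    # IPv6: 16 address bytes
        if len(body) < 18:
            return None
        host, off = str(ipaddress.IPv6Address(body[:16])), 16
    else:
        return None
    port = struct.unpack("!H", body[off:off + 2])[0]
    return CMD_NAMES[cmd], host, port


def check_session(session: dict, approved_proxies: set):
    """Return a finding dict if the session opens with a SOCKS5 handshake toward a
    server that is not an approved proxy; otherwise None."""
    payloads = session["payloads"]
    if not payloads or parse_greeting(payloads[0]) is None:
        return None
    if session["dst"] in approved_proxies:
        return None
    return {
        "src": session["src"],
        "dst": session["dst"],
        "dport": session["dport"],
        "auth_methods": parse_greeting(payloads[0]),
        # The request follows the server's method-selection reply, so it is the
        # second client->server segment when no authentication sub-negotiation occurs.
        "request": parse_request(payloads[1]) if len(payloads) > 1 else None,
    }


def scan(sessions: list, approved_proxies: set) -> list:
    """Run check_session over a batch of sessions and collect the findings."""
    return [f for f in (check_session(s, approved_proxies) for s in sessions) if f]


def _socks_connect_domain(domain: str, port: int) -> bytes:
    """Build a SOCKS5 CONNECT request with a domain-name destination (test data)."""
    name = domain.encode("ascii")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)


# Constructed sessions; addresses are documentation ranges, not real indicators.
APPROVED_PROXIES = {"10.0.0.5"}
SAMPLE_SESSIONS = [
    # Workstation speaking SOCKS5 to an external host on 443: suspicious.
    {"src": "10.20.30.40", "dst": "198.51.100.7", "dport": 443,
     "payloads": [b"\x05\x01\x00", _socks_connect_domain("update.example.net", 443)]},
    # Same handshake toward the corporate proxy: expected, not flagged.
    {"src": "10.20.30.41", "dst": "10.0.0.5", "dport": 1080,
     "payloads": [b"\x05\x02\x00\x02", _socks_connect_domain("intranet.example", 80)]},
    # Ordinary TLS ClientHello prefix: not SOCKS at all.
    {"src": "10.20.30.42", "dst": "203.0.113.9", "dport": 443,
     "payloads": [b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"]},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_SESSIONS, APPROVED_PROXIES):
        print(finding)
```

Run stand-alone, the script prints one finding: the workstation session to 198.51.100.7 requesting a CONNECT to update.example.net:443. Decoding the requested destination matters in triage because it tells you what the attacker was trying to reach through the victim, which is the scoping question a responder asks first.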
Threat actors' use of SystemBC as a vector in ransomware campaigns is a familiar pattern to researchers. A few years ago, a ransomware operation relied on the SystemBC RAT as an off-the-shelf Tor backdoor for Egregor and Ryuk.
SystemBC became an attractive tool for attackers because its multitasking abilities let them target multiple companies simultaneously: operators can run other tasks remotely while concentrating on a prioritised, more profitable target without giving up the others.
The new malware's involvement in ransomware deployment was observed in a healthcare-related campaign in which the Nokoyawa ransomware operators breached systems alongside Cobalt Strike.
Furthermore, the new variant is compact and lean compared to the older SystemBC builds: this latest version is essentially a simple system profiler that exfiltrates the collected information to an attacker-controlled server.
The researchers stated that the new variant lets its operators connect to remote listeners, transfer data in both directions, and modify the system registry.
Investigators have yet to identify the ransomware operators behind this new surge of malware campaigns. Still, the available evidence points to Russian ransomware actors such as FIN12 as the leading suspects behind these new cybercriminal campaigns.