Power Generator in South Africa hit with DroxiDat and Cobalt Strike

Pierluigi Paganini August 12, 2023

Threat actors employed a new variant of the SystemBC malware, named DroxiDat, in attacks aimed at African critical infrastructure.

Researchers from Kaspersky’s Global Research and Analysis Team (GReAT) reported that an unknown threat actor used a new variant of the SystemBC proxy malware, named DroxiDat, in an attack against a power generation company in southern Africa.

SystemBC was discovered by experts at Proofpoint in Augut 2019, it is being distributed via exploit kits like Fallout and RIG. The malware was tracked as “SystemBC” based on the URI path shown in the advertisement’s panel screenshots. The malware hides malicious network traffic using SOCKS5 proxies that are set up on compromised PC.

The SystemBC platform has been offered for sale on various underground forums at least since 2018 as a “malware as a service,” or MaaS.

In the attack discovered by Kaspersky, the proxy backdoor was deployed alongside Cobalt Strike beacons, the researchers believe that this incident was in the initial stages of a ransomware attack.

The attack occurred in mid-March 2023, the researchers observed a small wave of attacks involving the DroxiDat. The malware is 8kb in size and was used as a system profiler and a simple SOCKS5-capable bot.

Unlike previous variants, this Windows variant missed the following capabilities:

  • File creation capability.
  • File-execution switch statement, parsing for hardcoded file extensions (vbs, cmd, bat, exe, ps1) and code execution functionality.
  • Mini-TOR client capabilities.
  • Emisoft anti-malware scan.

The researchers noticed that C2 infrastructure used in this attack involved an energy-related domain “powersupportplan[.]com.” The domain resolved to an already suspicious IP host that was previously used several years prior as a part of an APT activity, a circumstance that suggests that the incident was the result of an attack from a nation-state actor.

“Also interesting, within this power generator network, DroxiDat/systemBC was detected exclusively on system assets similar to past DarkSide targets. And, a Darkside affiliate hit Electrobras and Copel energy companies in Brazil in 2021.” reads the report published by

Data collected related to multiple incidents analyzed by Kaspersky suggest the attack was conducted by the Russian-speaking RaaS cybercrime Pistachio Tempest or FIN12. The group focuses on healthcare industry and frequently used SystemBC alongside CS Beacon to deploy ransomware.

Kaspersky published Indicators of Compromise (IoCs) for this threat.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, DroxiDat)



you might also like

leave a comment