A new variant of SystemBC malware was found to be deployed to a critical infrastructure target. This malware was responsible for the DarkSide Colonial Pipeline Incident in 2021. There have been several Ransomware attacks during the second quarter of 2023.
Threat actors target several organizations and infrastructures with ransomware attacks. But only a few ransomware attacks were targeting electric utilities.
More than 56% of the targets reported that they faced a loss of private information or an outage in their Operational Technology (OT) Environment.
In addition to this, recent reports indicate that a south african electric utility infrastructure was targeted with Cobalt Strike Beacon and DroxiDat, which was discovered to be the new variant of SystemBC payload.
This incident was found to be targeted during the third and fourth week of March 2023 and was part of a small wave attack across the world.FREE Webinar
API Security Fundamentals: How to Discover, Scan and Protect APIs
API Attacks Have Increased by 400% – Understand the Fundamentals of Protecting Your APIs with a Positive Security Model – Register Now for a Free WebinarRegister Now
Technical Details
The current variant of SystemBC has a proxy-capable backdoor and changes maliciously. System BC has been available since 2018 which acts as “Malware as a service” (MaaS) and is sold on various underground forums.
SystemBC has three parts: a C2 web server with an admin panel, a C2 proxy listener on the server side, and a backdoor payload on the target.
DroxiDat acts as the payload component of SystemBC and previously had a size of 15-30kb+ which is now compacted to ~8kb.
DroxiDat does not act as a download and execute type payload as in the previous versions but can connect to remote listeners to pass the data between the C2 and the target and change the system registry.
There were two instances of DroxiDat found at C:\perflogs alongside the CrowdStrike Beacon on multiple systems.
The current variant of SystemBC has many important capabilities like Retrieving machine names or usernames, session creation with C2 by decrypting the settings, encrypted communication with C2, and creating or deleting registry keys.
It is highly suspected that this was done by a Russian-speaking RaaS cybercrime unit. Expected threat actors also include Pistachio Tempest or FIN12. A complete report has been published by Securelist, which provides detailed information about the current variant of SystemBC and its activities.
Indicators of Compromise
Domains and IP93.115.25.41
powersupportplan[.]com, 179.60.146.6
Likely relatedepowersoftware[.]com, 194.165.16.63
File hashDroxidat
8d582a14279920af10d37eae3ff2b705
f98b32755cbfa063a868c64bd761486f7d5240cc
a00ca18431363b32ca20bf2da33a2e2704ca40b0c56064656432afd18a62824e
CobaltStrike beacon19567b140ae6f266bac6d1ba70459fbd
fd9016c64aea037465ce045d998c1eead3971d35
a002668f47ff6eb7dd1b327a23bafc3a04bf5208f71610960366dfc28e280fe4
File paths, related objectsC:\perflogs\syscheck.exe
C:\perflogs\a.dll
C:\perflogs\hos.exe
C:\perflogs\host.exe
C:\perflogs\hostt.exe
C:\perflogs\svch.dll
C:\perflogs\svchoct.dll
C:\perflogs\admin\svcpost.dll
C:\perflogs\admin\syscheck.exe
C:\perflogs\sk64.dll
C:\perflogs\clinic.exe
Source: https://cybersecuritynews.com/power-generator-systems-ransomware/
