A group of utility workers repairing electric installations and solar panels beneath power lines.

SystemBC Malware Targets A South African Power Company

A new variant of the SystemBC malware has been discovered. This disclosure follows a recent cyberattack on the infrastructure of a South African power company. The attackers utilised Cobalt Strike Beacon and DroxiDat, showcasing a variation of the SystemBC malware.

This incident occurred around the end of March 2023, drawing comparisons to the well-known Darkside Colonial Pipeline breakage. Kurt Baumgartner, a cybersecurity analyst at Kaspersky, revealed this information in his most recent alert.

The Russian cybersecurity company said that the attack, which included the use of DroxiDat for system profiling, was still in its early stages. For managing bidirectional command-and-control (C2) infrastructure network traffic, this involved the use of the SOCKS5 protocol.

SystemBC is a common malware and remote administration tool developed in C/C++ that was first noticed in 2019. Its main purpose is to set up SOCKS5 proxies on infected machines, which malicious actors can then use to anonymously send malicious traffic associated with different malware outbreaks. This malware may retrieve and execute additional payloads in more recent versions.

Threat actors are employing ransomware attacks to target various infrastructures and organisations. Interestingly, these attacks have largely avoided energy utilities. However, over 56% of these targets have reported serious implications, such as the loss of personal data or disruptions to their operational technology (OT) environment.

Techniques used by SystemBC

A backdoor with proxy capabilities and malicious modifications are present in the most recent version of SystemBC. Since 2018, SystemBC has been available for use as malware as a service (MaaS), and it exchanges data on various darknet forums.

According to Kurt Baumgartner, lead security researcher of Kaspersky’s Global Research and Analysis Team (GReAT):

SystemBC is an attractive tool in these types of operations because it allows for multiple targets to be worked at the same time with automated tasks, allowing for hands-off deployment of ransomware using Windows built-in tools if the attackers gain the proper credentials.

The SystemBC variation using DroxiDat is more efficient than older versions. It has the capacity to collect information on the active machine’s name, username, and IP address. This information is then encrypted and sent to the hackers’ communication and control systems.

An administrative dashboard-equipped C2 web server, a server-side C2 proxy listener, and a backdoor payload installed on the target machine make up SystemBC’s three main parts. In its role as this payload, DroxiDat has decreased from its former size range of 15-30kb to just 8kb.

Unlike prior versions, DroxiDat links to remote listeners for data exchange between C2 and the targeted system. It also has the ability to alter the system registry.

The source of the threat actors behind the surge in attacks is currently unknown. However, the available evidence clearly suggests a possible connection with Russian ransomware groups, particularly FIN12 (also known as Pistachio Tempest). Experts discovered that this group employed SystemBC and Cobalt Strike Beacons to distribute ransomware.

Successful ransomware attacks are most-often preceded by phishing emails. Help your colleagues keep a security-first mindset and boost your human firewall by starting your Phishing Tackle security awareness training today with our two-week free trial.

Recent posts