The PolySwarm Blog


DroxiDat Targets African Power Company

Aug 18, 2023 2:54:28 PM / by The Hivemind

DroxiDat
Related Families: SystemBC
Verticals Targeted: Energy

Executive Summary

An African energy sector entity was recently targeted using DroxiDat, a variant of SystemBC.

Key Takeaways

  • DroxiDat was recently used to target an energy sector entity in Africa.
  • DroxiDat is a more compact variant of SystemBC, with some of the previous functionality stripped away.
  • The threat actors responsible for the attack also used Cobalt Strike beacons in conjunction with DroxiDat, indicating a high likelihood of planned follow-on attacks. 
  • This attack has been tentatively attributed to the Fin12 threat actor group.

What is DroxiDat?

An African power company was recently targeted using DroxiDat, a variant of SystemBC. Securelist recently reported on the activity.

SystemBC, active since at least 2018, is both a proxy and a RAT. It uses SOCKS5 for its proxy functionality. It is best known for its use in the DarkSide ransomware attack on Colonial Pipeline in 2021. SystemBC has also been used to distribute other payloads, including Smokeloader and Emotet.

DroxiDat is more compact than previous SystemBC variants, as much of the original functionality has been stripped out. In particular, it lacks the download-and-execute capability of earlier SystemBC variants, which makes DroxiDat function more as a system profiler than as a loader. The threat actors also deployed Cobalt Strike beacons alongside DroxiDat in this attack, indicating a high likelihood of planned follow-on activity.

Who is Fin12?

Securelist tentatively points to Fin12 as the possible threat actor behind these attacks. Fin12, also known as Pistachio Tempest, typically targets healthcare entities rather than the energy sector. However, the group has been observed deploying SystemBC in conjunction with Cobalt Strike beacons.

Fin12 has been active since at least 2018 and is known to be financially motivated. Industry researchers believe group members primarily speak Russian, although the group's nexus is unknown. They typically target only high-revenue entities. Their TTPs include, but are not limited to, the use of code-signed payloads, Ryuk, Trickbot, BazarLoader, Empire, and Cobalt Strike. While healthcare entities are their most frequent targets, Fin12 has also been observed targeting the education, manufacturing, technology, and financial verticals.

IOCs

PolySwarm has a sample of DroxiDat:

a00ca18431363b32ca20bf2da33a2e2704ca40b0c56064656432afd18a62824e

You can use the following CLI command to search for all DroxiDat samples in our portal:

$ polyswarm link list -f DroxiDat
