Related Families: SystemBC
Verticals Targeted: Energy
Executive Summary
An African energy sector entity was recently targeted using DroxiDat, a variant of SystemBC.
Key Takeaways
- DroxiDat was recently used to target an energy sector entity in Africa.
- DroxiDat is a more compact variant of SystemBC, with some of the previous functionality stripped away.
- The threat actors responsible for the attack also used Cobalt Strike beacons in conjunction with DroxiDat, indicating a high likelihood of planned follow-on attacks.
- This attack has been tentatively attributed to the Fin12 threat actor group.
What is DroxiDat?
An African power company was recently targeted using DroxiDat, a variant of SystemBC. Secure List recently reported on DroxiDat.
SystemBC, active since at least 2018, is both a proxy and a RAT. It leverages SOCKS5. It is best known for being used in the DarkSide ransomware attack on Colonial Pipeline in 2021. SystemBC has been known to distribute other payloads, including Smokeloader and Emotet.
DroxiDat is more compact than previous SystemBC variants, as much of the functionality has been stripped. DroxiDat does not have the download and execute capabilities of previous SystemBC variants. The changes make DroxiDat more of a system profiler. The threat actors also used Cobalt Strike beacons in conjunction with DroxiDat in the attack, indicating a high likelihood of planned follow-on attacks.
Who is Fin12?
Secure List tentatively points to Fin12 as the possible threat actor behind these attacks. Fin12, also known as Pistachio Tempest, typically targets healthcare entities rather than energy sector entities. However, they have been observed deploying SystemBC in conjunction with Cobalt Strike beacons.
Fin12 has been active since at least 2018 and is known to be financially motivated. Industry researchers believe group members primarily speak Russian, although the group’s nexus is unknown. They typically only target entities with a high stream of revenue. Their TTPs include but are not limited to the use of code-signed payloads, Ryuk, Trickbot, BazarLoader, Empire, and Cobalt Strike. While healthcare entities are their most frequent targets, Fin12 has also been observed targeting the education, manufacturing, technology, and financial verticals.
IOCs
PolySwarm has a sample of DroxiDat.
a00ca18431363b32ca20bf2da33a2e2704ca40b0c56064656432afd18a62824e
You can use the following CLI command to search for all DroxiDat samples in our portal:
$ polyswarm link list -f DroxiDat
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports