Droxidat

Malware updated 4 months ago (2024-05-04T18:29:25.096Z)
DroxiDat, a new variant of the SystemBC malware, was deployed in a series of attacks on critical infrastructure targets in Africa during the third and fourth weeks of March 2023. SystemBC acts as a system profiler and simple SOCKS5-capable bot, and this DroxiDat build was detected at an electric utility company in southern Africa. Researchers from Kaspersky's Global Research and Analysis Team (GReAT) attributed the activity to an as yet unidentified threat actor. The DroxiDat variant is more compact than previous SystemBC variants, which shows how the code base is trimmed to the operators' needs.

The incident appears to be part of a broader wave of activity in which Cobalt Strike beacons, used to remotely control compromised hosts, were found on the same systems as DroxiDat, pointing to a coordinated intrusion rather than opportunistic infections. On the utility's network the operators used Cobalt Strike together with DroxiDat to profile compromised systems and establish remote connections. Notably, several of the incidents involving Cobalt Strike shared the same license ID, staging directories and/or C2 infrastructure, which is what allows them to be linked to one campaign.

Given the nature of the malware and the pattern of the attacks, this is believed to have been the initial stage of a ransomware attack. In a healthcare-related incident around the same time, Nokoyawa ransomware was delivered alongside DroxiDat. There is therefore significant concern that this wave of DroxiDat activity could escalate into more severe outcomes, including data theft and ransom demands.
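The paragraph above notes that the Cobalt Strike incidents were tied together because they shared a license ID (watermark), staging directory or C2. The following is an added example, not code from the page or from Kaspersky, of how an analyst can turn that observation into a repeatable pivot: each incident is a record of those three attributes, any attribute value seen in two or more incidents becomes a link, and union-find merges linked incidents into clusters. All incident records and indicator values below are constructed for illustration and are not real indicators; the noisy-value list is an assumption (a watermark of 0 is shared by so many unrelated builds that it is not evidence of a common operator).

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed sample records (not real indicators): one per incident, holding the
# three attributes the report says overlapped between Cobalt Strike incidents.
SAMPLE_INCIDENTS = [
    {"id": "INC-A", "license_id": "1234567890", "staging": r"C:\ProgramData\tmp", "c2": "cdn-a.example"},
    {"id": "INC-B", "license_id": "1234567890", "staging": r"C:\Users\Public\x", "c2": "cdn-b.example"},
    {"id": "INC-C", "license_id": "5555555555", "staging": r"C:\Users\Public\x", "c2": "cdn-c.example"},
    {"id": "INC-D", "license_id": "9999999999", "staging": r"C:\Windows\Temp\q", "c2": "cdn-d.example"},
    {"id": "INC-E", "license_id": "7777777777", "staging": r"C:\Windows\Temp\z", "c2": "cdn-d.example"},
    {"id": "INC-F", "license_id": "0", "staging": r"C:\Temp", "c2": "cdn-f.example"},
]

PIVOT_FIELDS = ("license_id", "staging", "c2")

# Assumption: values shared by many unrelated actors must not create links.
# A Cobalt Strike watermark of 0 is the usual example; extend as needed.
NOISY_VALUES = {("license_id", "0")}


def _find(parent: Dict[str, str], x: str) -> str:
    """Union-find root lookup with path halving."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def _union(parent: Dict[str, str], a: str, b: str) -> None:
    ra, rb = _find(parent, a), _find(parent, b)
    if ra != rb:
        parent[rb] = ra


def shared_attributes(
    incidents: Iterable[dict],
    fields: Tuple[str, ...] = PIVOT_FIELDS,
    noisy=NOISY_VALUES,
) -> Dict[Tuple[str, str], List[str]]:
    """Map each (field, value) pair to the sorted incident IDs that share it.

    Only pairs present in two or more incidents and not listed as noisy are
    returned, so the result is exactly the set of links the clustering uses.
    """
    seen: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for inc in incidents:
        for field in fields:
            value = inc.get(field)
            if value is None or (field, value) in noisy:
                continue
            seen[(field, value)].append(inc["id"])
    return {key: sorted(ids) for key, ids in seen.items() if len(ids) > 1}


def cluster_incidents(
    incidents: List[dict],
    fields: Tuple[str, ...] = PIVOT_FIELDS,
    noisy=NOISY_VALUES,
) -> List[List[str]]:
    """Group incidents that are connected, directly or transitively, by a shared attribute."""
    parent = {inc["id"]: inc["id"] for inc in incidents}
    for ids in shared_attributes(incidents, fields, noisy).values():
        for other in ids[1:]:
            _union(parent, ids[0], other)
    groups: Dict[str, List[str]] = defaultdict(list)
    for incident_id in parent:
        groups[_find(parent, incident_id)].append(incident_id)
    return sorted(sorted(members) for members in groups.values())


if __name__ == "__main__":
    for key, ids in shared_attributes(SAMPLE_INCIDENTS).items():
        print(f"link {key[0]}={key[1]!r}: {', '.join(ids)}")
    for cluster in cluster_incidents(SAMPLE_INCIDENTS):
        print("cluster:", ", ".join(cluster))
```

With the constructed data, INC-A and INC-B share a license ID, INC-B and INC-C share a staging directory, so all three land in one cluster even though A and C have nothing directly in common; INC-D and INC-E are joined by their C2; INC-F stays alone because its only overlap candidate is the noisy watermark. The same transitive linking is what lets a single low-cost overlap (a reused staging path) tie a fresh intrusion back to a known campaign.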
Description last updated: 2024-05-04T17:07:38.542Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Name (votes): Profile description
SystemBC (4 votes): SystemBC is a malware family that has been heavily utilized in cyber-attacks and data breaches. Throughout 2023 it was frequently used in conjunction with other malware such as Quicksand and BlackBasta by cybercriminals to exploit vulnerabilities in computer systems. Play rans
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Payload
Proxy
Malware
Cobalt Strike
Bot
Associated Malware
Name (relation, votes): Profile description
Nokoyawa (is related to, 3 votes): Nokoyawa is a ransomware family. It has been associated with various other malicious software including Quantum, Royal, BlackBasta, Emotet, IcedID, CobaltStrike, SVCReady, CargoBay, Pushdo, Minodo, DiceLoader, AresLoader, LummaC2, Vidar, Gozi, Cany
Cobalt Strike (unspecified, 2 votes): Cobalt Strike is a commercial adversary-emulation framework whose Beacon implant is widely abused by intrusion operators to remotely control compromised hosts. It is typically delivered after an initial foothold gained via malicious downloads, e-mail attachments or compromised websites, and is then used to steal information, disrupt operations, or stage ransomware. CobaltStrike has been observed in conjunct
Source Document References
Information about the Droxidat malware was read from the documents in the corpus below.
Source, age: Title
Securelist, 9 months ago: Kaspersky malware report for Q3 2023
CERT-EU, 10 months ago: SystemBC, a SWISS KNIFE Proxy Malware, Used by Numerous Ransomware Groups
Securelist, a year ago: Updated MATA attacks industrial companies in Eastern Europe
CERT-EU, a year ago: Southern African power generator targeted with DroxiDat malware (National Cyber Security Consulting)
Securityaffairs, a year ago: Power Generator in South Africa hit with DroxiDat and Cobalt Strike
InfoSecurity-magazine, a year ago: DroxiDat-Cobalt Strike Duo Targets Power Generator Network
CERT-EU, a year ago: Focus on DroxiDat/SystemBC (GIXtools)
CERT-EU, a year ago: Focus on DroxiDat/SystemBC