Droxidat

Malware updated 7 months ago (2024-05-04T18:29:25.096Z)
DroxiDat, a new variant of the SystemBC malware, was deployed in a series of attacks on critical infrastructure targets in Africa during the third and fourth weeks of March. The malware acts as a system profiler and a simple SOCKS5-capable bot, and it was detected at an electric utility company in southern Africa. Researchers from Kaspersky's Global Research and Analysis Team (GReAT) attributed the attacks to a previously unknown threat actor. This DroxiDat variant is more compact than earlier SystemBC variants, showing how the family is adapted to attackers' needs.

The incident appears to be part of a broader wave of attacks involving both DroxiDat and Cobalt Strike beacons, tools used to remotely control compromised devices; the beacons were found on the same systems as DroxiDat, pointing to a coordinated attack strategy. The researchers observed that the attackers used Cobalt Strike together with DroxiDat to profile compromised systems and establish remote connections within the electric utility. Notably, several of the Cobalt Strike incidents shared the same license ID, staging directories, and/or C2 infrastructure.

Given the nature of the malware and the pattern of the attacks, the activity is believed to have been the initial stage of a ransomware attack: in a similar healthcare-related incident around the same time, Nokoyawa ransomware was delivered alongside DroxiDat. There is therefore significant concern that this wave of DroxiDat attacks could escalate into more severe incidents, including data breaches and ransom demands.
Description last updated: 2024-05-04T17:07:38.542Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias: Systembc
Description: Systembc is a possible alias for Droxidat. SystemBC is a type of malware, or malicious software, known for its disruptive and exploitative nature. It infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user. Once embedded, it can steal personal information, interrupt operations, or hold data hostage f
Votes: 4
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Payload
Proxy
Malware
Cobalt Strike
Bot
Associated Malware
Alias: Nokoyawa
Description: The Nokoyawa Malware is associated with Droxidat. Nokoyawa is a prominent malware, specifically ransomware, that has been linked to numerous cybercrime activities since it first emerged in 2022. It has been associated with various other malware families including Quantum, Royal, BlackBasta, and a variety of others such as Emotet, IcedID, CobaltStri
Association Type: is related to
Votes: 3

Alias: Cobaltstrike
Description: The Cobaltstrike Malware is associated with Droxidat. CobaltStrike is a type of malware, or malicious software, that infiltrates systems to exploit and damage them. It can gain access via suspicious downloads, emails, or websites and then steal personal information, disrupt operations, or hold data for ransom. CobaltStrike has been observed in conjunct
Association Type: Unspecified
Votes: 2
Source Document References
Information about the Droxidat Malware was read from the documents corpus below.