Mysterious cyberattack in South Africa: New DroxiDat cyberthreat opens the door to victims' networks

Carding

Experts expect a larger attack that will reveal the purpose of the intrusion into African networks.

Unknown hackers carried out an attack on an energy company in South Africa, using the latest version of the SystemBC malware, called DroxiDat. Kaspersky GReAT experts suggest that the hack may be a preparatory stage for an attack using a ransomware program.

According to Kaspersky GReAT experts, the attack, which occurred at the end of March 2023, was at an early stage. As part of the attack, DroxiDat was used to profile the system and proxy network traffic over the SOCKS5 protocol for command and control (C2).
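Because the article says DroxiDat proxied C2 traffic over SOCKS5, a defender's first question is how to spot a SOCKS5 handshake from a host that has no business acting as a proxy client. The following is an added example, not code from the article, from Kaspersky, or from the malware itself: it decodes the SOCKS5 client greeting and request framing defined in RFC 1928 and flags captured flows whose server is not an approved proxy. The flow records, the server addresses and the allow-list are constructed for illustration.

```python
"""Detect SOCKS5 handshakes in captured TCP payloads (RFC 1928 framing).

Added example for illustration: not DroxiDat/SystemBC code and not from
Kaspersky. The sample flows, addresses and allow-list below are constructed.
"""
import ipaddress
import struct

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def parse_greeting(payload: bytes):
    """Return the auth methods offered in a SOCKS5 client greeting
    (VER NMETHODS METHODS...), or None if the bytes are not a greeting."""
    if len(payload) < 2 or payload[0] != SOCKS_VERSION:
        return None
    nmethods = payload[1]
    if nmethods == 0 or len(payload) != 2 + nmethods:
        return None
    return list(payload[2:2 + nmethods])


def parse_request(payload: bytes):
    """Decode a SOCKS5 request (VER CMD RSV ATYP DST.ADDR DST.PORT).
    Returns {'cmd', 'host', 'port'} or None when malformed."""
    if len(payload) < 4 or payload[0] != SOCKS_VERSION or payload[2] != 0x00:
        return None
    cmd, atyp = payload[1], payload[3]
    if cmd not in CMD_NAMES:
        return None
    body = payload[4:]
    if atyp == ATYP_IPV4:
        if len(body) != 6:
            return None
        host = str(ipaddress.IPv4Address(body[:4]))
        port = struct.unpack("!H", body[4:])[0]
    elif atyp == ATYP_IPV6:
        if len(body) != 18:
            return None
        host = str(ipaddress.IPv6Address(body[:16]))
        port = struct.unpack("!H", body[16:])[0]
    elif atyp == ATYP_DOMAIN:
        # First byte is the domain length, then the name, then a 2-byte port.
        if not body or len(body) != 1 + body[0] + 2:
            return None
        host = body[1:1 + body[0]].decode("ascii", errors="replace")
        port = struct.unpack("!H", body[1 + body[0]:])[0]
    else:
        return None
    return {"cmd": CMD_NAMES[cmd], "host": host, "port": port}


def flag_socks5_flows(flows, allowed_proxies):
    """Flag flows whose first client payload is a SOCKS5 greeting and whose
    server is not an approved proxy. Each flow is a dict with 'src',
    'server' ("ip:port") and 'client_payloads' (client-to-server bytes)."""
    alerts = []
    for flow in flows:
        methods = parse_greeting(flow["client_payloads"][0])
        if methods is None or flow["server"] in allowed_proxies:
            continue
        request = None
        if len(flow["client_payloads"]) > 1:
            request = parse_request(flow["client_payloads"][1])
        alerts.append({"src": flow["src"], "server": flow["server"],
                       "auth_methods": methods, "request": request})
    return alerts


# Constructed sample flows (hypothetical addresses, not from the article).
SAMPLE_FLOWS = [
    {"src": "10.0.5.23", "server": "203.0.113.7:1080",
     "client_payloads": [b"\x05\x01\x00",  # greeting offering NO AUTH
                         b"\x05\x01\x00\x03" + bytes([11]) + b"example.net"
                         + b"\x01\xbb"]},  # CONNECT example.net:443
    {"src": "10.0.5.40", "server": "10.0.0.9:443",
     "client_payloads": [b"\x16\x03\x01\x00\xa5"]},  # TLS ClientHello, not SOCKS
    {"src": "10.0.5.41", "server": "10.0.0.9:1080",
     "client_payloads": [b"\x05\x02\x00\x02"]},  # sanctioned corporate proxy
]
ALLOWED_PROXIES = {"10.0.0.9:1080"}

if __name__ == "__main__":
    for alert in flag_socks5_flows(SAMPLE_FLOWS, ALLOWED_PROXIES):
        print(alert)
```

Only the first flow is reported: the second is not SOCKS at all, and the third talks to an approved proxy. In practice the flow records would come from a packet capture or network sensor; the point is that a SOCKS5 greeting is a fixed, cheap-to-match prefix, so unexpected proxy clients on a segment such as an industrial network are easy to surface once the allow-list of legitimate proxies is known.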

SystemBC is a malware written in C/C++. It was first detected in 2019 and is used to install proxy servers on victims' computers; the proxies allow hackers to mask their actions.

According to Kaspersky Lab, DroxiDat is linked to incidents in the healthcare sector where the Nokoyawa ransomware was used together with Cobalt Strike. The malware is much simpler than SystemBC – it can only collect information about the system and send data to a remote server, as well as change the registry. DroxiDat is not capable of installing additional payloads.

The Nokoyawa ransomware emerged in February 2022 as a strain targeting 64-bit Windows systems in double-extortion attacks, where attackers also steal confidential files from compromised networks and threaten to publish them unless a ransom is paid.

It is worth noting that SystemBC and Cobalt Strike have already been used together in attacks on medical and financial organizations in the United States, Great Britain and Australia. The threat actor moved quickly, traversing the infected network and gaining elevated privileges in less than 4 hours.
 