DroxiDat is a compact variant of the SystemBC backdoor used with Cobalt Strike beacons against a southern African electric utility, illustrating how MaaS-style toolsets enable stealthy reconnaissance and potential ransomware deployment. The report links this activity to broader trends of targeted utilities, healthcare incidents, and overlapping use of SystemBC with Cobalt Strike, with attribution discussions pointing to Russian-speaking RaaS groups such as Pistachio Tempest or FIN12. #DroxiDat #SystemBC #CobaltStrike #PistachioTempest #FIN12 #Nokoyawa #Electrobras #Copel #SouthAfrica

Keypoints

  • DroxiDat is a lean ~8KB variant of SystemBC acting as a system profiler and a SOCKS5-capable bot.
  • Deployed alongside Cobalt Strike beacons against a southern African electric utility in March 2023 as part of a small wave of DroxiDat and CS beacon activity.
  • The C2 infrastructure involved domains and IPs such as powersupportplan[.]com and 93.115.25.41:443, with related domains like epowersoftware[.]com and a suspicious hosting pattern.
  • DroxiDat’s capabilities include system information collection, registry modification, and XOR-encoded C2 settings, but it lacks file creation/execution features in this variant.
  • Two DroxiDat artifacts appeared in C:\perflogs (one as a DLL) alongside Cobalt Strike beacons; the same global infrastructure showed links to DarkSide-era activity.
  • Attribution discussions point to Russian-speaking RaaS groups (Pistachio Tempest or FIN12) with prior healthcare-focused deployments and shared tool usage, though attribution remains low-confidence.

MITRE Techniques

  • [T1059.001] PowerShell – Used to execute hidden commands, e.g., powershell.exe -windowstyle hidden -Command "c:\perflogs\hos.exe".
    [“powershell.exe -windowstyle hidden -Command "c:\perflogs\hos.exe"”]
  • [T1090] Proxy – DroxiDat functions as a SOCKS5-capable backdoor that can connect with remote listeners and pass data back to a C2.
    [“It can connect with remote listeners and pass data back and forth”]
  • [T1082] System Information Discovery – Retrieves machine name/username, local IP and volume serial information.
    [“Retrieves active machine name/username, local IP and volume serial information.”]
  • [T1112] Modify Registry – May create and delete registry keys and values.
    [“May create and delete registry keys and values.”]
  • [T1027] Obfuscated Files and Information – XOR-encoded configuration and C2 (IP:port) settings.
    [“xor decrypts its C2 (IP:port) settings”]
  • [T1071.001] Web Protocols – C2 infrastructure uses the domain powersupportplan[.]com and related IPs; data exchange with the C2 occurs over a network protocol.
    [“C2 infrastructure for this electric utility incident involved an energy-related domain “powersupportplan[.]com” that resolved to an already suspicious IP host.”]

Indicators of Compromise

  • [Domain] powersupportplan[.]com – domain used for C2 communication.
  • [Domain] epowersoftware[.]com – domain appearing in related beacons; potentially spoofed power-utility theme.
  • [IP Address] 93.115.25.41 – C2 destination for the DroxiDat configuration.
  • [IP Address] 179.60.146.6 – Related CS beacon infrastructure; part of power-utility themed C2 cluster.
  • [File hash] DroxiDat MD5: 8d582a14279920af10d37eae3ff2b705, DroxiDat SHA1: f98b32755cbfa063a868c64bd761486f7d5240cc
  • [File hash] DroxiDat SHA256: a00ca18431363b32ca20bf2da33a2e2704ca40b0c56064656432afd18a62824e
  • [File hash] Cobalt Strike beacon (example): MD5 19567b140ae6f266bac6d1ba70459fbd, SHA1 fd9016c64aea037465ce045d998c1eead3971d35
  • [File path] C:\perflogs\syscheck.exe, C:\perflogs\svch.dll
  • [File path] C:\perflogs\a.dll, C:\perflogs\adminsvcpost.dll
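As an added defender-side example (not code from the Securelist report), the following Python routine triages Sysmon-style events against the behaviours and indicators listed above: hidden PowerShell, execution or DLL loads from C:\perflogs, DNS queries and connections to the C2 domains/IPs, and the published hashes. Field names follow Sysmon conventions and the sample events, including the uppercase Hashes string, are constructed for illustration.

```python
import re

# Indicators and behaviours quoted in the summary above (defanged values refanged).
IOC_DOMAINS = {"powersupportplan.com", "epowersoftware.com"}
IOC_IPS = {"93.115.25.41", "179.60.146.6"}
IOC_HASHES = {
    "8d582a14279920af10d37eae3ff2b705",  # DroxiDat MD5
    "a00ca18431363b32ca20bf2da33a2e2704ca40b0c56064656432afd18a62824e",  # DroxiDat SHA256
    "19567b140ae6f266bac6d1ba70459fbd",  # Cobalt Strike beacon MD5
}
PERFLOGS_RE = re.compile(r"c:\\perflogs\\", re.IGNORECASE)
HIDDEN_PS_RE = re.compile(r"powershell(\.exe)?\b.*-windowstyle\s+hidden", re.IGNORECASE)

def hashes_of(event: dict) -> set[str]:
    """Parse a Sysmon-style 'MD5=...,SHA256=...' Hashes field into lowercase digests."""
    raw = event.get("Hashes", "")
    return {part.split("=", 1)[1].lower() for part in raw.split(",") if "=" in part}

def triage(event: dict) -> list[str]:
    """Return the report-derived indicators this single event matches (empty if none)."""
    hits = []
    text = " ".join(str(event.get(k, "")) for k in ("Image", "CommandLine", "ImageLoaded"))
    if HIDDEN_PS_RE.search(text):
        hits.append("T1059.001 hidden PowerShell")
    if PERFLOGS_RE.search(text):
        hits.append("binary run or loaded from C:\\perflogs")
    if event.get("QueryName", "").lower().rstrip(".") in IOC_DOMAINS:
        hits.append("T1071.001 DNS query for C2 domain")
    if event.get("DestinationIp") in IOC_IPS:
        hits.append("network connection to C2 IP")
    if hashes_of(event) & IOC_HASHES:
        hits.append("known DroxiDat/CS beacon hash")
    return hits

# Constructed Sysmon-style events (not from the report): process create, image load, DNS query, connect.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -windowstyle hidden -Command "c:\perflogs\hos.exe"'},
    {"EventID": 7, "Image": r"C:\perflogs\syscheck.exe", "ImageLoaded": r"C:\perflogs\svch.dll",
     "Hashes": "MD5=8D582A14279920AF10D37EAE3FF2B705,SHA1=F98B32755CBFA063A868C64BD761486F7D5240CC"},
    {"EventID": 22, "Image": r"C:\perflogs\syscheck.exe", "QueryName": "powersupportplan.com"},
    {"EventID": 3, "Image": r"C:\perflogs\syscheck.exe", "DestinationIp": "93.115.25.41", "DestinationPort": 443},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe report.txt"},
]

def triage_all(events=SAMPLE_EVENTS) -> list[tuple[int, list[str]]]:
    """Triage every event and keep only those with at least one hit, preserving order."""
    return [(e["EventID"], hits) for e in events if (hits := triage(e))]
```

Calling triage_all() on the sample set flags the first four events and leaves the benign notepad event untouched; the hash parser is case-insensitive so a SIEM's uppercase digests still match the lowercase indicators.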

Read more: https://securelist.com/focus-on-droxidat-systembc/110302/