{
	"id": "5a80c0bb-437e-465d-bb5e-caf816e8af57",
	"created_at": "2026-04-06T01:30:41.16261Z",
	"updated_at": "2026-04-10T13:12:55.929928Z",
	"deleted_at": null,
	"sha1_hash": "6793072ce60d6a42ab684b8769d7e9332580a022",
	"title": "Focus on DroxiDat/SystemBC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 63864,
	"plain_text": "Focus on DroxiDat/SystemBC\r\nBy Kurt Baumgartner\r\nPublished: 2023-08-10 · Archived: 2026-04-06 01:26:07 UTC\r\nRecently we pushed a report to our customers about an interesting and common component of the cybercrime malware set – SystemBC. And, in much the same vein as the 2021 Darkside Colonial Pipeline incident, we found a new SystemBC variant deployed to a critical infrastructure target. This time, the proxy-capable backdoor was deployed alongside Cobalt Strike beacons in a South African nation’s critical infrastructure.\r\nKim Zetter closely reviewed the preceding Colonial Pipeline incident in her BlackHat 2022 keynote “Pre-Stuxnet, Post-Stuxnet: Everything Has Changed, Nothing Has Changed”, calling it a “watershed moment”. We are now seeing targeting and tactical similarities elsewhere in the world.\r\nA lot of abstract content and interesting trend analysis has been published about industrial ransomware attacks (“The second quarter of 2023 proved to be an exceptionally active period for ransomware groups, posing significant threats to industrial organizations and infrastructure”), but very little technical detail about particular electric utility ransomware incidents has been publicly reported. We know that surveyed utilities, on a global basis, are reporting more and more targeted activity and higher risk: “56% [of respondents] report at least one attack involving a loss of private information or an outage in the OT environment in the past 12 months”. While not all of the activity is attributed to ransomware actors, perhaps the relevant ransomware attackers are avoiding retaliation by strong government agencies and alliances, while continuing to act on a game plan that demonstrated previous successes. Regardless, this increased utilities targeting is a real-world problem with serious potential consequences, especially in areas where network outages may affect customers on a country-wide basis.\r\nNotably, an unknown actor targeted an electric utility in southern Africa with Cobalt Strike beacons and DroxiDat, a new variant of the SystemBC payload. We speculate that this incident was in the initial stages of a ransomware attack. This attack occurred in the third and fourth week of March 2023, as a part of a small wave of attacks involving both DroxiDat and CobaltStrike beacons across the world. DroxiDat, a lean ~8kb variant of SystemBC serving as a system profiler and simple SOCKS5-capable bot, was detected in the electric utility. The C2 infrastructure for this electric utility incident involved an energy-related domain “powersupportplan[.]com” that resolved to an already suspicious IP host. This host was previously used several years prior as a part of an APT activity, raising the potential for an APT-related targeted attack. While our interest was piqued, a link to that previous APT was never established, and was likely unrelated. Ransomware was not delivered to the organization, and we do not have enough information to precisely attribute this activity. However, in a healthcare-related incident involving DroxiDat around the same timeframe, Nokoyawa ransomware was delivered, along with several other incidents involving CobaltStrike sharing the same license_id and staging directories, and/or C2.\r\nDroxiDat/SystemBC Technical Details\r\nhttps://securelist.com/focus-on-droxidat-systembc/110302/\r\nPage 1 of 5\r\nThe DroxiDat/SystemBC payload component is interesting in its own right as a changing, malicious backdoor, often used as a part of ransomware incidents. Multiple “types” of SystemBC have been publicly catalogued. The SystemBC platform has been offered for sale on various underground forums at least since 2018 as a “malware as a service,” or MaaS. This platform is made up of three separate parts: on the server side, a C2 web server with admin panel and a C2 proxy listener; on the target side, a backdoor payload. Regarding an earlier SystemBC variant, other researchers have stated that “SystemBC is an attractive tool in these types of operations because it allows for multiple targets to be worked at the same time with automated tasks, allowing for hands-off deployment of ransomware using Windows built-in tools if the attackers gain the proper credentials.”\r\nThis DroxiDat variant is very compact compared to previous and common 15-30kb+ SystemBC variants. Detected SystemBC objects going back to at least 2018 (a SystemBC executable compiled in July 2017 was observed) have numbered in the thousands and were used by a long list of ransomware affiliates. In fact, it appears that most of the functionality provided in previous SystemBC payloads was stripped from its codebase, and the purpose of this DroxiDat malware variant is a simple system profiler – its file name suggests its use case as “syscheck.exe”. It provides no download-and-execute capabilities, but can connect with remote listeners and pass data back and forth, and modify the system registry. Also interesting, within this power generator network, DroxiDat/SystemBC was detected exclusively on system assets similar to past DarkSide targets. And, a Darkside affiliate hit Eletrobras and Copel energy companies in Brazil in 2021. The combination of C:\\perflogs for storage with DroxiDat/SystemBC and CobaltStrike executable objects was used in past Egregor and Ryuk incidents as well.\r\nMD5 8d582a14279920af10d37eae3ff2b705\r\nSHA1 f98b32755cbfa063a868c64bd761486f7d5240cc\r\nSHA256 a00ca18431363b32ca20bf2da33a2e2704ca40b0c56064656432afd18a62824e\r\nLink time Thu, 15 Dec 2022 06:34:16 UTC\r\nFile type PE32 executable (GUI) Intel 80386, for MS Windows\r\nFile size 8192 bytes\r\nFile path C:\\perflogs\\syscheck.exe\r\nTwo instances of this DroxiDat malware appeared in C:\\perflogs alongside two Cobalt Strike beacons on multiple systems.\r\nEssentially, this variant provides several functions:\r\nRetrieves active machine name/username, local IP and volume serial information.\r\nInstead of creating an exclusive-use mutex, it checks and then creates a new thread and registers a window, class “Microsoft” and text “win32app” (included in all variants of SystemBC).\r\nSimple xor decrypts its C2 (IP:port) settings and creates a session to the remote host.\r\nEncrypts and sends collected system information to the C2.\r\nMay create and delete registry keys and values.\r\nMissing from this Windows variant that is common to past variants:\r\nFile creation capability.\r\nFile-execution switch statement, parsing for hardcoded file extensions (vbs, cmd, bat, exe, ps1) and code execution functionality.\r\nMini-TOR client capabilities.\r\nEmsisoft anti-malware scan.\r\nThe object contains xor-encoded configuration settings:\r\nXOR KEY: 0xB6108A9DB511264DB3FAFDB74F3D7F22ECCFC2683755966371A3974A1EA15A074404D96B6510CEE6\r\nHOST1: 93.115.25.41\r\nHOST2: 192.168.1.28\r\nPORT1: 443\r\nSo in this case, its immediate C2 destination is 93.115.25.41:443. Up until November 2022, this IP host provided bitcoin services. Ownership likely changed in December 2022, as the above backdoor was compiled mid-December.\r\nA second DroxiDat executable was sent down to the same systems with capabilities to add executable entries to the “Software\\Microsoft\\Windows\\CurrentVersion\\Run” registry key with a “socks5” entry, i.e.:\r\npowershell.exe -windowstyle hidden -Command \"c:\\perflogs\\hos.exe\"\r\nA third DroxiDat object, this time a DLL, was sent down to a server.\r\nMD5 1957deed26c7f157cedcbdae3c565cff\r\nSHA1 be9e23e56c4a25a8ea453c093714eed5e36c66d0\r\nSHA256 926fcb9483faa39dd93c8442e43af9285844a1fbbe493f3e4731bbbaecffb732\r\nLink time Thu, 15 Dec 2022 06:07:31 UTC\r\nFile type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nFile size 7168 bytes\r\nFile path c:\\perflogs\\svch.dll\r\nIt implements essentially the same functionality as “syscheck.exe” above without the ability to modify the registry. It also maintains the same HOST and PORT values, and 40-byte key.\r\nCobalt Strike beacons were detected on these systems as well, located in the same directory and similar infrastructure. In a couple of instances, the beacons arrived and were detected on the same day as DroxiDat. In several instances, a couple of the beacons first arrived and were detected in the same perflogs directory two days later, and several more six days later. It’s highly likely that the same attackers maintained access via stolen credentials or another unknown method.\r\nThe beacons’ infrastructure was power-utility themed:\r\npowersupportplan[.]com, 179.60.146.6\r\nURL: /rs.css, /skin\r\nSeveral beacons calling back to this C2 included the same license_id value:\r\n\"license_id\": \"0x282d4156\"\r\nWe identified one other Cobalt Strike C2 server and beacon cluster, possibly spoofing a power-utility theme as well, along with other related data points: epowersoftware[.]com, 194.165.16.63.\r\nThe ssh server on this epowersoftware host shares the same ssh version and RSA key(s) with the one at powersupportplan[.]com. Additionally, the CS beacon calling back to this domain maintains the same license_id, as seen above: “license_id”: “0x282d4156”.\r\nAttribution\r\nWe have a consistent set of data points across multiple incidents mentioned in our private report, which support an assessment made with low confidence. Several of these suggest this activity may be attributed to Russian-speaking RaaS cybercrime. In this case, we may be looking at activity from a group known as Pistachio Tempest or FIN12, a group HHS reported “has specifically targeted the healthcare industry” in 2022, frequently deploying SystemBC alongside CS Beacon to deploy ransomware:\r\nConsistent use of the same perflogs staging directory across this intrusion set within an early 2023 timeframe.\r\nSystemBC consistently paired alongside Cobalt Strike.\r\nShared profile data across Cobalt Strike hosts.\r\nNokoyawa ransomware deployment alongside DroxiDat within a health care organization in early 2023.\r\nMore details can be found in our private crimeware intelligence report “Focus on DroxiDat/SystemBC – Unknown Actor Targets Power Generator with DroxiDat and CobaltStrike” released in June 2023.\r\nReference IoC\r\nDomains and IP\r\n93.115.25.41\r\npowersupportplan[.]com, 179.60.146.6\r\nLikely related\r\nepowersoftware[.]com, 194.165.16.63\r\nFile hash\r\nDroxidat\r\n8d582a14279920af10d37eae3ff2b705\r\nf98b32755cbfa063a868c64bd761486f7d5240cc\r\na00ca18431363b32ca20bf2da33a2e2704ca40b0c56064656432afd18a62824e\r\nCobaltStrike beacon\r\n19567b140ae6f266bac6d1ba70459fbd\r\nfd9016c64aea037465ce045d998c1eead3971d35\r\na002668f47ff6eb7dd1b327a23bafc3a04bf5208f71610960366dfc28e280fe4\r\nFile paths\r\nC:\\perflogs\\syscheck.exe\r\nC:\\perflogs\\a.dll\r\nC:\\perflogs\\hos.exe\r\nC:\\perflogs\\host.exe\r\nC:\\perflogs\\hostt.exe\r\nC:\\perflogs\\svch.dll\r\nC:\\perflogs\\svchoct.dll\r\nC:\\perflogs\\admin\\svcpost.dll\r\nC:\\perflogs\\admin\\syscheck.exe\r\nC:\\perflogs\\sk64.dll\r\nC:\\perflogs\\clinic.exe\r\nSystemBC is like Christmas in July for SOCKS5 Malware and Exploit Kits\r\nThey’re back: inside a new Ryuk ransomware attack\r\nSource: https://securelist.com/focus-on-droxidat-systembc/110302/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/focus-on-droxidat-systembc/110302/"
	],
	"report_names": [
		"110302"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a2d3f35f-3b29-4509-bff5-af2638140d39",
			"created_at": "2022-10-25T16:07:23.633982Z",
			"updated_at": "2026-04-10T02:00:04.695802Z",
			"deleted_at": null,
			"main_name": "FIN12",
			"aliases": [],
			"source_name": "ETDA:FIN12",
			"tools": [
				"Agentemis",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"KEGTAP",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439041,
	"ts_updated_at": 1775826775,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6793072ce60d6a42ab684b8769d7e9332580a022.pdf",
		"text": "https://archive.orkl.eu/6793072ce60d6a42ab684b8769d7e9332580a022.txt",
		"img": "https://archive.orkl.eu/6793072ce60d6a42ab684b8769d7e9332580a022.jpg"
	}
}