“Cybersecurity experts at ESET reveal the discovery of a malevolent toolkit called Spacecolon, which has been utilized to propagate various strains of the Scarab ransomware across numerous victim organizations worldwide.”
“It gains entry into victim organizations as its operators compromise vulnerable web servers or employ brute force on RDP credentials,” noted ESET security researcher Jakub Souček in a comprehensive technical write-up released on Tuesday.
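Detection logic for the RDP brute-force entry path described above, as an added example that is not part of ESET's report or its tooling: it replays constructed Windows Security event records (Event ID 4625 failed logon and 4624 successful logon, with logon type 10 for RDP; the field names follow the Windows Security log, the values are invented) and flags a source address that exceeds a failure threshold inside a sliding window, escalating the alert if that same address then logs on over RDP. The threshold and window are assumptions to be tuned per environment.

```python
"""Flag RDP password guessing followed by a successful interactive logon.

Added example (not ESET's code). Event records are constructed to mimic the
fields of Windows Security Event IDs 4625 and 4624; values are invented.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (timestamp, event_id, logon_type, account, source_ip)
# Logon type 3 = Network (what NLA-protected RDP failures usually log),
# logon type 10 = RemoteInteractive (an actual RDP session).
SAMPLE_EVENTS = [
    ("2023-08-22T02:00:01", 4625, 3, "Administrator", "203.0.113.7"),
    ("2023-08-22T02:00:05", 4625, 3, "admin", "203.0.113.7"),
    ("2023-08-22T02:00:09", 4625, 3, "backup", "203.0.113.7"),
    ("2023-08-22T02:00:14", 4625, 3, "Administrator", "203.0.113.7"),
    ("2023-08-22T02:00:20", 4625, 3, "backup", "203.0.113.7"),
    ("2023-08-22T02:00:25", 4625, 3, "backup", "203.0.113.7"),
    ("2023-08-22T02:00:40", 4624, 10, "backup", "203.0.113.7"),   # guessed credential
    ("2023-08-22T02:10:00", 4625, 3, "jsmith", "198.51.100.9"),   # below threshold
    ("2023-08-22T02:12:00", 4625, 3, "jsmith", "198.51.100.9"),
    ("2023-08-22T02:15:00", 4624, 10, "jsmith", "10.0.0.5"),       # benign logon
]

FAILURE_THRESHOLD = 5          # assumption: tune to the environment
WINDOW = timedelta(minutes=5)  # assumption: sliding window for counting failures


def parse(events):
    """Convert raw tuples into (datetime, event_id, logon_type, account, ip)."""
    return [
        (datetime.fromisoformat(ts), eid, lt, acct.lower(), ip)
        for ts, eid, lt, acct, ip in events
    ]


def detect_rdp_bruteforce(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return alerts keyed by source IP.

    An IP is flagged ("medium") once it produces `threshold` failed logons
    within `window`. If the same IP later succeeds with logon type 10 (RDP),
    the alert is escalated to "high" and the account that got in is recorded.
    """
    parsed = sorted(parse(events), key=lambda e: e[0])
    recent_failures = defaultdict(list)  # ip -> failure timestamps inside window
    tried_accounts = defaultdict(set)    # ip -> every account name attempted
    alerts = {}

    for ts, event_id, logon_type, account, ip in parsed:
        if event_id == 4625:
            tried_accounts[ip].add(account)
            # Slide the window: keep only failures within `window` of this one.
            recent = [t for t in recent_failures[ip] if ts - t <= window]
            recent.append(ts)
            recent_failures[ip] = recent
            if len(recent) >= threshold:
                alert = alerts.setdefault(ip, {
                    "severity": "medium",
                    "failures": 0,
                    "accounts": set(),
                    "compromised_account": None,
                })
                alert["failures"] = len(recent)
                alert["accounts"] = set(tried_accounts[ip])
        elif event_id == 4624 and logon_type == 10 and ip in alerts:
            # A real RDP session from an address that was just guessing passwords.
            alerts[ip]["severity"] = "high"
            alerts[ip]["compromised_account"] = account

    return alerts


if __name__ == "__main__":
    for ip, alert in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, alert)
```

The window is sorted by timestamp before evaluation so records exported out of order (common when events are pulled from several hosts) do not produce false negatives; in production the same logic would run over events from a SIEM or from `Get-WinEvent` output rather than the embedded sample.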
The Slovak cybersecurity firm has named the threat actor behind Spacecolon CosmicBeetle and traced its activity back to May 2020. The highest number of victims has been identified in France, Mexico, Poland, Slovakia, Spain, and Turkey.
Although the precise origin of the adversary remains uncertain, several iterations of Spacecolon reportedly incorporate Turkish text, which likely suggests the participation of a Turkish-speaking developer. Presently, no evidence links it to any other established threat actor group.
ScHackTool, acting as the orchestrator, manages the deployment of ScInstaller and ScService. ScInstaller’s sole purpose is to install ScService, which functions as a backdoor, allowing CosmicBeetle to execute commands, download payloads and retrieve system information.
In addition to these core components, the operators of Spacecolon heavily rely on an array of third-party tools, both legitimate and malicious, available on demand.
“CosmicBeetle doesn’t select its targets; instead, it identifies servers lacking essential security updates and exploits this vulnerability to its benefit,” Souček highlighted.
ESET has uncovered an alternative version of the infection chain, wherein Impacket is employed to deploy ScService instead of using ScHackTool. This shift indicates that the threat actors are actively exploring diverse techniques.
CosmicBeetle’s financial motive is further evidenced by the fact that the ransomware payload is accompanied by a clipper malware. The clipper monitors the system clipboard and replaces cryptocurrency wallet addresses with ones controlled by the attackers.
ESET’s findings also revealed the emergence of a fresh ransomware variant, ScRansom, thought to originate from the same developer as Spacecolon. This new ransomware showcases analogous Turkish elements in its code and bears resemblances in its visual interface.