Spacecolon Toolset Fuels Global Surge in Scarab Ransomware Attacks
A dangerous toolset named Spacecolon is at the heart of a growing wave of Scarab ransomware attacks affecting organizations worldwide.
This malicious toolset is being used in an ongoing campaign, targeting vulnerable web servers and exploiting RDP credentials to infiltrate victim organizations. This news item delves into the details of this threat.
Key Takeaways on the Surge in Scarab Ransomware Attacks
- Spacecolon, a malicious toolset, is driving a global increase in Scarab ransomware attacks.
- The threat actor behind this campaign, known as CosmicBeetle, has been active since May 2020.
- The attacker’s primary method involves exploiting security vulnerabilities and weak credentials to gain access to victim systems.
The Emergence of Spacecolon
The cybersecurity landscape is grappling with the emergence of Spacecolon, a malicious toolset fueling a surge in Scarab ransomware attacks across organizations worldwide.
According to ESET security researcher Jakub Souček, Spacecolon is infiltrating victim organizations through vulnerable web servers or by brute-forcing RDP (Remote Desktop Protocol) credentials.
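The RDP brute-forcing described above leaves a recognizable trace in the Windows Security log: a burst of failed remote-interactive logons (Event ID 4625, logon type 10) from one source address, often followed by a success (Event ID 4624) from the same address once a password is guessed. The following detector is an added example for defenders, not code from the article or from ESET; it assumes events have been exported to a simple key=value text form, and the log lines it runs on are constructed sample data, not real telemetry.

```python
"""Detect RDP password brute-force patterns in exported Windows Security events.

Added example, not part of the original article or ESET's research.
Assumes events were exported to one "key=value" line each with an ISO
timestamp first. The field names (EventID, LogonType, IpAddress,
TargetUserName) mirror the real 4625/4624 event fields, but the lines
below are constructed sample data.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export. Logon type 10 = RemoteInteractive (RDP).
# 4625 = failed logon, 4624 = successful logon.
SAMPLE_LOG = """\
2023-08-21T09:00:01 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=administrator
2023-08-21T09:00:03 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=admin
2023-08-21T09:00:05 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=backup
2023-08-21T09:00:08 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=sql
2023-08-21T09:00:12 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=support
2023-08-21T09:00:20 EventID=4624 LogonType=10 IpAddress=203.0.113.7 TargetUserName=support
2023-08-21T09:05:00 EventID=4625 LogonType=10 IpAddress=198.51.100.9 TargetUserName=jsmith
2023-08-21T09:30:00 EventID=4625 LogonType=10 IpAddress=198.51.100.9 TargetUserName=jsmith
2023-08-21T09:31:00 EventID=4624 LogonType=10 IpAddress=198.51.100.9 TargetUserName=jsmith
2023-08-21T09:40:00 EventID=4625 LogonType=2 IpAddress=127.0.0.1 TargetUserName=local
"""

RDP_LOGON_TYPE = "10"
FAILED, SUCCESS = "4625", "4624"


def parse_line(line):
    """Turn one exported line into a dict, with the timestamp parsed under 'ts'."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=2)):
    """Return a list of (alert_type, ip, detail) tuples.

    'rdp_bruteforce' fires once per IP when at least `threshold` RDP failures
    fall inside a sliding `window`; 'rdp_bruteforce_success' fires when such a
    burst is followed by a successful RDP logon from the same IP, which is the
    moment a defender most wants to know about.
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures inside the window
    bursting = set()             # ips that already crossed the threshold
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev.get("LogonType") != RDP_LOGON_TYPE:
            continue  # only remote-interactive (RDP) logons are of interest
        ip, ts = ev["IpAddress"], ev["ts"]
        if ev["EventID"] == FAILED:
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:  # expire failures outside the window
                q.popleft()
            if len(q) >= threshold and ip not in bursting:
                bursting.add(ip)
                alerts.append(("rdp_bruteforce", ip, f"{len(q)} failures within {window}"))
        elif ev["EventID"] == SUCCESS and ip in bursting:
            alerts.append(("rdp_bruteforce_success", ip, f"user {ev['TargetUserName']}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG):
        print(*alert)
```

On the sample data the first address trips the threshold on its fifth failure and then produces the higher-severity success alert; the second address fails only twice, 25 minutes apart, so its later success is treated as a normal logon, and the local (logon type 2) failure is ignored. The threshold and window are the knobs to tune against a real environment's baseline of mistyped passwords.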
Global Impact and Origins
Spacecolon, attributed to the threat actor CosmicBeetle, has been active since May 2020. The highest concentration of victims has been identified in countries such as France, Mexico, Poland, Slovakia, Spain, and Turkey.
Notably, certain Spacecolon variants contain Turkish strings, indicating potential involvement by a Turkish-speaking developer. However, there is currently no evidence linking this campaign to any known threat actor group.
Diverse Range of Targets
The targets of these attacks are diverse and span the globe. They include a hospital and tourist resort in Thailand, an insurance company in Israel, a local governmental institution in Poland, an entertainment provider in Brazil, an environmental company in Turkey, and a school in Mexico.
CosmicBeetle’s approach is opportunistic, targeting servers with critical security updates missing, and exploiting these vulnerabilities to their advantage.
Adaptation and Persistence
Spacecolon initially came to public attention in February 2023, prompting the adversary to adjust its tactics. At its core, Spacecolon features ScHackTool, a Delphi-based orchestrator responsible for deploying an installer.
This installer, called ScService, functions as a backdoor with the capability to execute custom commands, download and execute payloads, and gather system information from compromised machines.
Ransomware and Financial Incentives
CosmicBeetle’s ultimate objective is to deploy Scarab ransomware, leveraging the access provided by ScService. The attackers are also using a clipper malware to monitor the system clipboard and modify cryptocurrency wallet addresses to their advantage.
Additionally, there are indications that CosmicBeetle is actively developing a new ransomware strain called ScRansom, which aims to encrypt various drives using AES-128 encryption.
Low Effort in Evasion
Interestingly, CosmicBeetle does not invest substantial effort in hiding its malware, leaving numerous traces on compromised systems. Its tooling lacks robust anti-analysis or anti-emulation techniques.
ScHackTool is primarily used to download additional tools to compromised machines and execute them as needed.
Conclusion
Spacecolon, backed by the threat actor CosmicBeetle, poses a significant threat to organizations globally. By exploiting vulnerabilities and weak credentials, this malicious toolset enables the deployment of Scarab ransomware and related malware. Vigilance and robust security measures are essential to counter this evolving cyber threat.
About ESET:
ESET is a renowned cybersecurity firm dedicated to providing comprehensive protection against digital threats. ESET’s research plays a critical role in understanding and mitigating cybersecurity risks.