In a recent blog post, ESET researchers delve into the details of Spacecolon, a toolset used to distribute variants of the Scarab ransomware. The researchers suspect that the operators of Spacecolon gain access to victim organizations by compromising vulnerable web servers or by brute forcing RDP credentials. The toolset contains many Turkish strings, leading the researchers to believe that the developer may be Turkish-speaking. The origins of Spacecolon can be traced back to May 2020, and new campaigns are still being observed, with the latest build compiled in May 2023.
The researchers have analyzed the components of Spacecolon and have identified three main components: ScHackTool, ScInstaller, and ScService. ScHackTool is the main orchestrator component that allows the operators to deploy the other two components. ScInstaller is responsible for installing ScService, which acts as a backdoor and allows the operators to execute commands, download and run payloads, and retrieve system information from compromised machines. In addition to these components, the operators of Spacecolon rely on a variety of third-party tools, both legitimate and malicious, that can be accessed on demand.
During the course of their research, the ESET researchers observed the development of a new ransomware family that they believe is written by the same developer as Spacecolon. They have named this new ransomware ScRansom. Similarities in the code, the use of the IPWorks library, and the overall GUI similarity led the researchers to attribute ScRansom to the same developer as Spacecolon. ScRansom attempts to encrypt hard drives, removable drives, and remote drives using the AES-128 algorithm. However, at the time of writing, ScRansom is still in the development stage and has not been observed being deployed in the wild.
The researchers highlight several key points about Spacecolon: the operators likely compromise web servers vulnerable to the ZeroLogon vulnerability or employ brute force attacks on RDP credentials; Spacecolon provides a wide range of third-party tools on demand; the victims of Spacecolon are located worldwide; Spacecolon can function as a remote access trojan (RAT) or deploy ransomware; and the operators are preparing the distribution of the new ransomware, ScRansom.
The name “Spacecolon” was given to the toolset by Zaufana Trzecia Strona analysts, who previously published a report on the toolset in Polish. To avoid confusion, the ESET researchers refer to the toolset as Spacecolon and its operators as CosmicBeetle. The attack scenario involves CosmicBeetle compromising a vulnerable web server or brute forcing RDP credentials, deploying ScHackTool, using additional third-party tools to gain further access and extract sensitive information, and potentially deploying the Scarab ransomware.
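The RDP brute forcing described above as one of CosmicBeetle's initial-access methods leaves a recognizable trace on the victim host: a burst of failed RemoteInteractive logons from one source address, sometimes followed by a success. The following detector is an added example, not code from the ESET report or the Spacecolon toolset; it runs over constructed Windows Security log lines (EventID 4625/4624, LogonType 10) flattened to one record per line, and the threshold and time window are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the ESET report), one flattened Windows
# Security record per line: 4625 = failed logon, 4624 = success, LogonType 10 = RDP.
SAMPLE_EVENTS = """\
2023-05-02T01:00:01 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2023-05-02T01:00:02 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2023-05-02T01:00:03 EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.7
2023-05-02T01:00:04 EventID=4625 LogonType=10 TargetUser=sql SourceIP=203.0.113.7
2023-05-02T01:00:05 EventID=4625 LogonType=10 TargetUser=scan SourceIP=203.0.113.7
2023-05-02T01:00:09 EventID=4624 LogonType=10 TargetUser=backup SourceIP=203.0.113.7
2023-05-02T01:15:00 EventID=4625 LogonType=10 TargetUser=alice SourceIP=198.51.100.2
2023-05-02T01:30:00 EventID=4625 LogonType=2 TargetUser=bob SourceIP=127.0.0.1
"""

LINE_RE = re.compile(r"(\S+) EventID=(\d+) LogonType=(\d+) TargetUser=(\S+) SourceIP=(\S+)")

def parse_events(text):
    """Return (timestamp, event_id, logon_type, user, source_ip) tuples, time-sorted."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, eid, ltype, user, ip = m.groups()
            events.append((datetime.fromisoformat(ts), int(eid), int(ltype), user, ip))
    return sorted(events)

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold RDP failures inside `window` (assumed
    tuning values) and record whether an RDP success from that IP followed."""
    rdp = [e for e in events if e[2] == 10]          # only RemoteInteractive logons
    failures = defaultdict(list)
    for ts, eid, _, user, ip in rdp:
        if eid == 4625:
            failures[ip].append((ts, user))
    findings = {}
    for ip, attempts in failures.items():
        for start, _ in attempts:                    # sliding window over failures
            burst = [a for a in attempts if start <= a[0] <= start + window]
            if len(burst) >= threshold:
                end = burst[-1][0]
                success = next((u for t, e, _, u, sip in rdp
                                if sip == ip and e == 4624 and t >= end), None)
                findings[ip] = {"failures": len(burst), "users": sorted({u for _, u in burst}),
                                "success_after": success}
                break
    return findings
```

A hit with `success_after` set is the case that matters most for triage: the password spray stopped because one of the guessed accounts worked, and that session is where Spacecolon's components would be deployed next.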
The researchers have observed instances where ScService, the backdoor component of Spacecolon, is deployed through Impacket rather than ScInstaller, indicating that the operators also employ alternative approaches. The final payload deployed by CosmicBeetle is a variant of the Scarab ransomware, which is bundled with ClipBanker malware that monitors the clipboard and replaces cryptocurrency wallet addresses with attacker-controlled ones.
In terms of initial access, the researchers have found evidence suggesting that CosmicBeetle exploits the ZeroLogon vulnerability and possibly a vulnerability in FortiOS. The ScPatcher tool, observed in ESET telemetry, installs selected Windows updates, including those addressing ZeroLogon. The researchers also mention the use of custom .NET payloads and the execution of BAT and VBScript scripts to alter Windows Automatic Updates settings and download/install updates.
There is no discernible pattern in the victimology of Spacecolon. The researchers have observed victims from various industries and locations around the world, including a hospital and a tourist resort in Thailand, an insurance company in Israel, a governmental institution in Poland, an entertainment provider in Brazil, an environmental company in Turkey, and a school in Mexico.
In conclusion, the ESET researchers offer a comprehensive analysis of Spacecolon, a toolset used to distribute variants of the Scarab ransomware. The researchers highlight the key components of Spacecolon, its operators’ methods of compromising victim organizations, the availability of third-party tools, and the development of a new ransomware called ScRansom.

