Spacecolon, a new toolset that spreads the Scarab ransomware

September 13, 2023
Spacecolon Toolset Scarab Ransomware Malware

A malicious campaign distributing variants of the Scarab ransomware relies on a previously undocumented toolset called Spacecolon. According to the researchers, the operation is global and does not focus on any particular region.

According to the reports, the operators gain initial access to a targeted organisation by exploiting vulnerable web servers or by brute-forcing RDP credentials.
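The RDP brute-forcing described above leaves a recognisable trail in the Windows Security log: bursts of event 4625 (logon failure) from one source address against several accounts, often followed by a 4624 (successful logon) from the same address once a password works. The block below is an added example, not code from the report or from any Spacecolon component. It runs a sliding-window check over constructed sample lines; the pipe-separated line layout, the field order and the threshold of five failures within five minutes are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// LogonEvent is a Windows Security log entry (4625 = failed logon, 4624 = successful
// logon) reduced to the fields the detection needs. The pipe-separated layout
// "timestamp|EventID|LogonType|SourceIP|TargetUser" is an assumption for this
// example; a real export (wevtutil, a SIEM, etc.) needs its own parser.
type LogonEvent struct {
	When      time.Time
	EventID   int
	LogonType int
	SourceIP  string
	User      string
}

// Alert describes one source address that exceeded the failure threshold.
type Alert struct {
	SourceIP  string
	Failures  int      // most failures seen inside a single window
	Users     []string // distinct accounts that source tried
	Succeeded bool     // a 4624 from the same source followed the burst
}

// sampleLog is constructed sample data, not a real capture: 203.0.113.7 sprays
// several accounts over RDP and finally gets in; 198.51.100.5 is a user mistyping
// a password twice; 10.0.0.12 is a console logon (type 2) that is not RDP at all.
const sampleLog = `
2023-09-01T10:00:01Z|4625|10|203.0.113.7|administrator
2023-09-01T10:00:14Z|4625|10|203.0.113.7|admin
2023-09-01T10:00:29Z|4625|3|203.0.113.7|backup
2023-09-01T10:00:45Z|4625|3|203.0.113.7|administrator
2023-09-01T10:01:02Z|4625|10|203.0.113.7|sqlsvc
2023-09-01T10:01:20Z|4625|10|203.0.113.7|administrator
2023-09-01T10:01:37Z|4624|10|203.0.113.7|administrator
2023-09-01T09:15:00Z|4625|10|198.51.100.5|j.doe
2023-09-01T11:40:00Z|4625|10|198.51.100.5|j.doe
2023-09-01T10:05:00Z|4625|2|10.0.0.12|svc_scan
`

// ParseLog keeps 4624/4625 events whose logon type is RDP-related: 10
// (RemoteInteractive) or 3 (Network, which is how RDP failures show up when
// Network Level Authentication is enabled). Type 3 also covers SMB and other
// network logons, so in production filter further on the logon process or port.
func ParseLog(raw string) ([]LogonEvent, error) {
	var events []LogonEvent
	for n, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Split(strings.TrimSpace(line), "|")
		if len(f) != 5 {
			return nil, fmt.Errorf("line %d: expected 5 fields, got %d", n+1, len(f))
		}
		when, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		id, err1 := strconv.Atoi(f[1])
		lt, err2 := strconv.Atoi(f[2])
		if err1 != nil || err2 != nil {
			return nil, fmt.Errorf("line %d: bad numeric field", n+1)
		}
		if (id != 4624 && id != 4625) || (lt != 10 && lt != 3) {
			continue
		}
		events = append(events, LogonEvent{When: when, EventID: id, LogonType: lt, SourceIP: f[3], User: f[4]})
	}
	return events, nil
}

// DetectBruteForce flags every source with at least threshold failed logons inside
// a sliding window of the given length, and notes whether that source later logged
// on successfully (the burst followed by a 4624 is the case to escalate first).
func DetectBruteForce(events []LogonEvent, threshold int, window time.Duration) []Alert {
	bySrc := map[string][]LogonEvent{}
	for _, e := range events {
		bySrc[e.SourceIP] = append(bySrc[e.SourceIP], e)
	}
	var alerts []Alert
	for src, evs := range bySrc {
		var fails []LogonEvent
		var successes []time.Time
		for _, e := range evs {
			if e.EventID == 4625 {
				fails = append(fails, e)
			} else {
				successes = append(successes, e.When)
			}
		}
		sort.Slice(fails, func(i, j int) bool { return fails[i].When.Before(fails[j].When) })
		best, bestStart := 0, 0
		for start, end := 0, 0; end < len(fails); end++ {
			for fails[end].When.Sub(fails[start].When) > window {
				start++
			}
			if n := end - start + 1; n > best {
				best, bestStart = n, start
			}
		}
		if best < threshold {
			continue
		}
		seen := map[string]bool{}
		var users []string
		for _, f := range fails {
			if !seen[f.User] {
				seen[f.User] = true
				users = append(users, f.User)
			}
		}
		sort.Strings(users)
		succeeded := false
		for _, t := range successes {
			if t.After(fails[bestStart].When) {
				succeeded = true
			}
		}
		alerts = append(alerts, Alert{SourceIP: src, Failures: best, Users: users, Succeeded: succeeded})
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].SourceIP < alerts[j].SourceIP })
	return alerts
}

func main() {
	events, err := ParseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range DetectBruteForce(events, 5, 5*time.Minute) {
		fmt.Printf("RDP brute force from %s: %d failures, accounts %v, later success: %v\n",
			a.SourceIP, a.Failures, a.Users, a.Succeeded)
	}
}
```

On the sample data only 203.0.113.7 trips the rule (six failures in under two minutes across four accounts, then a success), while the two mistyped passwords from 198.51.100.5 hours apart do not. The threshold and window are the knobs to tune against your own baseline; the more durable fix is not exposing RDP to the internet at all, or at least requiring NLA plus MFA behind a gateway.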

The Spacecolon toolkit appears to come from a Turkish-speaking developer.

According to the researchers, one variant of the Spacecolon toolkit includes Turkish strings, indicating that it came from a Turkish-speaking developer.

The earliest known Spacecolon sample dates from May 2020, while the current campaigns use a build compiled in May 2023. The researchers have not linked the toolset to any known threat group and track its operators under the name CosmicBeetle.

The toolset consists of three main components written in Delphi: ScHackTool, ScService, and ScInstaller. Together they let CosmicBeetle obtain remote access, deploy additional payloads, and ultimately run ransomware on compromised hosts.

ScHackTool acts as the orchestrator that launches ScService and ScInstaller. ScInstaller has a single job, installing ScService, and ScService is the backdoor that lets CosmicBeetle run commands, collect system information, and download further payloads.

Alongside these core components, the operators use a range of third-party tools, so the malware-specific indicators are only part of the picture.

The analysis also uncovered a new ransomware family, ScRansom, which the researchers believe was written by the same developers: it contains similar Turkish strings, and its graphical user interface resembles that of the Spacecolon tools.

ScRansom encrypts the victim's drives with AES-128, using a key derived from a hardcoded string, which means the key is recoverable from the sample itself. The strain may still be under development, since the researchers have not observed it used in an actual attack.
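The key handling is the weak point of the reported design: if the AES-128 key is derived from a string hardcoded in the binary, every victim shares the same key and anyone holding a sample can write a decryptor. The block below is an added example, not ScRansom's code. The seed value, the derivation (SHA-256 truncated to 16 bytes) and the use of CTR mode are assumptions chosen only to show the property that matters, namely that decryption needs nothing from the victim.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// hardcodedSeed stands in for the constant the report says the key is derived
// from. Its value, and the SHA-256 derivation in DeriveKey, are assumptions for
// this example and are not ScRansom's real seed or derivation.
const hardcodedSeed = "example-seed-not-the-real-one"

// DeriveKey turns the seed into a 16-byte AES-128 key. Because the input is a
// constant, the output is the same on every victim machine.
func DeriveKey(seed string) []byte {
	sum := sha256.Sum256([]byte(seed))
	return sum[:16]
}

// Encrypt mirrors the weak design: only the CTR IV is fresh, the key is static.
// Output layout is IV (16 bytes) followed by the keystream-XORed data.
func Encrypt(plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(DeriveKey(hardcodedSeed))
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize+len(plaintext))
	iv := out[:aes.BlockSize]
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	cipher.NewCTR(block, iv).XORKeyStream(out[aes.BlockSize:], plaintext)
	return out, nil
}

// Decrypt is the "decryptor" an analyst could ship: it needs only the seed
// recovered from the sample, never anything from the operators.
func Decrypt(seed string, ciphertext []byte) ([]byte, error) {
	if len(ciphertext) < aes.BlockSize {
		return nil, errors.New("ciphertext too short to contain an IV")
	}
	block, err := aes.NewCipher(DeriveKey(seed))
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(ciphertext)-aes.BlockSize)
	cipher.NewCTR(block, ciphertext[:aes.BlockSize]).XORKeyStream(out, ciphertext[aes.BlockSize:])
	return out, nil
}

func main() {
	ct, err := Encrypt([]byte("quarterly-report.xlsx contents"))
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(hardcodedSeed, ct)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered with the constant alone: %q\n", pt)
}
```

A strain that generated a random key per victim and wrapped it with an attacker-held public key would not be recoverable this way, which is why a hardcoded derivation is worth noting for anyone who ends up with encrypted files: confirm the derivation against the actual sample before relying on it, since the one above is illustrative.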

Defenders should keep tracking these tools and ransomware strains: the toolset is under active development and could gain new capabilities that enable broader attacks.
