Space Pirates, the alleged attacker of Russian and Serbian orgs

September 5, 2023

The notorious Space Pirates threat group has allegedly been behind a series of attacks on numerous organisations in Serbia and Russia over the past year.

According to reports, the group's primary objectives are espionage and the theft of sensitive information. However, its recent attacks show that it has expanded its interests and scope. Confirmed targets include government agencies, private security firms, agricultural producers, energy companies, academic institutions, defence, healthcare, and aerospace manufacturers in Serbia and Russia.

Space Pirates use Deed RAT to harvest files from their targets.

The Space Pirates threat group steals PST email archives using Deed RAT. Researchers add that the group uses this remote access trojan exclusively.

Deed RAT is also said to be the successor to ShadowPad, which itself evolved from the PlugX malware; both strains are widely used by Chinese cyberespionage actors.

Some researchers state that the malware is still in development: it comes in 32-bit and 64-bit versions and dynamically retrieves additional plugins from a remote server.

The malware also ships with a Disk plugin to enumerate files and folders, run commands, write arbitrary files to disk and map network drives, and a Portmap module for port forwarding.

The remote access trojan also acts as a conduit for delivering additional payloads such as Voidoor.

Voidoor is designed to use a legitimate forum, Voidtools, and a GitHub repository for its command-and-control. Voidtools is the developer of Everything, a freeware desktop search utility for Windows.

This technique is possible because the forum runs the open-source MyBB forum software. Voidoor logs into the forum with hard-coded credentials and searches the account's private messaging system for a folder matching the targeted victim ID.

Further research showed that the threat actors registered accounts on GitHub and the Voidtools forum last November.
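Voidoor's use of a legitimate forum and GitHub as dead drops means the C2 traffic blends in with ordinary web browsing. One way defenders can surface this pattern is to look for processes other than browsers and developer tools reaching those services, and to group hits per process so a single binary touching both the forum and GitHub stands out. The following is an added hunting example, not code from the article or from any vendor report; the events are constructed Sysmon-style records, the forum hostname `forum.voidtools.com` is an assumption (the article names only the Voidtools forum), and the process allowlist is illustrative.

```python
"""Hunt for the dead-drop-resolver pattern: a non-browser process contacting a
legitimate forum or GitHub, which Voidoor is reported to abuse for C2.
Added example with constructed telemetry; not from the original article."""
import json
from collections import defaultdict

# Services reported as abused by Voidoor. The forum hostname is an assumption
# for illustration; the article only says "the Voidtools forum".
DEAD_DROP_DOMAINS = {
    "forum.voidtools.com",      # assumed hostname of the Voidtools forum
    "github.com",
    "raw.githubusercontent.com",
    "api.github.com",
}

# Processes for which traffic to these services is expected in this
# (constructed) environment. Tune to the organisation's software inventory.
EXPECTED_IMAGES = {
    "chrome.exe", "msedge.exe", "firefox.exe", "git.exe", "code.exe",
}

# Constructed Sysmon-style network-connection events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS01", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "dest": "github.com", "port": 443},
    {"host": "WS02", "image": "C:\\Users\\alice\\AppData\\Roaming\\svchost.exe",
     "dest": "forum.voidtools.com", "port": 443},
    {"host": "WS02", "image": "C:\\Users\\alice\\AppData\\Roaming\\svchost.exe",
     "dest": "raw.githubusercontent.com", "port": 443},
    {"host": "WS03", "image": "C:\\Program Files\\Git\\cmd\\git.exe",
     "dest": "github.com", "port": 443},
    {"host": "WS04", "image": "C:\\Windows\\Temp\\update.exe",
     "dest": "updates.example.com", "port": 443},
]


def image_name(image_path: str) -> str:
    """Return the lower-cased file name from a Windows image path."""
    return image_path.rsplit("\\", 1)[-1].lower()


def is_suspicious(event: dict) -> bool:
    """True when an unexpected process talks to one of the dead-drop services."""
    dest = event["dest"].lower()
    return dest in DEAD_DROP_DOMAINS and image_name(event["image"]) not in EXPECTED_IMAGES


def hunt(events):
    """Group suspicious events by (host, image) so one process touching both the
    forum and GitHub, as Voidoor is reported to do, surfaces as a single finding.
    Returns {(host, image): sorted list of dead-drop domains contacted}."""
    findings = defaultdict(set)
    for ev in events:
        if is_suspicious(ev):
            findings[(ev["host"], image_name(ev["image"]))].add(ev["dest"].lower())
    return {key: sorted(dests) for key, dests in findings.items()}


if __name__ == "__main__":
    for (host, image), dests in hunt(SAMPLE_EVENTS).items():
        print(json.dumps({"host": host, "image": image, "dead_drops": dests}))
```

Run against the constructed events, the hunt yields one finding: the `svchost.exe` copy running from a user's AppData directory on WS02, which contacted both the forum and GitHub. A genuine `svchost.exe` lives in `System32`, so adding an image-path check (or comparing against the process's signer) is a natural next refinement; the allowlist by file name alone is deliberately loose here so that the grouping logic is the focus.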

Threat actors constantly adopt or develop new malware strains to keep their operations distinct from one another and tailored to a targeted entity. Organisations should therefore employ layered defences to counter such activity.
