Scarabs colon-izing vulnerable servers

In this blogpost, ESET researchers take a look at Spacecolon, a small toolset used to deploy variants of the Scarab ransomware to victims all over the world. It probably finds its way into victim organizations through its operators compromising vulnerable web servers or brute forcing RDP credentials.

Several Spacecolon builds contain a lot of Turkish strings; therefore we suspect a Turkish-speaking developer. We were able to track the origins of Spacecolon back to at least May 2020 and continue to see new campaigns at the time of writing, with the latest build compiled in May 2023. Despite this tracking and our detailed analysis of Spacecolon’s constituent tools, we cannot currently attribute its use to any known threat actor group. Therefore, we will call Spacecolon’s operators CosmicBeetle to represent the link to “space” and “scarab”.

Spacecolon consists of three Delphi components – internally known as HackTool, Installer, and Service, which will be referred to as ScHackTool, ScInstaller, and ScService in this blogpost. ScHackTool is the main orchestrator component, which allows CosmicBeetle to deploy the other two. ScInstaller is a small component with a single purpose: to install ScService. ScService acts as a backdoor, allowing CosmicBeetle to execute custom commands, download and execute payloads, and retrieve system information from compromised machines.

Besides these three components, Spacecolon’s operators rely heavily on a large variety of third-party tools, both legitimate and malicious, that Spacecolon makes available on demand.

While preparing this report for publication, we observed a new ransomware family being developed, with samples being uploaded to VirusTotal from Turkey. We believe with high confidence that it is written by the same developer as Spacecolon; therefore we’ll refer to it as ScRansom. Our attribution is based on similar Turkish strings in the code, usage of the IPWorks library, and the overall GUI similarity. ScRansom attempts to encrypt all hard, removable and remote drives using the AES-128 algorithm with a key generated from a hardcoded string. If that derivation involves no per-victim secret, the same key can be regenerated from any sample, which would make encrypted files recoverable without the attacker’s cooperation. We have not observed ScRansom being deployed in the wild at the time of writing and we believe it is still in the development stage. The latest variant uploaded to VirusTotal is bundled inside an MSI installer, together with a small utility to delete Shadow Copies.

Key points of this blogpost:

CosmicBeetle operators probably compromise web servers vulnerable to ZeroLogon (CVE-2020-1472) or those whose RDP credentials they are able to brute force.
Spacecolon provides, on demand, a large variety of third-party red-team tools.
CosmicBeetle has no clear targeting; its victims are all over the world.
Spacecolon can serve as a RAT and/or deploy ransomware; we have seen it delivering Scarab.
Spacecolon operators or developers appear to be preparing the distribution of new ransomware that we have named ScRansom.

Overview

The name Spacecolon was assigned by Zaufana Trzecia Strona analysts, who authored the first (and to our knowledge the only other) publication (in Polish) about the toolset. Building on top of that publication, ESET offers deeper insight into the threat. To avoid confusion, we will refer to the toolset as Spacecolon and to its operators as CosmicBeetle.

The attack scenario is as follows:

1. CosmicBeetle compromises a vulnerable web server or simply brute forces its RDP credentials.

2. CosmicBeetle deploys ScHackTool.

3. Using ScHackTool, CosmicBeetle employs any of the additional third-party tools available on demand to disable security products, extract sensitive information, and gain further access.

4. If the target is deemed valuable, CosmicBeetle can deploy ScInstaller and use it to install ScService.

5. ScService provides further remote access for CosmicBeetle.

6. Finally, CosmicBeetle may choose to deploy the Scarab ransomware through ScService or manually.

In several cases, we noticed ScService being deployed through Impacket rather than ScInstaller, with ScHackTool not used at all. We conclude that using ScHackTool as the initial component is not the only approach Spacecolon’s operators employ.

The final payload CosmicBeetle deploys is a variant of the Scarab ransomware. This variant internally also deploys a ClipBanker, a type of malware that monitors the content of the clipboard and replaces content that it deems likely to be a cryptocurrency wallet address with an attacker-controlled one.

Initial access

ESET telemetry suggests that some targets are compromised via RDP brute forcing – this is further supported by the additional tools, listed in Appendix A – Third-party tools used by the attacker, available to Spacecolon operators. Besides that, we assess with high confidence that CosmicBeetle abuses the CVE-2020-1472 (ZeroLogon) vulnerability, based on a custom .NET tool described in the next section.

With low confidence, we assess that CosmicBeetle may also be abusing a vulnerability in FortiOS for initial access. We believe so because the vast majority of victims have devices running FortiOS in their environment, and because the ScInstaller and ScService components reference the string “Forti” in their code. According to CISA, three FortiOS vulnerabilities were amongst the top routinely exploited vulnerabilities in 2022. Unfortunately, we have no further details on such possible vulnerability exploitation besides these artifacts.

Closing the door behind you

On several occasions, ESET telemetry has shown Spacecolon operators executing a custom .NET payload that we will refer to here as ScPatcher. ScPatcher is designed to do nothing malicious. On the contrary: it installs chosen Windows Updates. The list of updates installed is illustrated in Table 1 and the corresponding code part of ScPatcher in Figure 1.

Table 1. List of Windows Updates installed by ScPatcher

Update ID   Platform                            Comment
KB5005389   Windows 8                           Addresses CVE-2021-33764.
KB4601357   Windows 8                           Addresses ZeroLogon.
KB4601349   Windows 8.1                         Addresses ZeroLogon.
KB4576750   Windows 10                          No clear CVE connection.
KB955430    Windows Vista, Windows Server 2008  No clear CVE connection.
KB4571746   Windows 7, Windows Server 2008      No clear CVE connection.
KB5006749   Windows 7, Windows Server 2008      No clear CVE connection.
KB4601363   Windows 7, Windows Server 2008      Addresses ZeroLogon.
KB5005112   Windows 10, Windows Server 2019     No clear CVE connection.

Figure 1. Part of ScPatcher code listing the selected Windows updates

ScPatcher also contains two functions designed to drop and execute:

- update.bat, a small BAT script to alter Windows Automatic Updates settings, and

- up.vbs, an almost identical copy of an official MSDN example script to download and install Windows Updates, with the slight change of not accepting user input but rather allowing the updates to proceed automatically and silently.

While these two functions are not referenced anywhere in the code, ESET telemetry shows Spacecolon operators executing both scripts directly through Impacket. The functions are illustrated in Figure 2 and Figure 3.

Figure 2. ScPatcher code responsible for dropping and executing a BAT script to alter Automatic Windows Update settings

Figure 3. ScPatcher code responsible for dropping and executing a VBScript to download and install Windows Updates
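Because ScPatcher applies the Table 1 updates as one scripted batch, the trace it leaves on a host is several of those specific KBs sharing a single InstalledOn date, which is not how they arrive through a normal monthly cycle. The following hunting check is an added example, not ESET’s code nor anything from the Spacecolon toolset. It assumes a hotfix inventory exported with `Get-HotFix | Export-Csv` (columns PSComputerName, HotFixID, InstalledOn, with en-US date formatting); the sample rows are constructed.

```python
"""Hunt for ScPatcher's batch-patching footprint in a Get-HotFix inventory.

Added example; assumes a CSV export of Get-HotFix (PSComputerName,
HotFixID, InstalledOn) with en-US dates such as "10/14/2021 12:00:00 AM".
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# KB identifiers from Table 1: the updates ScPatcher installs.
SCPATCHER_KBS = frozenset({
    "KB5005389", "KB4601357", "KB4601349", "KB4576750", "KB955430",
    "KB4571746", "KB5006749", "KB4601363", "KB5005112",
})

# Constructed sample (not real telemetry): HOST-A received two Table 1 KBs
# on the same day; HOST-B got one of them through its normal patch cycle;
# HOST-C has none of them.
SAMPLE_CSV = """PSComputerName,HotFixID,InstalledOn
HOST-A,KB5005112,10/14/2021 12:00:00 AM
HOST-A,KB4576750,10/14/2021 12:00:00 AM
HOST-A,KB5003637,06/09/2021 12:00:00 AM
HOST-B,KB5005112,08/11/2021 12:00:00 AM
HOST-B,KB5003637,06/09/2021 12:00:00 AM
HOST-C,KB5003637,06/09/2021 12:00:00 AM
"""


def parse_inventory(text):
    """Yield (host, kb, install_date) tuples, skipping rows whose date does
    not parse (Get-HotFix leaves InstalledOn empty for some updates)."""
    for row in csv.DictReader(io.StringIO(text)):
        try:
            when = datetime.strptime(row["InstalledOn"],
                                     "%m/%d/%Y %I:%M:%S %p").date()
        except (KeyError, ValueError):
            continue
        yield row["PSComputerName"], row["HotFixID"].strip().upper(), when


def find_batch_installs(text, min_batch=2):
    """Return {host: {date: [kbs]}} for hosts where at least `min_batch`
    ScPatcher KBs share one InstalledOn date. A single KB from the list is
    what ordinary patching looks like; a same-day batch of them is the
    signal worth correlating with Impacket or RDP activity on that host."""
    per_host = defaultdict(lambda: defaultdict(set))
    for host, kb, when in parse_inventory(text):
        if kb in SCPATCHER_KBS:
            per_host[host][when].add(kb)
    hits = {}
    for host, by_day in per_host.items():
        batches = {day: sorted(kbs) for day, kbs in by_day.items()
                   if len(kbs) >= min_batch}
        if batches:
            hits[host] = batches
    return hits


if __name__ == "__main__":
    for host, batches in find_batch_installs(SAMPLE_CSV).items():
        for day, kbs in batches.items():
            print(f"{host}: {len(kbs)} ScPatcher KBs installed on {day}: "
                  f"{', '.join(kbs)}")
```

Tune `min_batch` against your own patch-cycle baseline before alerting on it: on platforms where two of the Table 1 KBs were released in the same month, a same-day pair can be legitimate, so treat a hit as a lead to correlate with the initial-access indicators above rather than as a verdict.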

Victimology

We have not observed any pattern in Spacecolon victims besides them being vulnerable to the initial access methods employed by CosmicBeetle. Figure 4 illustrates the Spacecolon incidents identified by ESET telemetry.

Figure 4. Distribution of Spacecolon victims

We have not found any pattern in the targets’ area of focus or size either. To name a few, we have observed Spacecolon at a hospital and a tourist resort in Thailand, an insurance company in Israel, a local governmental institution in Poland, an entertainment provider in Brazil, an environmental company in Turkey, and a school in Mexico.

Technical analysis

We first take a brief look at the ransomware variant Spacecolon deploys and then proceed with the analysis of Spacecolon components themselves.

Scarab ransomware

Scarab is Delphi-written ransomware. It contains notable code overlaps with the Buran and VegaLocker families. It relies on an embedded configuration whose format is almost identical to that of the Zeppelin ransomware. That configuration determines, among other things, the file extension for encrypted files, filenames, list of file extensions of files to encrypt, and the ransom message.

The vast majority of Scarab builds we have encountered drop and execute an embedded Delphi-written ClipBanker that monitors the clipboard content and replaces any string resembling a cryptocurrency wallet with an attacker-controlled one, specifically one of the following:

- 1HtkNb73kvUTz4KcHzztasbZVonWTYRfVx

- qprva3agrhx87rmmp5wtn805jp7lmncycu3gttmuxe

- 0x7116dd46e5a6c661c47a6c68acd5391a4c6ba525

- XxDSKuWSBsWFxdJcge8xokrtzz8joCkUHF

- 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQnt2yEaJRD7Km8Pnph

- t1RKhXcyj8Uiku95SpzZmMCfTiKo4iHHmnD

We were able to conclusively link Spacecolon with at least two Scarab builds utilizing .flycrypt and .restoreserver extensions for encrypted files – CosmicBeetle attempted to execute these builds on machines that had been compromised by Spacecolon shortly beforehand. Both builds follow the same file-naming patterns – the ransomware runs as %APPDATA%\osk.exe and the embedded ClipBanker as %APPDATA%\winupas.exe. This naming holds special importance for Spacecolon, as ScHackTool expects two such named processes to be running. Supposing this naming pattern is closely tied to Spacecolon, more than 50% of Scarab configurations shown by ESET telemetry may be related to Spacecolon. The ransom messages for the two conclusively linked samples are illustrated in Figure 5 and Figure 6.
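The two host-side artifacts described above (the ClipBanker’s wallet swap and the fixed %APPDATA%\osk.exe / %APPDATA%\winupas.exe naming) lend themselves to simple detection logic. The block below is an added example, not code from ESET or from the Scarab/Spacecolon toolset. It assumes clipboard contents are available as a sequence of snapshots in observation order and process events as dicts with an "image" (full path) key, as an EDR export might provide; the address formats are inferred from the six replacement addresses listed above, and all sample data is constructed.

```python
"""Detection helpers for the Scarab ClipBanker and its drop locations.

Added example. Assumes clipboard snapshots arrive as an ordered list of
strings and process events as dicts with an "image" path.
"""
import re

# Address formats inferred from the six attacker-controlled replacements:
# Bitcoin (P2PKH/P2SH), Bitcoin Cash (CashAddr), Ethereum, Dash,
# Monero (95-char standard or 106-char integrated) and Zcash transparent.
B58 = r"[1-9A-HJ-NP-Za-km-z]"  # base58 alphabet: no 0, O, I or l
WALLET_PATTERNS = {
    "btc":  re.compile(rf"^[13]{B58}{{25,34}}$"),
    "bch":  re.compile(r"^(?:bitcoincash:)?[qp][qpzry9x8gf2tvdw0s3jn54khce6mua7l]{41}$"),
    "eth":  re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "dash": re.compile(rf"^X{B58}{{33}}$"),
    "xmr":  re.compile(rf"^4{B58}{{94,105}}$"),
    "zec":  re.compile(rf"^t1{B58}{{33}}$"),
}

# The replacement addresses listed above; a swap *to* one of them is a hard IoC.
COSMICBEETLE_WALLETS = frozenset({
    "1HtkNb73kvUTz4KcHzztasbZVonWTYRfVx",
    "qprva3agrhx87rmmp5wtn805jp7lmncycu3gttmuxe",
    "0x7116dd46e5a6c661c47a6c68acd5391a4c6ba525",
    "XxDSKuWSBsWFxdJcge8xokrtzz8joCkUHF",
    "4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQnt2yEaJRD7Km8Pnph",
    "t1RKhXcyj8Uiku95SpzZmMCfTiKo4iHHmnD",
})

# Image names used by the linked Scarab builds (%APPDATA%\osk.exe, %APPDATA%\winupas.exe).
SCARAB_IMAGE_NAMES = {"osk.exe", "winupas.exe"}


def classify_wallet(text):
    """Return the coin type an address-looking string matches, or None."""
    s = text.strip()
    for kind, pattern in WALLET_PATTERNS.items():
        if pattern.match(s):
            return kind
    return None


def detect_clipboard_swaps(snapshots):
    """Flag consecutive snapshots where a wallet address became a *different*
    address of the *same* type, the only change a ClipBanker makes.
    Returns (kind, before, after, is_known_cosmicbeetle_wallet) tuples."""
    alerts = []
    for before, after in zip(snapshots, snapshots[1:]):
        kind = classify_wallet(before)
        if kind and before != after and classify_wallet(after) == kind:
            alerts.append((kind, before, after,
                           after.strip() in COSMICBEETLE_WALLETS))
    return alerts


def suspicious_scarab_processes(events):
    """Return image paths named like the Scarab drops but running from a
    roaming profile. osk.exe is also the legitimate On-Screen Keyboard under
    System32, so the path, not the name alone, decides."""
    hits = []
    for event in events:
        image = event["image"].replace("/", "\\")
        name = image.rsplit("\\", 1)[-1].lower()
        if name in SCARAB_IMAGE_NAMES and "\\appdata\\roaming\\" in image.lower():
            hits.append(image)
    return hits


# Constructed sample data (not real telemetry). The first BTC address and the
# ETH address are placeholders, not real wallets.
SAMPLE_CLIPBOARD = [
    "meeting notes",
    "1AbCdEfGhJkMnPqRsTuVwXyZ23456789ab",
    "1HtkNb73kvUTz4KcHzztasbZVonWTYRfVx",   # swapped in by the ClipBanker
    "0x00000000000000000000000000000000deadbeef",
    "0x00000000000000000000000000000000deadbeef",
]
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\osk.exe"},            # legitimate
    {"image": r"C:\Users\bob\AppData\Roaming\osk.exe"},   # Scarab
    {"image": r"C:\Users\bob\AppData\Roaming\winupas.exe"},  # ClipBanker
    {"image": r"C:\Users\bob\AppData\Roaming\notepad.exe"},
]

if __name__ == "__main__":
    for kind, before, after, known in detect_clipboard_swaps(SAMPLE_CLIPBOARD):
        tag = " (known CosmicBeetle wallet)" if known else ""
        print(f"[{kind}] {before} -> {after}{tag}")
    for image in suspicious_scarab_processes(SAMPLE_EVENTS):
        print(f"suspicious image path: {image}")
```

A user who legitimately copies two addresses of the same coin in a row also produces a swap, so in a live monitor compare each snapshot against what the user last copied (a clipboard poll with no intervening copy event) and treat the known-wallet flag as the high-confidence signal; the path check is stricter and can be turned into an EDR rule as-is.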

Figure 5. Scarab ransom message for the .flycrypt variant

Figure 6. Scarab ransom message for the .restoreserver variant

ScHackTool

ScHackTool is the main Spacecolon component used by its operators. It relies heavily on its GUI and the active participation of its operators; it allows them to orchestrate the attack, downloading and executing additional tools to the compromised machine on demand as they see fit.

From here on, we will refer to multiple GUI components in the same way as they are defined by the Delphi programming language – Labels, TextBoxes, GroupBoxes, etc.

ScHackTool employs a neat anti-emulation trick. When executed, a fake error message pops up (see Figure 7). If the “OK” button is clicked, ScHackTool terminates. One needs to double-click on the “g” in the word “reinstalling” (highlighted in red) to actually display the main window.

Figure 7. Fake error message displayed when ScHackTool is executed

Before the main window is displayed, ScHackTool obtains a text file, list.txt, from its C&C server. This file defines what additional tools are available, their associated names, and URLs from which to download them. An example of such a file is shown in Figure 8. All Spacecolon components, including ScHackTool, use the IPWorks library for network communication.

CAT<NAME> (probably short for “Category”), then a new GroupBox named <NAME> is created and all following entries are associated with it. Similarly, if a line looks like SUB