“Spacecolon” Toolkit Used to Target Multiple Industries with Scarab Ransomware, including Hospitality and Entertainment Organizations

Researchers reveal that the threat actor CosmicBeetle is leveraging the toolset in campaigns to deploy ransomware against multiple industries.

Context

On August 22, 2023, researchers at ESET released the technical details of the Spacecolon toolset, which they observed being leveraged in multiple campaigns to deploy the Scarab ransomware against multiple industries. According to the report, the campaigns are not specifically targeted, but are opportunistic in nature. Known targets include “a hospital and a tourist resort in Thailand, an insurance company in Israel, a local governmental institution in Poland, an entertainment provider in Brazil, an environmental company in Turkey, and a school in Mexico.”

ESET researchers attribute the tool to a threat actor they call CosmicBeetle, which does not appear to be connected to any other threat actors based on currently available data.

Key takeaways from the ESET report include:

  • “CosmicBeetle operators probably compromise web servers vulnerable to the ZeroLogon vulnerability or those whose RDP credentials they are able to brute force.
  • Spacecolon provides, on demand, a large variety of third-party, red team tools.
  • CosmicBeetle has no clear targeting; its victims are all over the world.
  • Spacecolon can serve as a RAT and/or deploy ransomware; we have seen it delivering Scarab.
  • Spacecolon operators or developers appear to be preparing the distribution of new ransomware that we have named ScRansom.”

Technical Details

ESET researchers outlined the following attack pattern:

  1. “CosmicBeetle compromises a vulnerable web server or simply brute forces its RDP credentials.
  2. CosmicBeetle deploys ScHackTool.
  3. Using ScHackTool, CosmicBeetle employs any of the additional third-party tools available on demand to disable security products, extract sensitive information, and gain further access.
  4. If the target is deemed valuable, CosmicBeetle can deploy ScInstaller and use it to install ScService.
  5. ScService provides further remote access for CosmicBeetle.
  6. Finally, CosmicBeetle may choose to deploy the Scarab ransomware through ScService or manually.”

According to the report, “Spacecolon consists of three Delphi components – internally known as HackTool, Installer, and Service […] ScHackTool is the main orchestrator component, which allows CosmicBeetle to deploy the other two. ScInstaller is a small component with a single purpose: to install ScService. ScService acts as a backdoor, allowing CosmicBeetle to execute custom commands, download and execute payloads, and retrieve system information from compromised machines.”
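The initial access step in the attack pattern above, brute-forced RDP credentials, leaves a recognizable trace in Windows Security event logs: a burst of failed logons (event 4625, logon type 10) from one source followed by a success (event 4624) from the same source. The following Python is an added example, not code from the ESET report or this page; the event lines, the simplified JSON field names and the threshold are constructed assumptions, not a real event export.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Security events (simplified JSON export, UTC times);
# 4625 = failed logon, 4624 = successful logon, logon_type 10 = RDP.
SAMPLE_EVENTS = [
    '{"time":"2023-08-22T10:00:01","id":4625,"logon_type":10,"src":"203.0.113.5","user":"admin"}',
    '{"time":"2023-08-22T10:00:05","id":4625,"logon_type":10,"src":"203.0.113.5","user":"administrator"}',
    '{"time":"2023-08-22T10:00:09","id":4625,"logon_type":10,"src":"203.0.113.5","user":"rdpuser"}',
    '{"time":"2023-08-22T10:00:14","id":4625,"logon_type":10,"src":"203.0.113.5","user":"backup"}',
    '{"time":"2023-08-22T10:00:20","id":4625,"logon_type":10,"src":"203.0.113.5","user":"administrator"}',
    '{"time":"2023-08-22T10:00:27","id":4625,"logon_type":10,"src":"203.0.113.5","user":"administrator"}',
    '{"time":"2023-08-22T10:00:33","id":4624,"logon_type":10,"src":"203.0.113.5","user":"administrator"}',
    '{"time":"2023-08-22T10:02:00","id":4625,"logon_type":10,"src":"198.51.100.7","user":"jsmith"}',
    '{"time":"2023-08-22T10:02:10","id":4624,"logon_type":10,"src":"198.51.100.7","user":"jsmith"}',
    '{"time":"2023-08-22T10:03:00","id":4625,"logon_type":3,"src":"192.0.2.9","user":"svc"}',
]

def parse_events(lines):
    """Parse JSON event lines and return them in time order."""
    events = [json.loads(line) for line in lines]
    for e in events:
        e["time"] = datetime.fromisoformat(e["time"])
    return sorted(events, key=lambda e: e["time"])

def find_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Flag sources whose successful RDP logon (4624, type 10) was preceded by
    at least `threshold` failed RDP logons (4625, type 10) within `window`."""
    failures = defaultdict(list)  # src -> [(time, user), ...]
    alerts = {}
    for e in parse_events(lines):
        if e.get("logon_type") != 10:  # only interactive RDP logons count
            continue
        src = e["src"]
        if e["id"] == 4625:
            failures[src].append((e["time"], e["user"]))
        elif e["id"] == 4624:
            recent = [u for t, u in failures[src] if e["time"] - t <= window]
            if len(recent) >= threshold:
                alerts[src] = {
                    "attempts": len(recent),
                    "users_tried": sorted(set(recent)),
                    "success_user": e["user"],
                    "at": e["time"].isoformat(),
                }
    return alerts
```

A single mistyped password before a success (the second source) stays below the threshold, and non-RDP logon types are ignored so ordinary network authentication noise does not trigger the alert.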

Attribution

ESET researchers assessed with high confidence that the new ransomware family they dubbed “ScRansom” was written by CosmicBeetle, the Spacecolon developer, based on “similar Turkish strings in the code, usage of the IPWorks library, and the overall GUI similarity.”

IOCs

ESET researchers provided the following indicators of compromise (IOCs):


TTPs

ESET researchers provided the following MITRE ATT&CK Tactics, Techniques, and Procedures (TTPs):
