Developers Appear To Be Prepping New Ransomware Malware
Hackers are using a toolset that first appeared in 2020, apparently developed by Turkish speakers, to deploy Scarab ransomware, say security researchers.
Cybersecurity firm Eset says the toolkit, dubbed SpaceColon, consists of three main components: a downloader, an installer and a backdoor used to deploy Scarab. SpaceColon, like the ransomware, is written in the Delphi programming language. A Polish cybersecurity firm first documented the toolset in February.
Eset dubs the threat actors behind SpaceColon “CosmicBeetle.” Several builds of the toolkit “contain a lot of Turkish strings; therefore we suspect a Turkish-speaking developer,” Eset writes.
Telemetry suggests that CosmicBeetle compromises targets by brute-forcing the passwords of Remote Desktop Protocol instances or by compromising web servers. Eset assesses with high confidence that the threat group exploits a 2020 vulnerability known as ZeroLogon, tracked as CVE-2020-1472, based on the fact that CosmicBeetle hackers often apply the Windows patches that fix the flaw once they have established access to a compromised system.
The company is less sure whether CosmicBeetle also abused flaws in FortiOS, the operating system of Fortinet security appliances. Researchers say they believe so “based on the vast majority of victims having devices running FortiOS in their environment” and the fact that components of SpaceColon reference the string “Forti” in their code. “Unfortunately, we have no further details on such possible vulnerability exploitation besides these artifacts.”
There seems to be no pattern to CosmicBeetle's victims, which are distributed across the globe. Eset names just a few: a Thai hospital and tourist resort, an Israeli insurance company, a Mexican school and an environmental company in Turkey. “CosmicBeetle does not choose its targets; rather, it finds servers with critical security updates missing and exploits that to its advantage,” Eset wrote.
Not every SpaceColon user relies on the downloader and installer to deploy the backdoor. In some cases, they used an open-source toolkit called Impacket.
Developers of the toolkit also appear to be prepping to distribute a new ransomware that Eset dubs SCRansom. Some samples have already been uploaded to VirusTotal from Turkey. Eset says the developers of SpaceColon and the new ransomware are one and the same “based on similar Turkish strings in the code, usage of the IPWorks library, and the overall GUI similarity.” So far, the ransomware has not been spotted in the wild.