ESET detects spread of Scarab ransomware

ESET has detected the Spacecolon malware toolkit, which is used to spread Scarab ransomware around the world. The threat is likely to infiltrate organizations by compromising vulnerable web servers or by brute-forcing remote desktop (RDP) credentials.

According to ESET telemetry data, Spacecolon attacks have been recorded in various parts of the world, with a high prevalence in European Union countries such as Spain, France, Belgium, Poland and Hungary, as well as in Turkey and Mexico. In addition, the cybercriminals are developing a new ransomware called ScRansom. Once installed, Spacecolon brings a wide range of third-party tools that let attackers disable security products, steal confidential information, and gain further access.

Spacecolon ransomware allows attackers to intercept data.
ESET was able to trace the origin of Spacecolon back to at least May 2020, and it remains active to this day.

“We did not notice any pattern in the choice of victims, focus areas, or target size, except that they were vulnerable to the initial access methods. For example, Spacecolon has been detected in a hospital and tourist facility in Thailand, an insurance company in Israel, a local government agency in Poland, an entertainment company in Brazil, an environmental company in Turkey, and a school in Mexico,” said Jakub Souček, ESET researcher.

The cybercriminals most likely gain access by compromising web servers vulnerable to ZeroLogon or by guessing weak RDP credentials. In addition, Spacecolon can give the attackers backdoor access. The operators do not put much effort into hiding their malware and leave many traces on infected systems.
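Because the article names brute-forced RDP credentials as one of the two initial access paths, the following added example (not ESET's code, and not part of the original report) shows the kind of check a defender can run over Windows Security log events to spot password guessing against RDP. The event records are constructed here for illustration; the field names (EventID 4625/4624, LogonType 10 for RemoteInteractive, IpAddress, TargetUserName) follow the Windows logon event schema, and the threshold and window are assumptions to tune per environment.

```python
"""Flag RDP password-guessing activity in Windows Security log records.

Added example, not code from ESET or the Spacecolon report. The events
below are constructed samples; the 203.0.113.0/24 and 198.51.100.0/24
addresses are documentation ranges, not real infrastructure.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625      # "An account failed to log on"
SUCCESS_LOGON = 4624     # "An account was successfully logged on"
RDP_LOGON_TYPE = 10      # RemoteInteractive, i.e. RDP sessions

# Constructed sample events (not real telemetry). Each dict mimics the
# fields a SIEM would extract from a Security-log event.
SAMPLE_EVENTS = [
    {"ts": "2023-08-01T10:00:01", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.5",  "TargetUserName": "administrator"},
    {"ts": "2023-08-01T10:00:12", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.5",  "TargetUserName": "administrator"},
    {"ts": "2023-08-01T10:00:25", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.5",  "TargetUserName": "administrator"},
    {"ts": "2023-08-01T10:00:40", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.5",  "TargetUserName": "backup"},
    {"ts": "2023-08-01T10:00:55", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.5",  "TargetUserName": "backup"},
    {"ts": "2023-08-01T10:01:10", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.5",  "TargetUserName": "administrator"},
    {"ts": "2023-08-01T10:01:30", "EventID": 4624, "LogonType": 10, "IpAddress": "203.0.113.5",  "TargetUserName": "administrator"},
    {"ts": "2023-08-01T10:02:00", "EventID": 4625, "LogonType": 10, "IpAddress": "198.51.100.7", "TargetUserName": "jsmith"},
    {"ts": "2023-08-01T10:30:00", "EventID": 4625, "LogonType": 10, "IpAddress": "198.51.100.7", "TargetUserName": "jsmith"},
    # A failed network logon (type 3) is not RDP and must be ignored.
    {"ts": "2023-08-01T10:03:00", "EventID": 4625, "LogonType": 3,  "IpAddress": "203.0.113.9",  "TargetUserName": "svc-sql"},
]


def _is_rdp(event, event_id):
    return event["EventID"] == event_id and event["LogonType"] == RDP_LOGON_TYPE


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: max_failures_in_window} for every source that
    produced at least `threshold` failed RDP logons inside any `window`.

    Uses a sliding window over the sorted failure timestamps per IP, so
    slow guessing spread over hours is not counted unless the window allows.
    """
    failures = defaultdict(list)
    for e in events:
        if _is_rdp(e, FAILED_LOGON):
            failures[e["IpAddress"]].append(datetime.fromisoformat(e["ts"]))

    hits = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until the span fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[ip] = max(hits.get(ip, 0), count)
    return hits


def find_success_after_failures(events, flagged):
    """Return the flagged source IPs that later logged on over RDP successfully.

    This is the pattern password guessing leaves behind when it finally works:
    a burst of 4625 events followed by a 4624 from the same source.
    """
    first_failure = {}
    for e in events:
        if _is_rdp(e, FAILED_LOGON) and e["IpAddress"] in flagged:
            t = datetime.fromisoformat(e["ts"])
            first_failure[e["IpAddress"]] = min(first_failure.get(e["IpAddress"], t), t)

    succeeded = set()
    for e in events:
        ip = e["IpAddress"]
        if _is_rdp(e, SUCCESS_LOGON) and ip in first_failure:
            if datetime.fromisoformat(e["ts"]) > first_failure[ip]:
                succeeded.add(ip)
    return sorted(succeeded)


if __name__ == "__main__":
    flagged = find_rdp_bruteforce(SAMPLE_EVENTS)
    print("sources with RDP brute-force bursts:", flagged)
    print("of those, sources that then logged on:", find_success_after_failures(SAMPLE_EVENTS, flagged))
```

In the constructed sample, 203.0.113.5 produces six failed RDP logons within seventy seconds and then a successful one, so it is reported by both functions; 198.51.100.7 makes only two attempts half an hour apart and stays below the default threshold. The same two functions apply unchanged to event dicts exported from a SIEM or from `Get-WinEvent`, as long as the field names are mapped to the ones used here.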

After compromising a vulnerable web server, the cybercriminals deploy ScHackTool. This core component lets the operators orchestrate the attack by downloading and running additional tools on the device. If the target is deemed interesting, the attackers can deploy further tools that provide additional remote access.

The final payload deployed is the Scarab ransomware. This variant can internally deploy ClipBanker, malware that monitors the clipboard and replaces any cryptocurrency wallet address it finds there with the attackers’ own address.

In addition, a new ransomware family, ScRansom, is currently being developed, and samples of it have been uploaded to VirusTotal. ESET researchers believe with high confidence that this malware was written by the same developers as Spacecolon. ScRansom tries to encrypt all fixed, removable and remote disks. ESET has not yet seen this malware deployed in a real-world environment, and it is likely still under development.

Due to the risk of further spread of the threat, ESET recommends that you apply the latest software updates, use two-factor authentication to log in to your accounts in addition to passwords, and install programs to protect your computers and mobile devices from various threats, including ransomware, phishing attacks, and other types of malware.
