Scarab Ransomware Disseminated Globally Through Spacecolon Software Kit
Scarab Ransomware Disseminated Globally Through Spacecolon Software Kit

Image: sebastiaan stam (unsplash)

Researchers from ESET have discovered a malicious software kit named Spacecolon, responsible for disseminating variants of the Scarab ransomware to numerous organizations worldwide.

ESET’s advisory, released earlier today, indicates that the software kit is potentially entering victim organizations by capitalizing on vulnerable web servers or by mounting brute-force attacks on Remote Desktop Protocol (RDP) credentials.

Further investigation by ESET showed that specific versions of Spacecolon feature Turkish linguistic elements, pointing to a Turkish-speaking developer’s possible involvement.

Although the roots of Spacecolon can be traced back to as early as May 2020, the launch of new campaigns hasn’t ceased, with the latest version being developed in May 2023. Despite rigorous monitoring and evaluation, ESET remains uncertain about attributing the software kit’s usage to any recognized threat actor group. Hence, the researchers have coined the term “CosmicBeetle” for the individuals orchestrating Spacecolon.

From an analytical perspective, this software kit consists of three main Delphi components: ScHackTool, ScInstaller, and ScService. These components grant CosmicBeetle the capability to gain remote access, integrate additional tools, and even initiate ransomware offensives.

With ScHackTool at the helm, it oversees the integration of both ScInstaller and ScService. The primary role of ScInstaller is to set up ScService, which acts as a concealed gateway. This gateway enables CosmicBeetle to run commands, incorporate payloads, and gather system data.

Moreover, Spacecolon’s operators significantly depend on a mix of third-party tools, encompassing both authentic and harmful ones, which can be accessed as needed.

Further insights into third-party breaches reveal: A Vast Majority of Organizations Collaborate with Recently Compromised Vendors.

Also, ESET’s in-depth analysis led to the identification of a novel ransomware category, named ScRansom. It is speculated to be the brainchild of the developer behind Spacecolon. This emergent ransomware portrays comparable Turkish linguistic elements within its structure and bears resemblance in its visual interface.

The primary design of ScRansom is to encrypt different drive systems using the AES-128 mechanism, producing a key derived from a fixed string. Although its presence hasn’t been marked in current offensives, ESET proposes that ScRansom remains in the refining phase.

For an exhaustive overview regarding the Spacecolon software kit, its association with the Scarab ransomware, and the ever-changing threat dimension, enthusiasts are prompted to consult ESET’s definitive research document.