Scarab Ransomware Deployed Worldwide Via Spacecolon Toolset

Written by

Cybersecurity researchers from ESET have uncovered a malicious toolset named Spacecolon that has been deployed to spread variants of the Scarab ransomware across global victim organizations.

According to an advisory published by ESET earlier today, the toolset is believed to gain entry into victim organizations by exploiting vulnerable web servers or leveraging brute-force attacks on Remote Desktop Protocol (RDP) credentials.

ESET’s investigation also revealed that certain Spacecolon versions contain Turkish strings, suggesting the involvement of a Turkish-speaking developer. 

Although Spacecolon’s origins trace back to at least May 2020, new campaigns are ongoing, with the most recent build compiled in May 2023. Despite extensive tracking and analysis, ESET has not yet attributed the use of the toolset to any known threat actor group. As a result, the firm is referring to the operators behind Spacecolon as “CosmicBeetle.”

From a technical standpoint, the toolset comprises three primary Delphi components – ScHackTool, ScInstaller and ScService – which enable CosmicBeetle to establish remote access, deploy additional tools and even launch ransomware attacks. 

ScHackTool, acting as the orchestrator, manages the deployment of ScInstaller and ScService. ScInstaller’s sole purpose is to install ScService, which functions as a backdoor, allowing CosmicBeetle to execute commands, download payloads and retrieve system information.

In addition to these core components, the operators of Spacecolon heavily rely on an array of third-party tools, both legitimate and malicious, available on demand.

Read more on third-party breaches: Almost all Organizations are Working with Recently Breached Vendors

ESET’s analysis also unveiled the development of a new ransomware family, ScRansom, believed to be created by the same developer behind Spacecolon. This new ransomware exhibits similar Turkish strings in its code and shares similarities in its graphical user interface. 

ScRansom is designed to encrypt various drives using the AES-128 algorithm, generating a key from a hardcoded string. Although it has not been observed in active attacks, ESET suggests that ScRansom is still in its developmental stage.

For more detailed information about the Spacecolon toolset, its ties to the Scarab ransomware and the evolving threat landscape, readers are encouraged to refer to ESET’s official research publication.

What’s hot on Infosecurity Magazine?