Scarab Ransomware Deployed Using SpaceColon Toolkit

Aug 30, 2023

Fraud Management & Cybercrime , Ransomware

Hackers are using a tool set that first appeared in 2020 and apparently was developed by Turkish speakers to deploy Scarab ransomware, say security researchers.

See Also: Live Webinar | Unmasking Pegasus: Understand the Threat & Strengthen Your Digital Defense

Cybersecurity firm Eset said the toolkit, dubbed SpaceColon, consists of three main components: a downloader, an installer and a backdoor used to deploy Scarab. SpaceColon, like the ransomware, is written in the Delphi software language. A Polish cybersecurity firm first documented the tool set in February.

Eset dubbed the threat actors behind SpaceColon "CosmicBeetle." Several builds of the toolkit "contain a lot of Turkish strings; therefore we suspect a Turkish-speaking developer," Eset wrote.

Telemetry suggests that CosmicBeetle compromise targets by brute-forcing the password to remote desktop protocol instances or by compromising web servers. Eset assessed with "high confidence" that the threat group exploits a 2020 vulnerability known as ZeroLogon, tracked as CVE-2020-1472, based on the fact that CosmicBeetle hackers oftentimes apply Windows patches to fix the flaw once they've established access to a compromised system.

The researchers are less sure whether CosmicBeetle also abused flaws in the Fortinet security appliance operating system FortiOS. They said they believe so "based on the vast majority of victims having devices running FortiOS in their environment" and the fact that components of SpaceColon reference the string "Forti" in their code. "Unfortunately, we have no further details on such possible vulnerability exploitation besides these artifacts."

There seems to be no pattern to CosmicBeetle victims, which are distributed across the globe. Eset named just a few: a Thai hospital and tourist resort, an Israeli insurance company, a Mexican school and an environmental company in Turkey. "CosmicBeetle does not choose its targets; rather, it finds servers with critical security updates missing and exploits that to its advantage," Eset wrote.

Not every SpaceColon user used the downloader and installer to deploy the backdoor. In some cases, they used an open-source toolkit called Impacket.

Developers of the toolkit also appear to be preparing to distribute a new ransomware that Eset dubbed SCRansom. Some samples have already been uploaded to VirusTotal from Turkey. Eset said the developers of SpaceColon and the new ransomware are the same "based on similar Turkish strings in the code, usage of the IPWorks library, and the overall GUI similarity." So far, the ransomware has not been spotted in the wild.