Space Pirates Cyber Group Strikes with New Malware
APT Steps Up Attacks on Russian, Serbian Organizations

Overt Operator
August 02, 2023
Cybersecurity specialists are sounding the alarm as an advanced persistent threat (APT) group, known as Space Pirates, steps up attacks on Russian and Serbian organizations.
In a recent in-depth report by Positive Technologies, the cybercriminal group has been implicated in strikes against 16 organizations within the past year. Notably, their tactics have evolved, adding fresh cyber weapons to their repertoire, shifting from their established focus on espionage and theft of confidential data to an expanded interest in a broader geographical range of targets.
Victims encompass a diverse range of sectors, including government agencies, private security firms, educational institutions, aerospace manufacturers, agricultural producers, defense companies, energy corporations, and healthcare firms. Space Pirates' activities have intensified over the past year, showing their increasing adaptability and willingness to venture into different areas of operation.
First uncovered by the Russian cybersecurity firm in May 2022, Space Pirates has been active since at least late 2019. Intriguingly, they are believed to be linked to another cyber adversary known as Webworm, tracked by the cybersecurity firm Symantec.
Space Pirates' latest weapon, Deed RAT, is an iteration of the infamous ShadowPad malware, itself an evolved form of PlugX. Both ShadowPad and PlugX are widely associated with Chinese cyber espionage campaigns. This malware, available in both 32- and 64-bit versions, is still under active development and has been designed to retrieve additional plug-ins from a remote server dynamically.
Among these plug-ins are a Disk plug-in that can enumerate files and folders, write arbitrary files to disk, execute commands, and connect to network drives, and a Portmap module used for port forwarding.
Interestingly, Deed RAT also serves as a pathway for next-stage payloads, such as Voidoor. This new malware variant is designed to make contact with a legitimate forum called Voidtools and a GitHub repository associated with a user named "hasdhuahd" for command-and-control (C2) purposes.
Notably, Voidoor has a unique method of operation. Its main goal is to log in to the Voidtools forum using hard-coded credentials and search the user's personal messaging system for a folder that matches a specific victim ID.
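The abuse of a legitimate forum and a GitHub account as C2 channels, as described above, is hard to catch by blocklisting destinations alone. As an added illustration (not code from the report or from Positive Technologies), the Python script below shows one defensive approach: it parses constructed proxy log lines of the form "timestamp host client_process method path" and flags (a) watched legitimate domains contacted by processes that are not browsers or git clients and (b) near-constant request intervals from one process to one host, which suggest beaconing. The domain names, process names, log format and sample lines are assumptions made for the example, not indicators taken from the report.

```python
"""Hunt for legitimate-service C2 (forum / GitHub) in outbound proxy logs.

Added example, not part of the original report. Domains, process names and
the log format are assumptions chosen for illustration.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Processes expected to talk to each watched service. Anything else that
# reaches these hosts is worth a look. (Assumed allow-lists, not from the report.)
EXPECTED_CLIENTS = {
    "github.com": {"chrome.exe", "firefox.exe", "msedge.exe",
                   "git.exe", "git-remote-https.exe"},
    "forum.voidtools.com": {"chrome.exe", "firefox.exe", "msedge.exe"},
}

# Constructed sample proxy log (not real traffic). The GitHub user name
# "hasdhuahd" is the one named in the report; every other value is made up.
SAMPLE_LOG = """\
2023-07-20T09:00:00 github.com git.exe GET /org/repo.git/info/refs
2023-07-20T09:01:12 forum.voidtools.com firefox.exe GET /index.php
2023-07-20T09:05:00 forum.voidtools.com svchost_update.exe POST /login
2023-07-20T09:10:00 forum.voidtools.com svchost_update.exe GET /pm/inbox
2023-07-20T09:15:00 forum.voidtools.com svchost_update.exe GET /pm/inbox
2023-07-20T09:20:00 forum.voidtools.com svchost_update.exe GET /pm/inbox
2023-07-20T09:20:30 github.com svchost_update.exe GET /hasdhuahd
2023-07-20T09:21:00 github.com chrome.exe GET /explore
"""


def parse_log(text):
    """Split each log line into a dict; the path may contain spaces, so split at most 4 times."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, method, path = line.split(maxsplit=4)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "host": host.lower(),
            "proc": proc.lower(),
            "method": method,
            "path": path,
        })
    return events


def unexpected_clients(events):
    """Events where a watched service is contacted by a process not expected to use it."""
    return [
        e for e in events
        if e["host"] in EXPECTED_CLIENTS and e["proc"] not in EXPECTED_CLIENTS[e["host"]]
    ]


def periodic_contacts(events, min_events=3, max_jitter=0.2):
    """Per (process, host), flag request trains whose gaps are nearly constant.

    Returns {(proc, host): mean_gap_seconds} for groups with at least
    min_events requests and a coefficient of variation <= max_jitter.
    """
    groups = defaultdict(list)
    for e in events:
        groups[(e["proc"], e["host"])].append(e["ts"])

    findings = {}
    for key, times in groups.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        if statistics.pstdev(gaps) / mean <= max_jitter:
            findings[key] = round(mean)
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in unexpected_clients(evs):
        print(f"[unexpected client] {e['ts']} {e['proc']} -> {e['host']} {e['method']} {e['path']}")
    for (proc, host), period in periodic_contacts(evs).items():
        print(f"[beacon-like] {proc} -> {host} every ~{period}s")
```

The allow-list check is deliberately simple: in production the originating process name would come from EDR or proxy-agent telemetry rather than a plain log field, and the beacon check should be run over a much longer window than the few minutes shown here, since real implants often add jitter that pushes the coefficient of variation above a fixed threshold.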
Accounts associated with the GitHub repository and the Voidtools forum were registered in November 2022, suggesting a timeline for this operation.
Positive Technologies warns of the group's innovative and adapting tactics:
"The hackers are working on a new malware that implements unconventional techniques, such as Voidoor, and modifying their existing malware," the firm stated.
The technology researcher also highlighted that the actors utilize "a large number of publicly available tools for navigating networks" and employ the Acunetix web vulnerability scanner to "reconnoiter infrastructures it targets."