ESET researchers analyzed Spacecolon, the toolkit of the group they track as CosmicBeetle, which they believe was written by a Turkish-speaking developer, and found that it is used to deploy the Scarab ransomware on compromised servers.
Spacecolon victims, whose operators ESET has named CosmicBeetle, were detected mostly in European countries, Turkey and Mexico, although the group does not appear to have a clear targeting pattern.
Spacecolon functions as a remote access toolkit that can steal sensitive information or deploy the Scarab ransomware. CosmicBeetle most likely gains initial access through servers vulnerable to ZeroLogon (CVE-2020-1472, an authentication bypass in the Windows Netlogon protocol) or through RDP credentials it brute-forces. ESET also expects CosmicBeetle to begin distributing a new ransomware called ScRansom. Some Spacecolon components contain many Turkish strings, which is why ESET believes the toolkit was written by a Turkish-speaking developer.
History dates back to 2020
According to ESET's research, Spacecolon's history dates back to at least May 2020 and its activity continues. ESET named Spacecolon's operators CosmicBeetle to reflect the "space" and "scarab" connection (Spacecolon and the Scarab ransomware it delivers). Spacecolon cases seen in ESET telemetry span the whole world, with high prevalence in European Union countries such as Spain, France, Belgium, Poland and Hungary. ESET also observed high prevalence in Türkiye and Mexico. CosmicBeetle appears to be preparing the distribution of the new ransomware ScRansom. Besides installing ransomware on servers it takes over, Spacecolon bundles a wide variety of third-party tools that let the attackers disable security products, steal sensitive information and gain further access.
Prevalence concentrates in Türkiye and Mexico
ESET researcher Jakub Souček explained: "We did not observe any similarity among the victims of Spacecolon, other than their vulnerability to the access methods used by CosmicBeetle. Nor did we find any patterns in the areas of focus of the targets or their size. To name a few (by type and geography), we have observed Spacecolon at a hospital and tourist resort in Thailand, an insurance company in Israel, a local government agency in Poland, an entertainment provider in Brazil, an environmental company in Turkey, and a school in Mexico."
CosmicBeetle most likely targets servers vulnerable to ZeroLogon (CVE-2020-1472) or those with RDP credentials it can brute-force. Spacecolon can also provide the operators with backdoor access. CosmicBeetle makes no appreciable effort to hide its malware and leaves numerous traces on compromised systems.
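Brute-forced RDP credentials are one of the two access methods named above, and they are noisy: every failed attempt lands in the Windows Security log as event 4625, followed by a 4624 if a password eventually works. The following detector is an added example, not code from ESET or from the Spacecolon toolkit. It runs over a handful of constructed events written as JSON lines (the field names mirror the Security log, but the records themselves are made up for this illustration) and raises a medium alert when one source IP reaches a failure threshold inside a sliding window, then a high alert if that IP subsequently logs on successfully. The threshold and window values are assumptions to tune per environment.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). One JSON object per line, with
# the Security-log fields the detector needs. 203.0.113.7 sprays six passwords in
# 25 seconds and then gets in; 198.51.100.5 is a user who mistyped once.
SAMPLE_LOG = """
{"TimeCreated": "2023-08-01T10:00:00", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "administrator"}
{"TimeCreated": "2023-08-01T10:00:05", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "admin"}
{"TimeCreated": "2023-08-01T10:00:10", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "backup"}
{"TimeCreated": "2023-08-01T10:00:12", "EventID": 4625, "LogonType": 2, "IpAddress": "-", "TargetUserName": "jdoe"}
{"TimeCreated": "2023-08-01T10:00:15", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "sqlsvc"}
{"TimeCreated": "2023-08-01T10:00:20", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "administrator"}
{"TimeCreated": "2023-08-01T10:00:25", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "administrator"}
{"TimeCreated": "2023-08-01T10:00:40", "EventID": 4624, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "administrator"}
{"TimeCreated": "2023-08-01T10:01:00", "EventID": 4625, "LogonType": 10, "IpAddress": "198.51.100.5", "TargetUserName": "jdoe"}
{"TimeCreated": "2023-08-01T10:01:30", "EventID": 4624, "LogonType": 10, "IpAddress": "198.51.100.5", "TargetUserName": "jdoe"}
"""

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
# Logon type 10 is RemoteInteractive (classic RDP); type 3 (Network) is what
# failed attempts look like when Network Level Authentication is enabled.
RDP_LOGON_TYPES = {3, 10}


def parse_events(text):
    """Parse JSON-lines events and return them sorted by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["TimeCreated"] = datetime.fromisoformat(ev["TimeCreated"])
        events.append(ev)
    events.sort(key=lambda e: e["TimeCreated"])
    return events


def detect_rdp_bruteforce(events, threshold=5, window_seconds=60):
    """Sliding-window detector.

    Emits a medium-severity alert the first time a source IP accumulates
    `threshold` failed RDP logons within `window_seconds`, and a high-severity
    alert when an IP that was flagged later produces a successful logon
    (the pattern that precedes hands-on-keyboard activity such as ScHackTool).
    Threshold and window are assumed defaults, not values from the research.
    """
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for ev in events:
        if ev.get("LogonType") not in RDP_LOGON_TYPES:
            continue  # interactive, service or batch logons are out of scope
        ip = ev.get("IpAddress", "-")
        ts = ev["TimeCreated"]
        if ev["EventID"] == FAILED_LOGON:
            recent = failures[ip]
            recent.append(ts)
            while recent and ts - recent[0] > window:
                recent.popleft()  # drop failures that fell out of the window
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({
                    "severity": "medium", "ip": ip, "time": ts,
                    "reason": f"{len(recent)} failed RDP logons in {window_seconds}s",
                })
        elif ev["EventID"] == SUCCESSFUL_LOGON and ip in flagged:
            alerts.append({
                "severity": "high", "ip": ip, "time": ts,
                "reason": f"successful RDP logon as {ev.get('TargetUserName')} "
                          f"after brute-force burst",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        print(alert["severity"].upper(), alert["time"], alert["ip"], alert["reason"])
```

On the constructed input the detector produces exactly two alerts for 203.0.113.7 (the burst, then the successful logon) and nothing for the single mistyped password. In production the same logic would be fed from the Security channel (for example via `Get-WinEvent` export or a SIEM), and the window should key on the account as well as the IP to catch slow, distributed sprays that a per-IP threshold alone misses.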
After CosmicBeetle takes over a vulnerable server, it deploys ScHackTool, the main Spacecolon component. The attacks rely heavily on ScHackTool's GUI and on the active participation of the operators, who use it to download and run additional tools on the compromised machine on demand, as they see fit. If CosmicBeetle judges the target valuable, it can deploy ScInstaller and use it to install ScService, which provides additional remote access. The final payload CosmicBeetle deploys is a variant of the Scarab ransomware. This variant also deploys ClipBanker, a clipboard hijacker that monitors clipboard contents and replaces anything that looks like a cryptocurrency wallet address with an attacker-controlled address.
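A clipper such as ClipBanker gives itself away by one behaviour: the clipboard changes from one wallet address to a different address of the same type within a fraction of a second of the user's copy, with no user action in between. The heuristic below is an added example and not code from ESET's report or from the ClipBanker sample; it classifies clipboard contents by address shape (Bitcoin legacy and bech32, Ethereum, which are assumptions about what a given clipper targets; the regexes check format only, not checksums) and flags a same-type substitution inside a short gap. The clipboard observations and the addresses are constructed for the demo; a real monitor would poll the OS clipboard instead.

```python
import re
from datetime import datetime, timedelta

# Address shapes a clipper commonly targets. Assumption: format-only matching is
# enough for a heuristic; no checksum validation is attempted.
WALLET_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),   # Base58 P2PKH/P2SH
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),       # bech32 charset
    "eth":        re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text):
    """Return the address family name if `text` looks like a wallet address, else None."""
    text = text.strip()
    for family, pattern in WALLET_PATTERNS.items():
        if pattern.match(text):
            return family
    return None


def detect_clipboard_swaps(observations, max_gap_seconds=2.0):
    """Flag clipper-style substitutions in a sequence of clipboard snapshots.

    `observations` is a list of (datetime, clipboard_text) in polling order.
    A swap is reported when two consecutive snapshots are both wallet addresses
    of the same family, differ, and are closer together than `max_gap_seconds`
    (an assumed value: clippers typically rewrite within a few hundred ms, while
    a human copying a second address takes far longer).
    """
    alerts = []
    for (t_prev, prev), (t_cur, cur) in zip(observations, observations[1:]):
        fam_prev, fam_cur = classify_address(prev), classify_address(cur)
        if fam_prev is None or fam_prev != fam_cur or prev.strip() == cur.strip():
            continue
        gap = (t_cur - t_prev).total_seconds()
        if gap <= max_gap_seconds:
            alerts.append({
                "asset": fam_prev,
                "original": prev.strip(),
                "replacement": cur.strip(),
                "gap_seconds": gap,
                "time": t_cur,
            })
    return alerts


# Constructed addresses: valid in shape only, deliberately not real wallets.
USER_BTC = "1EXAMPLEADDR" + "Q" * 22
ATTACKER_BTC = "1ATTACKERADDR" + "Q" * 21
T0 = datetime(2023, 8, 1, 12, 0, 0)

# Constructed clipboard timeline as a poller would record it.
OBSERVATIONS = [
    (T0 + timedelta(seconds=0.0), "meeting notes for Monday"),
    (T0 + timedelta(seconds=1.0), USER_BTC),          # user copies their own address
    (T0 + timedelta(seconds=1.3), ATTACKER_BTC),      # clipper rewrites it 300 ms later
    (T0 + timedelta(seconds=10.0), "0x" + "11" * 20),
    (T0 + timedelta(seconds=30.0), "0x" + "22" * 20), # different ETH address 20 s later: user re-copy, not flagged
    (T0 + timedelta(seconds=40.0), "bc1q" + "q" * 38),
    (T0 + timedelta(seconds=40.5), "bc1q" + "q" * 38), # unchanged content: nothing to report
]


if __name__ == "__main__":
    for alert in detect_clipboard_swaps(OBSERVATIONS):
        print(f"{alert['asset']} swap after {alert['gap_seconds']:.1f}s: "
              f"{alert['original']} -> {alert['replacement']}")
```

Only the Bitcoin rewrite at 1.3 s is reported; the Ethereum change 20 seconds later is treated as a legitimate re-copy, which is the trade-off of a timing heuristic. A more robust check, when the copy source is known (a wallet application hooking its own copy action), is to compare what was copied against what is about to be pasted and refuse the paste on mismatch.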
Samples uploaded to VirusTotal from Turkey show a new ransomware family under development. ESET Research is almost certain that this new ransomware, called ScRansom, was written by the same developers as Spacecolon. ScRansom tries to encrypt all hard, removable and remote drives. ESET has not observed widespread distribution of this ransomware, which appears to still be in development.