CosmicBeetle Group and cyberepidemia: how the new ScRansom toolkit can become a global threat

ZeroLogon vulnerability opens doors for hackers again and increases risks for corporate servers.

ESET information security specialists have discovered a malicious set of software tools called Spacecolon. The toolkit is used to distribute variants of the Scarab ransomware around the world.

According to the study, Spacecolon penetrates organizations' systems by exploiting web server vulnerabilities (such as Zerologon) or by brute-forcing RDP (Remote Desktop Protocol) credentials.
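The RDP credential brute-forcing described above leaves a characteristic trace on the target: a burst of failed logons (Windows Security Event ID 4625) from a single source address, often against many different account names. The following detector is an added example written for this post, not code from the article or from ESET; the log records it parses are constructed and simplified to one line per event, and the threshold and window values are assumptions a defender would tune to their environment.

```python
"""Flag RDP password-guessing bursts in simplified Windows Security log records.

Added example: counts failed logons (Event ID 4625) per source IP that use
the logon types an RDP session produces, inside a sliding time window.
The records below are constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Logon types produced by RDP sessions: 10 = RemoteInteractive;
# 3 = Network, which is what Network Level Authentication pre-auth failures log as.
RDP_LOGON_TYPES = {"3", "10"}

# Constructed sample records: "<timestamp> <event id> key=value ...".
# 203.0.113.7 hammers the host with six RDP failures in 16 seconds;
# 198.51.100.20 is a user who mistyped a password twice, minutes apart.
SAMPLE_RECORDS = [
    "2023-05-02T09:00:01 4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7",
    "2023-05-02T09:00:03 4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7",
    "2023-05-02T09:00:05 4625 LogonType=3 TargetUserName=ivan IpAddress=198.51.100.20",
    "2023-05-02T09:00:06 4625 LogonType=10 TargetUserName=guest IpAddress=203.0.113.7",
    "2023-05-02T09:00:09 4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.7",
    "2023-05-02T09:00:12 4625 LogonType=2 TargetUserName=svc IpAddress=203.0.113.7",  # console, not RDP
    "2023-05-02T09:00:14 4625 LogonType=10 TargetUserName=sql IpAddress=203.0.113.7",
    "2023-05-02T09:00:17 4625 LogonType=10 TargetUserName=root IpAddress=203.0.113.7",
    "2023-05-02T09:00:20 4624 LogonType=10 TargetUserName=ivan IpAddress=198.51.100.20",  # success
    "2023-05-02T09:03:00 4625 LogonType=3 TargetUserName=ivan IpAddress=198.51.100.20",
]


def parse_record(line):
    """Turn one simplified record into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    fields = {"ts": ts, "event_id": parts[1]}
    for kv in parts[2:]:
        key, _, value = kv.partition("=")
        fields[key] = value
    return fields


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: (peak_failures_in_window, sorted accounts tried)}.

    Only sources whose failed RDP logons reach `threshold` inside any
    `window`-long span are reported. Successful logons, other event IDs and
    non-RDP logon types are ignored, so a console failure does not count.
    """
    recent = defaultdict(deque)   # source ip -> timestamps of recent failures
    accounts = defaultdict(set)   # source ip -> account names that failed over RDP
    peak = {}                     # source ip -> largest in-window failure count seen
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["event_id"] != "4625":
            continue
        if rec.get("LogonType") not in RDP_LOGON_TYPES:
            continue
        ip = rec.get("IpAddress", "-")
        q = recent[ip]
        q.append(rec["ts"])
        accounts[ip].add(rec.get("TargetUserName", "?").lower())
        # Drop failures that fell out of the sliding window.
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        peak[ip] = max(peak.get(ip, 0), len(q))
    return {
        ip: (count, tuple(sorted(accounts[ip])))
        for ip, count in peak.items()
        if count >= threshold
    }


if __name__ == "__main__":
    for ip, (count, names) in detect_rdp_bruteforce(SAMPLE_RECORDS).items():
        print(f"{ip}: {count} failed RDP logons within a minute, accounts tried: {', '.join(names)}")
```

The detector reports the peak number of failures inside the window rather than a cumulative total, so a legitimate user who fails twice over several minutes is not flagged, while a source that cycles through many account names in seconds is. The list of distinct accounts tried is what separates password spraying across usernames from repeated guesses against one account, and the source address is what you would feed into a firewall block or an RDP exposure review.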

Spacecolon attacks have been recorded all over the world and are especially active in the European Union (Spain, France, Belgium, Poland and Hungary), as well as in Turkey and Mexico. It is noteworthy that some versions of Spacecolon contain Turkish strings in their code, which points to a possible Turkish origin of the developer.

Although the first versions of Spacecolon date back to at least May 2020, new campaigns are ongoing, with the most recent samples compiled in May 2023. Despite careful analysis and tracking, ESET has not yet been able to attribute the toolkit to any known cybercriminal group. As a result, the researchers designated the Spacecolon operators with the code name "CosmicBeetle".

Spacecolon consists of three main components written in the Delphi programming language: ScHackTool, ScInstaller, and ScService. The components allow CosmicBeetle to set up remote access, deploy additional tools, and even launch ransomware attacks.
  • ScHackTool acts as an orchestrator that manages the deployment of ScInstaller and ScService;
  • ScInstaller is created exclusively for installing ScService;
  • ScService functions as a backdoor, allowing CosmicBeetle to execute commands, download payloads, and collect information about the system.

CosmicBeetle's ultimate payload is a variant of the Scarab ransomware, which deploys ClipBanker, malware that intercepts clipboard content and modifies it as the attacker chooses.

During the analysis, ESET also discovered a new ransomware family under development, called ScRansom. Presumably, it was created by the same developer as Spacecolon. ScRansom is designed to encrypt all hard, removable, and network drives using the AES-128 algorithm. Although no active attacks using this software have been observed yet, researchers believe that ScRansom is still under development.