The threat actor known as Space Pirates has been linked to attacks against at least 16 organizations in Russia and Serbia over the past year by employing novel tactics and adding new cyber weapons to its arsenal.
“The cybercriminals’ main goals are still espionage and theft of confidential information, but the group has expanded its interests and the geography of its attacks,” Positive Technologies said in a deep dive report published last week.
Space Pirates was first exposed by the Russian cybersecurity company in May 2022, highlighting its attacks on the aerospace sector in the nation. The group, said to be active since at least late 2019, has links to another adversary tracked by Symantec as Webworm.
Deed RAT is said to be a successor to ShadowPad, which in itself is an evolution of PlugX, both of which are widely used by Chinese cyber espionage crews. Under active development, the malware comes in both 32- and 64-bit versions and is equipped to dynamically retrieve additional plug-ins from a remote server.
Deed RAT also functions as a conduit to serve next-stage payloads such as Voidoor, a previously undocumented malware that’s is designed to contact a legitimate forum called Voidtools and a GitHub repository associated with a user named “hasdhuahd” for command-and-control (C2).
Voidtools is the developer of a freeware desktop search utility for Microsoft Windows called Everything, with its forum powered using an open-source forum software called MyBB. The primary goal of Voidoor is to login to the forum using hard-coded credentials and access the user’s personal messaging system to look for a folder matching a particular victim ID.
“The hackers are working on new malware that implements unconventional techniques, such as Voidoor, and modifying their existing malware,” Positive Technologies said, adding the actors use a “large number of publicly available tools for navigating networks” and leverage the Acunetix web vulnerability scanner to “reconnoiter infrastructures it targets.”
Source: https://thehackernews.com/