ESET Research Reveals Turkish-Origin CosmicBeetle Group Using Spacecolon Toolset for Ransomware Deployment and Data Theft Globally
(IN BRIEF) ESET Research has conducted an analysis of the Spacecolon toolset, which is utilized to deploy Scarab ransomware variants globally. The toolset is believed to be of Turkish origin and is operated by a group named CosmicBeetle. Spacecolon’s primary function is to spread Scarab ransomware, but it also serves as a remote access trojan capable of stealing sensitive data. The operators target vulnerable web servers, possibly exploiting the ZeroLogon vulnerability or using brute force on RDP credentials. The group appears to be preparing the distribution of a new ransomware named ScRansom. Spacecolon incidents have been detected worldwide, with a focus on European countries, Turkey, and Mexico.
(PRESS RELEASE) BRATISLAVA/PRAGUE, 23-Aug-2023 — /EuropaWire/ — ESET Research has released its analysis of Spacecolon, a small toolset used to deploy variants of Scarab ransomware to victims all over the world. It likely penetrates victim organizations through operators compromising vulnerable web servers or via brute forcing RDP credentials. Several Spacecolon builds contain many Turkish strings; therefore, ESET believes it is written by a Turkish-speaking developer. ESET was able to track the origins of Spacecolon back to at least May 2020, and its campaigns are ongoing. ESET named Spacecolon’s operators CosmicBeetle to represent the link to “space” and “scarab.”
Spacecolon incidents identified by ESET telemetry encompass the globe, with high prevalence in European Union countries, such as Spain, France, Belgium, Poland, and Hungary; elsewhere, ESET has detected high prevalence in Turkey and Mexico. CosmicBeetle appears to be preparing the distribution of new ransomware — ScRansom. Post-compromise, along with installing ransomware, Spacecolon offers a large variety of third-party tools that allow the attackers to disable security products, extract sensitive information, and gain further access.
“We have not observed any pattern to Spacecolon’s victims besides them being vulnerable to the initial access methods employed by CosmicBeetle. Neither have we found any pattern among the targets’ areas of focus or size. However, to name a few (by type and geography), we have observed Spacecolon at a hospital and tourist resort in Thailand, an insurance company in Israel, a local governmental institution in Poland, an entertainment provider in Brazil, an environmental company in Turkey, and a school in Mexico,” says ESET researcher Jakub Souček, author of the analysis.
CosmicBeetle probably compromises web servers vulnerable to the ZeroLogon vulnerability or those with RDP credentials that it is able to brute force. Additionally, Spacecolon can provide backdoor access for its operators. CosmicBeetle doesn’t make any considerable effort to hide its malware and leaves plenty of artifacts on compromised systems.
After CosmicBeetle compromises a vulnerable web server, it deploys ScHackTool, the main Spacecolon component that CosmicBeetle uses. ScHackTool relies heavily on its GUI and on the active participation of its operators; it allows them to orchestrate the attack, downloading additional tools to the compromised machine and executing them on demand as they see fit. If the target is deemed valuable, CosmicBeetle can deploy ScInstaller and use it, e.g., to install ScService, which provides further remote access.
The final payload CosmicBeetle deploys is a variant of the Scarab ransomware. This variant internally deploys a ClipBanker, a type of malware that monitors the content of the clipboard and changes content that it deems likely to be a cryptocurrency wallet address to an attacker-controlled address.
Furthermore, a new ransomware family is being developed, with samples being uploaded to VirusTotal from Turkey. ESET Research believes with high confidence that it is written by the same developers as Spacecolon, and ESET has named it ScRansom. ScRansom attempts to encrypt all hard, removable, and remote drives. ESET has not observed this ransomware being deployed in the wild, and it appears to still be in a development stage.
For more technical information about Spacecolon and CosmicBeetle, check out the blogpost “Scarabs colon-izing vulnerable servers” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.
About ESET
For more than 30 years, ESET® has been developing industry-leading IT security software and services to protect businesses, critical infrastructure, and consumers worldwide from increasingly sophisticated digital threats. From endpoint and mobile security to endpoint detection and response, as well as encryption and multifactor authentication, ESET’s high-performing, easy-to-use solutions unobtrusively protect and monitor 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company that enables the safe use of technology. This is backed by ESET’s R&D centers worldwide, working in support of our shared future. For more information, visit www.eset.com or follow us on LinkedIn, Facebook, and Twitter.
Media Contact:
Tel: +421 (2) 322 44 111
Fax: +421 (2) 322 44 109
Web: www.eset.com/int
SOURCE: ESET, spol. s r.o.