Examining the Tools and Networks of a New Hacker Group

The report attributes a series of espionage and data-theft operations against Russian aerospace and government organizations to a group named “Space Pirates,” likely of Asian origin. The group delivers a toolkit that includes MyKLoadClient, Zupdax, and Deed RAT via phishing, and relies on DDNS domains and compromised infrastructure for command and control, allowing it to maintain persistence and exfiltrate data. #SpacePirates #MyKLoadClient

Key points

  • Space Pirates is likely of Asian origin and focuses on Russian aerospace and government targets.
  • The group uses a mix of custom and known malware families, notably MyKLoadClient, Zupdax, and Deed RAT.
  • Phishing (malicious attachments and links) is the primary initial-access vector for delivering payloads.
  • At least two intrusions led to significant data theft and long-term access via backdoors and downloaders.
  • Researchers identified ties and toolset overlaps with other APTs such as Winnti and TA428.
  • Malware employs persistence (malicious services), UAC bypass, binary obfuscation, LSASS dumping, and HTTP/HTTPS C2 channels.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – Use of phishing emails with malicious attachments to gain initial access (‘Uses phishing emails with malicious attachments.’)
  • [T1566.002] Spearphishing Link – Use of phishing emails with links directing victims to malware (‘Uses phishing emails with links to malware.’)
  • [T1059.003] Windows Command Shell – Remote command shell functionality for executing commands on compromised hosts (‘Features remote command shell functionality.’)
  • [T1059.005] Visual Basic – Use of VBS scripts (including ReVBShell) to execute malicious actions (‘Uses VBS scripts, including ReVBShell.’)
  • [T1106] Native API – Use of WinAPI functions to spawn processes and run shellcode (‘Uses WinAPI functions to run new processes and implement shellcode.’)
  • [T1543.003] Create or Modify System Process: Windows Service – Creation of malicious services to maintain persistence (‘Creates malicious services for persistence on the host.’)
  • [T1548.002] Bypass User Account Control – Techniques included to bypass UAC for privilege escalation (‘Contains techniques for bypassing User Account Control (UAC).’)
  • [T1027.001] Obfuscated Files or Information: Binary Padding – Use of binary padding to obfuscate malicious files (‘Uses binary padding to obfuscate files.’)
  • [T1003.001] OS Credential Dumping: LSASS Memory – Dumping LSASS process memory to harvest credentials (‘Dumps LSASS process memory for credential harvesting.’)
  • [T1071.001] Application Layer Protocol: Web Protocols – Encapsulation of C2 traffic over HTTP/HTTPS (‘Encapsulates its protocol in HTTP and HTTPS.’)

Indicators of Compromise

  • [domain] C2/DDNS and infrastructure – microft.dynssl.com, micro.dns04.com (and other DDNS domains)
  • [ip address] Observed infrastructure IPs – 207.148.121.88, 47.108.89.169 (and 2 more IPs)
  • [url] Malicious/hosting URLs used in campaigns – news.flashplayeractivex.info, update.flashplayeractivex.info (and 4 more URLs)
  • [file hash] Malware payload hashes – 947f042bd07902100dd2f72a15c37e2397d44db4974f4aeb2af709258953636f, 5847c8b8f54c60db939b045d385aba0795880d92b00d28447d7d9293693f622b

Read more: https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections