Spacecolon is a Delphi-based toolset used by CosmicBeetle to deploy Scarab ransomware and provide backdoor access to compromised servers. The operators are active globally, rely on vulnerable web servers or RDP brute-forcing for initial access, and are developing ScRansom as a new ransomware family. #Spacecolon #Scarab
Keypoints
- Spacecolon is a three-component framework (ScHackTool, ScInstaller, ScService) that orchestrates deployment of Scarab and optional third‑party tools.
- CosmicBeetle compromises targets via vulnerable web servers or by brute-forcing RDP credentials, with ZeroLogon explicitly highlighted as a high‑confidence access method.
- ScService acts as a backdoor enabling remote commands, payload downloads, system information collection, and optional Scarab deployment; the ransomware often drops a ClipBanker to monitor and alter cryptocurrency wallet addresses on the clipboard.
- ScPatcher shows an unusual side of Spacecolon: rather than dropping malware, it installs Windows updates, closing gaps on the host after compromise.
- ScHackTool is GUI-driven; it fetches a list.txt from the C2 server and, from that list, downloads and executes a broad set of third‑party tools on demand.
- New ransomware variant ScRansom is being developed by the same Turkish‑speaking developer, but had not been observed in the wild at publication time.
MITRE Techniques
- [T1595.002] Active Scanning: Vulnerability Scanning – CosmicBeetle looked for vulnerable servers as potential targets. “CosmicBeetle looked for vulnerable servers as potential targets.”
- [T1583.001] Acquire Infrastructure: Domains – CosmicBeetle used various hosting providers to register domains. “CosmicBeetle used various hosting providers to register domains.”
- [T1587.001] Develop Capabilities: Malware – CosmicBeetle developed its own malware. “CosmicBeetle developed its own malware.”
- [T1587.003] Develop Capabilities: Digital Certificates – ScService and ScInstaller use a custom SSL certificate in TLS communications. “ScService and ScInstaller use a custom SSL certificate in TLS communications.”
- [T1190] Exploit Public-Facing Application – CosmicBeetle is assessed with high confidence (not merely suspected) to abuse ZeroLogon, CVE-2020-1472, a Netlogon authentication bypass, for initial access. “we assess with high confidence that CosmicBeetle abuses the CVE-2020-1472 (ZeroLogon) vulnerability.”
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Spacecolon operators execute commands via cmd.exe. “CosmicBeetle executed many commands using cmd.exe.”
- [T1059.001] Command and Scripting Interpreter: PowerShell – ScHackTool uses PowerShell to perform various tasks. “PowerShell to perform various tasks.”
- [T1059.005] Command and Scripting Interpreter: Visual Basic – Many downloaded tools are VBScripts. “Many of the additionally downloaded tools are VBScripts.”
- [T1053.005] Scheduled Task: Scheduled Task – ScService utilizes scheduled tasks to execute payloads. “ScService utilizes scheduled tasks to execute payloads.”
- [T1133] External Remote Services – Remote access over RDP using brute-forced credentials.
- [T1078.003] Valid Accounts: Local Accounts – CosmicBeetle often creates its own administrator accounts and then operates through them (strictly, creating the account is T1136.001 Create Account: Local Account; T1078.003 covers its subsequent use). “Create or modify administrator accounts.”
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Run/RunOnce persistence for ScHackTool and Scarab. “Run or RunOnce key for persistence.”
- [T1218.005] System Binary Proxy Execution: Mshta – Scarab uses mshta.exe to perform tasks. “Mshta.exe to perform various tasks.”
- [T1110.001] Brute Force: Password Guessing – CosmicBeetle brute-forces RDP passwords, trying many passwords against an account. “Brute force: Password Guessing.”
- [T1110.003] Brute Force: Password Spraying – A small set of likely passwords is tried across many accounts, which keeps each account under its lockout threshold. “Brute Force: Password Spraying.”
- [T1003.001] OS Credential Dumping: LSASS Memory – Tools capable of dumping lsass.exe. “LSASS Memory.”
- [T1082] System Information Discovery – ScService fingerprinting the victim. “System Information Discovery.”
- [T1016] System Network Configuration Discovery – ScService retrieves local network configuration. “System Network Configuration Discovery.”
- [T1124] System Time Discovery – ScService retrieves system time. “System Time Discovery.”
- [T1560.002] Archive Collected Data: Archive via Library – ZIP archiving before exfiltration. “Archive via Library.”
- [T1115] Clipboard Data – ClipBanker replacing wallet addresses. “Clipboard Data.”
- [T1071.001] Application Layer Protocol: Web Protocols – HTTPS communications to C2. “communicate via HTTPS.”
- [T1095] Non-Application Layer Protocol – Old ScService TCP/IP protocol. “Non-Application Layer Protocol: TCP/IP.”
- [T1571] Non-Standard Port – Local HTTP server on non-standard port 8347. “Run a local HTTP server on port 8347.”
- [T1090.002] Proxy: External Proxy – ScService can be instructed to use an external proxy. “External Proxy.”
- [T1041] Exfiltration Over C2 Channel – Data exfiltration to C2/server. “exfiltrates data to the C&C server.”
- [T1486] Data Encrypted for Impact – Scarab ransomware encryption. “encrypt sensitive data.”
- [T1561] Disk Wipe – Spacecolon tools wiping disks. “Disk wipe.”
- [T1529] System Shutdown/Reboot – ScHackTool can reboot the system. “rebooting the system.”
- [T1036.005] Masquerading: Match Legitimate Name or Location – Scarab processes masquerade as legitimate Windows processes. “Masquerading: Match Legitimate Name or Location.”
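Several of the techniques above (mshta proxy execution, local account creation, scheduled tasks, Run/RunOnce persistence, and a system binary name such as Taskmgr.exe running from the wrong directory) are easy to express as behavioural checks over endpoint telemetry. The script below is an added example, not ESET's tooling or code from the report: it runs such checks over a handful of constructed Sysmon-style events, and the event contents, paths and account name are invented for illustration.

```python
"""Behavioural checks for several techniques in the list above, run over
constructed Sysmon-style events. Added example; the events below are made up
for illustration and are not telemetry from the ESET report."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Event:
    kind: str          # "process" (like Sysmon EID 1) or "registry" (like EID 13)
    image: str = ""    # full path of the binary that ran, or that wrote the value
    cmdline: str = ""  # process command line
    target: str = ""   # registry value path (registry events only)


# Run / RunOnce under any hive (T1547.001).
RUN_KEYS = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Names Windows ships only from its system directories; the same name from
# elsewhere is a masquerading candidate (T1036.005, cf. Taskmgr.exe in the IoCs).
SYSTEM_ONLY_NAMES = {"taskmgr.exe", "svchost.exe", "lsass.exe"}
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
# mshta.exe handed a URL or an inline script protocol handler (T1218.005).
MSHTA_ARGS = re.compile(r"https?://|vbscript:|javascript:")


def detect(ev: Event) -> List[str]:
    """Return the ATT&CK IDs whose logic fires for one event (empty if none)."""
    hits: List[str] = []
    img, cl = ev.image.lower(), ev.cmdline.lower()
    name = img.rsplit("\\", 1)[-1]
    if ev.kind == "process":
        if name == "mshta.exe" and MSHTA_ARGS.search(cl):
            hits.append("T1218.005")
        # "net user <name> <pw> /add": the account creation the report describes
        # under T1078.003; ATT&CK files the creation itself as T1136.001.
        if name in ("net.exe", "net1.exe") and " user " in cl and " /add" in cl:
            hits.append("T1136.001")
        if name == "schtasks.exe" and "/create" in cl:
            hits.append("T1053.005")
        if name in SYSTEM_ONLY_NAMES and not any(d in img for d in SYSTEM_DIRS):
            hits.append("T1036.005")
    elif ev.kind == "registry" and RUN_KEYS.search(ev.target):
        hits.append("T1547.001")
    return hits


def run_detections(events: List[Event]) -> Dict[int, List[str]]:
    """Map event index -> fired technique IDs, for events that fired at all."""
    return {i: h for i, ev in enumerate(events) if (h := detect(ev))}


# Constructed sample events: five that should fire, two benign controls.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\mshta.exe",
          'mshta.exe vbscript:Close(Execute("CreateObject(""WScript.Shell"").Run ""app.exe"""))'),
    Event("process", r"C:\Windows\System32\net.exe", "net user sysadm P@ssw0rd! /add"),
    Event("process", r"C:\Windows\System32\schtasks.exe",
          r'schtasks /create /tn "Update" /tr C:\Users\Public\app.exe /sc onlogon'),
    Event("process", r"C:\Users\Public\Taskmgr.exe", "Taskmgr.exe"),
    Event("registry", r"C:\Users\Public\app.exe", "",
          r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce\app"),
    Event("process", r"C:\Windows\System32\Taskmgr.exe", "Taskmgr.exe"),              # legitimate
    Event("process", r"C:\Windows\System32\schtasks.exe", "schtasks /query /fo LIST"),  # legitimate
]

if __name__ == "__main__":
    for idx, ids in run_detections(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].image, ids)
```

The masquerading check is the one worth noting: a hit on the bare name Taskmgr.exe is worthless, but the same name executing from a user-writable directory is a strong signal, so the rule keys on the path rather than the name.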
Indicators of Compromise
- [Filename] Spacecolon-related files – app.exe, Taskmgr.exe, ap.exe, and other Scarab/Spacecolon components (illustrative examples from the IoCs table). app.exe and Taskmgr.exe collide with legitimate software, so treat a filename hit as a triage lead and confirm it with the path, hash or parent process.
- [Domain] C2 domains – u.piii[.]net, up.awiki[.]org, update.inet2[.]org, and other Spacecolon domains.
- [IP] C2/Hosting IPs – 3.76.107[.]228, 87.251.64[.]19, 87.251.64[.]57, 162.255.119[.]146, 193.149.185[.]23, and other listed addresses.
- [SHA-1] Files – 40B8AF12EA6F89DB6ED635037F468AADEE7F4CA6, 1CB9320C010065E18881F0AAA0B72FC7C5F85956, EF911DB066866FE2734038A35A3B298359EDABCE, and the other Spacecolon samples listed in the report's IoC table.
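The indicators above are published defanged ("[.]"), are of very different strength (a SHA-1 or C2 domain is specific to this campaign; a filename like app.exe is not), and need normalising before they will compare equal to live telemetry. The script below is an added example, not code from ESET or from the report: it refangs the listed values and matches them, with a confidence tier, against constructed DNS, network-connection and file events. The events, paths and non-listed hashes are invented for illustration.

```python
"""Tiered matching of the indicators listed above against constructed
DNS, network-connection and file events. Added example; the events are
made up for illustration, and the indicator values are copied from the list."""
import re
from typing import Dict, Optional, Tuple

# Indicators as published (defanged with "[.]").
IOC_DOMAINS = {"u.piii[.]net", "up.awiki[.]org", "update.inet2[.]org"}
IOC_IPS = {"3.76.107[.]228", "87.251.64[.]19", "87.251.64[.]57",
           "162.255.119[.]146", "193.149.185[.]23"}
IOC_SHA1 = {"40B8AF12EA6F89DB6ED635037F468AADEE7F4CA6",
            "1CB9320C010065E18881F0AAA0B72FC7C5F85956",
            "EF911DB066866FE2734038A35A3B298359EDABCE"}
IOC_FILENAMES = {"app.exe", "Taskmgr.exe", "ap.exe"}
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")


def refang(ioc: str) -> str:
    """Undo the usual defanging so the value compares equal to live telemetry."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


DOMAINS = {refang(d).lower() for d in IOC_DOMAINS}
IPS = {refang(i) for i in IOC_IPS}
SHA1 = {h.lower() for h in IOC_SHA1}
FILENAMES = {f.lower() for f in IOC_FILENAMES}


def match(event: dict) -> Optional[Tuple[str, str]]:
    """Return (tier, reason) or None.

    'high': hash, domain or IP hit, specific to this campaign.
    'low':  bare filename hit. app.exe and Taskmgr.exe collide with legitimate
            software, so a filename alone only earns the host a triage slot.
    """
    kind = event["kind"]
    if kind == "dns":
        q = event["query"].lower().rstrip(".")
        # Exact host or any label beneath it. The parent zone (e.g. awiki.org)
        # is deliberately not matched because the list does not name it.
        if q in DOMAINS or any(q.endswith("." + d) for d in DOMAINS):
            return "high", f"C2 domain {q}"
    elif kind == "netconn":
        if event["dst_ip"] in IPS:
            return "high", f"C2 address {event['dst_ip']}:{event.get('dst_port', '?')}"
    elif kind == "file":
        digest = event.get("sha1", "").lower()
        if digest and not SHA1_RE.match(digest):
            raise ValueError(f"not a SHA-1 hex digest: {digest!r}")
        if digest in SHA1:
            return "high", f"known sample {digest}"
        name = event["path"].rsplit("\\", 1)[-1].lower()
        if name in FILENAMES:
            return "low", f"filename {name} at {event['path']}"
    return None


def summarize(events) -> Dict[str, int]:
    """Count hits per tier over a batch of events."""
    counts = {"high": 0, "low": 0}
    for ev in events:
        hit = match(ev)
        if hit:
            counts[hit[0]] += 1
    return counts


# Constructed events (not real telemetry); the two non-listed hashes are placeholders.
SAMPLE_EVENTS = [
    {"kind": "dns", "query": "up.awiki.org"},                 # exact C2 host
    {"kind": "dns", "query": "mail.up.awiki.org."},           # label beneath it, trailing dot
    {"kind": "dns", "query": "awiki.org"},                    # parent zone: no hit
    {"kind": "netconn", "dst_ip": "87.251.64.19", "dst_port": 443},
    {"kind": "file", "path": r"C:\Windows\System32\Taskmgr.exe",
     "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709"},     # real Task Manager: low only
    {"kind": "file", "path": r"C:\Users\Public\ap.exe",
     "sha1": "40b8af12ea6f89db6ed635037f468aadee7f4ca6"},     # listed sample, lower-case hash
    {"kind": "file", "path": r"C:\Program Files\Vendor\tool.exe",
     "sha1": "0" * 39 + "1"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(match(ev), ev)
    print(summarize(SAMPLE_EVENTS))
```

Hash comparison is case-folded on both sides because the report prints SHA-1s in upper case while most sensors log lower case; a bare string match would miss every sample.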
Read more: https://www.welivesecurity.com/en/eset-research/scarabs-colon-izing-vulnerable-servers/