Unveiling Space Pirates’ Expanding Cyber Campaign in Russia and Serbia


In a startling revelation, the notorious threat actor known as Space Pirates has been exposed for orchestrating attacks against 16 organizations across Russia and Serbia over the past year. Armed with novel tactics and a growing cyber arsenal, these cybercriminals have expanded their interests and geographical reach, posing a significant threat to government agencies, educational institutions, private security companies, aerospace manufacturers, agricultural producers, defense, energy, and healthcare firms in the targeted countries.

The deep dive report by Positive Technologies sheds light on Space Pirates’ primary objectives of espionage and theft of sensitive information. However, their nefarious activities have not remained confined to a single sector. Instead, they have ventured into diverse industries, raising the stakes for organizations in their crosshairs.

The origins of Space Pirates date back to late 2019, and since then, they have continuously evolved their tactics to remain a persistent and formidable adversary. The group’s connections with another notorious adversary, Webworm, as tracked by Symantec, add to the complexity of their threat landscape.

Positive Technologies’ meticulous analysis of the attack infrastructure has brought to light their interest in harvesting PST email archives, utilizing the Deed RAT—a potent malware artifact exclusively associated with Space Pirates.

Deed RAT, an evolutionary successor to ShadowPad and PlugX, comes in both 32- and 64-bit versions and can fetch additional plug-ins dynamically from a remote server. Among them is the Disk plug-in, which enumerates files and folders, executes commands, writes arbitrary files to disk, and connects to network drives; the Portmap module provides port forwarding, which lets the operators tunnel traffic covertly.

A worrisome aspect of Space Pirates’ operation is their deployment of Voidoor, a previously undocumented malware. Voidoor is built to communicate through a legitimate forum run by Voidtools, a developer of Microsoft Windows software. By logging into the forum’s private messaging system and searching for a folder named after a specific victim ID, Space Pirates keep a covert channel open to each target while the traffic looks like ordinary visits to a trusted site.
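Command-and-control hidden inside a trusted forum is hard to block by domain, but it still leaves a cadence: a non-browser process hitting the forum’s private-messaging pages at near-constant intervals. The detector below is an added illustration of that idea, not code from the Positive Technologies report or from Voidoor itself; the proxy-log format, the host `forum.example`, the URL markers and the process names are all constructed assumptions for the example.

```python
"""Flag beacon-like traffic to a legitimate forum's private-messaging pages.

Added example (not from the report): the log format, hostnames, URL paths and
process names below are constructed. The heuristic is that C2 tunnelled through
a trusted site still shows up as a regular cadence of requests coming from a
process that is not a browser.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: "<ISO timestamp> <host> <process> <method> <url>"
SAMPLE_LOG = """\
2023-08-01T09:00:00 ws17 svchost.exe POST https://forum.example/index.php?action=pm
2023-08-01T09:05:01 ws17 svchost.exe POST https://forum.example/index.php?action=pm
2023-08-01T09:10:00 ws17 svchost.exe POST https://forum.example/index.php?action=pm
2023-08-01T09:15:02 ws17 svchost.exe POST https://forum.example/index.php?action=pm
2023-08-01T09:20:00 ws17 svchost.exe POST https://forum.example/index.php?action=pm
2023-08-01T09:01:12 ws17 chrome.exe GET https://forum.example/index.php?action=pm
2023-08-01T09:43:50 ws17 chrome.exe GET https://forum.example/index.php?action=pm
2023-08-01T11:02:05 ws17 chrome.exe GET https://forum.example/index.php?topic=12
2023-08-01T09:00:30 ws22 outlook.exe GET https://mail.example/owa/
"""

# Processes expected to talk to web forums; anything else doing so is suspicious.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
# Hypothetical URL fragments that identify private-messaging pages on common forum engines.
PM_MARKERS = ("action=pm", "/messages", "/conversations")


def parse(log: str):
    """Yield (timestamp, host, process, method, url) for each constructed log line."""
    for line in log.splitlines():
        ts, host, proc, method, url = line.split(" ", 4)
        yield datetime.fromisoformat(ts), host, proc, method, url


def is_pm_url(url: str) -> bool:
    return any(marker in url for marker in PM_MARKERS)


def find_forum_beacons(log: str, min_hits: int = 4, max_cv: float = 0.2):
    """Return (host, process, site, avg_gap_seconds) for every non-browser process
    that hits a forum's private-messaging endpoint at least min_hits times with
    near-constant spacing (coefficient of variation of the gaps <= max_cv)."""
    seen = defaultdict(list)
    for ts, host, proc, _method, url in parse(log):
        if proc.lower() in BROWSERS or not is_pm_url(url):
            continue
        site = url.split("/")[2]          # scheme://host/... -> host
        seen[(host, proc, site)].append(ts)

    hits = []
    for key, times in seen.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((*key, round(avg)))
    return hits


if __name__ == "__main__":
    for host, proc, site, gap in find_forum_beacons(SAMPLE_LOG):
        print(f"{host}: {proc} beacons to {site} every ~{gap}s via PM pages")
```

On the constructed sample the interactive `chrome.exe` visits are ignored, while `svchost.exe` posting to the messaging page every five minutes with a few seconds of jitter is reported. In production the same check would run over real proxy or EDR network telemetry, and the process allow-list and URL markers would be tuned to the forum software actually in use.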

The accounts on GitHub and Voidtools, registered in November 2022, provide further evidence of their malicious intent.

Positive Technologies warns that Space Pirates are actively working on new malware, implementing unconventional techniques like Voidoor, while also modifying their existing malware. Their vast array of publicly available tools for network navigation, combined with the use of the Acunetix web vulnerability scanner, further underscores their sophistication and adaptability.

Organizations must remain vigilant and fortified against the Space Pirates’ cyber onslaught. Comprehensive security measures, regular vulnerability assessments, and proactive defense strategies are essential to protect against these malicious actors.

Stay informed and stay secure! Read the complete report by Positive Technologies for an in-depth understanding of Space Pirates’ threat landscape.
