The threat actor known as Space Pirates has been linked to attacks against at least 16 organizations in Russia and Serbia over the past year by employing novel tactics and adding new cyber weapons to its arsenal.
“The cybercriminals’ main goals are still espionage and theft of confidential information, but the group has expanded its interests and the geography of its attacks,” Positive Technologies said in a deep dive report published last week.
Targets comprise government agencies, educational institutions, private security companies, aerospace manufacturers, agricultural producers, defense, energy, and healthcare firms in Russia and Serbia.
Space Pirates was first exposed by the Russian cybersecurity company in May 2022, highlighting its attacks on the aerospace sector in the nation. The group, believed to be active since at least late 2019, has links to another adversary tracked by Symantec as Webworm.
Positive Technologies’ analysis of the attack infrastructure has revealed the threat actor’s interest in harvesting PST email archives as well as making use of Deed RAT, a malware artifact exclusively attributed to the adversarial collective.
Deed RAT is said to be a successor to ShadowPad, which in itself is an evolution of PlugX, both of which are widely used by Chinese cyber espionage crews. Under active development, the malware comes in both 32- and 64-bit versions and is equipped to dynamically retrieve additional plug-ins from a remote server.
This includes a Disk plug-in to enumerate files and folders, execute commands, write arbitrary files to disk, and connect to network drives and a Portmap module that’s used for port forwarding.
Deed RAT also functions as a conduit to serve next-stage payloads such as Voidoor, a previously undocumented malware that’s is designed to contact a legitimate forum called Voidtools and a GitHub repository associated with a user named “hasdhuahd” for command-and-control (C2).
Voidtools is the developer of a freeware desktop search utility for Microsoft Windows called Everything, with its forum powered using an open-source forum software called MyBB. The primary goal of Voidoor is to login to the forum using hard-coded credentials and access the user’s personal messaging system to look for a folder matching a particular victim ID.
Evidence shows that the accounts on GitHub and voidtools were registered sometime in November 2022.
“The hackers are working on new malware that implements unconventional techniques, such as Voidoor, and modifying their existing malware,” Positive Technologies said, adding the actors use a “large number of publicly available tools for navigating networks” and leverage the Acunetix web vulnerability scanner to “reconnoiter infrastructures it targets.”