Examining the Tools and Networks of a New Hacker Group

Summary:

The report details the activities of a cybercriminal group dubbed “Space Pirates,” believed to have Asian roots, targeting Russian organizations, particularly in the aerospace sector. The group employs various malware families, including MyKLoadClient, Zupdax, and Deed RAT, utilizing sophisticated techniques for espionage and data theft. The report also highlights the group’s connections with other APT groups and their evolving malware toolkit.

Key points:

  • Space Pirates is suspected to have Asian origins, targeting Russian aerospace and government sectors.
  • Malware families used include MyKLoadClient, Zupdax, and Deed RAT, among others.
  • Phishing emails were the primary method of malware distribution.
  • At least two successful attacks resulted in significant data theft.
  • The group has connections with other APT groups, such as Winnti and TA428.
  • Malware employs various techniques for persistence, evasion, and data exfiltration.
  • Unique downloaders and backdoors specific to Space Pirates were identified.
  • Connections to compromised infrastructure and DDNS domains were noted.

MITRE Techniques

  • Initial Access (T1566.001): Uses phishing emails with malicious attachments.
  • Initial Access (T1566.002): Uses phishing emails with links to malware.
  • Execution (T1059.003): Features remote command shell functionality.
  • Execution (T1059.005): Uses VBS scripts, including ReVBShell.
  • Execution (T1106): Uses WinAPI functions to launch new processes and execute shellcode.
  • Persistence (T1543.003): Creates malicious services for persistence on the host.
  • Privilege Escalation (T1548.002): Contains techniques for bypassing User Account Control (UAC).
  • Defense Evasion (T1027.001): Uses binary padding to obfuscate files.
  • Credential Access (T1003.001): Dumps LSASS process memory for credential harvesting.
  • Command and Control (T1071.001): Encapsulates its protocol in HTTP and HTTPS.

IoC:

  • [domain] microft.dynssl.com
  • [domain] micro.dns04.com
  • [ip address] 207.148.121.88
  • [ip address] 47.108.89.169
  • [ip address] 120.78.127.189
  • [ip address] 121.89.210.144
  • [url] news.flashplayeractivex.info
  • [url] update.flashplayeractivex.info
  • [url] bamo.ocry.com
  • [url] ruclient.dns04.com
  • [url] loge.otzo.com
  • [url] ftp.microft.dynssl.com
  • [file hash] 947f042bd07902100dd2f72a15c37e2397d44db4974f4aeb2af709258953636f
  • [file hash] 5847c8b8f54c60db939b045d385aba0795880d92b00d28447d7d9293693f622b
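A defender-side sweep over the indicators listed above, added here as an example and not part of the PT Security report. It scans log lines for the hostnames, IP addresses and SHA-256 hashes from the IoC list and reports each match with its line number. The log lines are constructed for the example; the hostnames are matched exactly or as subdomains of a listed host, which is a design choice (the parent DDNS zones such as dns04.com or dynssl.com are shared services and are deliberately not matched on their own).

```python
import re
from dataclasses import dataclass

# Indicators copied from the IoC list above (hostnames, IPs, SHA-256 hashes).
IOC_DOMAINS = {
    "microft.dynssl.com", "micro.dns04.com", "news.flashplayeractivex.info",
    "update.flashplayeractivex.info", "bamo.ocry.com", "ruclient.dns04.com",
    "loge.otzo.com", "ftp.microft.dynssl.com",
}
IOC_IPS = {"207.148.121.88", "47.108.89.169", "120.78.127.189", "121.89.210.144"}
IOC_SHA256 = {
    "947f042bd07902100dd2f72a15c37e2397d44db4974f4aeb2af709258953636f",
    "5847c8b8f54c60db939b045d385aba0795880d92b00d28447d7d9293693f622b",
}

# Loose extractors for hostnames, dotted-quad IPs and 64-hex-char hashes.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
SHA256_RE = re.compile(r"\b([0-9a-f]{64})\b", re.I)


@dataclass(frozen=True)
class Hit:
    kind: str      # "domain", "ip" or "sha256"
    value: str     # the normalised indicator that matched
    line_no: int   # 1-based line number in the scanned log


def host_matches(host):
    """True if host is a listed indicator or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def scan_line(line, line_no):
    """Return every IoC hit found in a single log line."""
    hits = []
    for h in HOST_RE.findall(line):
        if host_matches(h):
            hits.append(Hit("domain", h.lower(), line_no))
    for ip in IP_RE.findall(line):
        if ip in IOC_IPS:
            hits.append(Hit("ip", ip, line_no))
    for h in SHA256_RE.findall(line):
        if h.lower() in IOC_SHA256:
            hits.append(Hit("sha256", h.lower(), line_no))
    return hits


def scan_log(lines):
    """Scan an iterable of log lines; hits are returned in line order."""
    hits = []
    for n, line in enumerate(lines, 1):
        hits.extend(scan_line(line, n))
    return hits


# Constructed sample log (not real telemetry): DNS, proxy and EDR events.
SAMPLE_LOG = [
    "2024-03-01T10:15:02Z dns query host=ws-17 qname=update.flashplayeractivex.info qtype=A",
    "2024-03-01T10:15:03Z proxy CONNECT dst=207.148.121.88:443 user=jdoe",
    "2024-03-01T10:16:40Z edr file_create path=C:\\Users\\jdoe\\AppData\\Roaming\\svc.dll "
    "sha256=947f042bd07902100dd2f72a15c37e2397d44db4974f4aeb2af709258953636f",
    "2024-03-01T10:17:00Z dns query host=ws-17 qname=www.example.com qtype=A",
    "2024-03-01T10:18:11Z proxy CONNECT dst=93.184.216.34:443 user=jdoe",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.kind} {hit.value}")
```

Hash matching is case-insensitive because EDR and sandbox exports disagree on hex case, and hostnames are compared after lower-casing and stripping a trailing dot so that DNS-log qnames in FQDN form still match. The three sample lines that carry an indicator produce one hit each; the benign DNS and proxy lines produce none.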


Full Research: https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections