Scarabs Colon-izing Vulnerable Servers
Category

In this blogpost, ESET researchers take a look at Spacecolon, a small toolset used to deploy variants of the Scarab ransomware to victims all over the world. It probably finds its way into victim organizations by its operators compromising vulnerable web servers or via brute forcing RDP credentials.

Several Spacecolon builds contain a lot of Turkish strings; therefore we suspect a Turkish-speaking developer. We were able to track the origins of Spacecolon back to at least May 2020 and continue to see new campaigns at the time of writing, with the latest build compiled in May 2023. Despite this tracking and our detailed analysis of Spacecolon’s constituent tools, we cannot currently attribute its use to any known threat actor group. Therefore, we will call Spacecolon’s operators CosmicBeetle to represent the link to “space” and “scarab”.

Spacecolon consists of three Delphi components – internally known as HackTool, Installer, and Service, which will be referred to as ScHackTool, ScInstaller, and ScService in this blogpost. ScHackTool is the main orchestrator component, which allows CosmicBeetle to deploy the other two. ScInstaller is a small component with a single purpose: to install ScService. ScService acts as a backdoor, allowing CosmicBeetle to execute custom commands, download and execute payloads, and retrieve system information from compromised machines.

Besides these three components, Spacecolon’s operators rely heavily on a large variety of third-party tools, both legitimate and malicious, that Spacecolon makes available on demand.

While preparing this report for publication, we observed a new ransomware family being developed, with samples being uploaded to VirusTotal from Turkey. We believe with high confidence that it is written by the same developer as Spacecolon; therefore we’ll refer to it as ScRansom. Our attribution is based on similar Turkish strings in the code, usage of the IPWorks library, and the overall GUI similarity. ScRansom attempts to encrypt all hard, removable and remote drives using the AES-128 algorithm with a key generated from a hardcoded string. We have not observed ScRansom being deployed in the wild at the time of writing and we believe it is still in the development stage. The latest variant uploaded to VirusTotal is bundled inside an MSI installer, together with a small utility to delete Shadow Copies.

Key points of this blogpost:

  • CosmicBeetle operators probably compromise web servers vulnerable to the ZeroLogon vulnerability or those whose RDP credentials they are able to brute force.
  • Spacecolon provides, on demand, a large variety of third-party, red team tools.
  • CosmicBeetle has no clear targeting; its victims are all over the world.
  • Spacecolon can serve as a RAT and/or deploy ransomware; we have seen it delivering Scarab.
  • Spacecolon operators or developers appear to be preparing the distribution of new ransomware that we have named ScRansom.

Overview

The name Spacecolon was assigned by Zaufana Trzecia Strona analysts, who authored the first (and to our knowledge the only other) publication (in Polish) about the toolset. Building on top of that publication, ESET offers deeper insight into the threat. To avoid confusion, we will refer to the toolset as Spacecolon and to its operators as CosmicBeetle.

The attack scenario is as follows:

1.    CosmicBeetle compromises a vulnerable web server or simply brute forces its RDP credentials.

2.    CosmicBeetle deploys ScHackTool.

3.    Using ScHackTool, CosmicBeetle employs any of the additional third-party tools available on demand to disable security products, extract sensitive information, and gain further access.

4.    If the target is deemed valuable, CosmicBeetle can deploy ScInstaller and use it to install ScService.

5.    ScService provides further remote access for CosmicBeetle.

6.    Finally, CosmicBeetle may choose to deploy the Scarab ransomware through ScService or manually.

In several cases, we noticed ScService being deployed through Impacket rather than ScInstaller, with ScHackTool not used at all. We conclude that using ScHackTool as the initial component is not the only approach Spacecolon’s operators employ.

The final payload CosmicBeetle deploys is a variant of the Scarab ransomware. This variant internally also deploys a ClipBanker, a type of malware that monitors the content of the clipboard and changes content that it deems is likely to be a cryptocurrency wallet address to an attacker-controlled one.

Initial acces

ESET telemetry suggests that some targets are compromised via RDP brute forcing – this is further supported by the additional tools, listed in Appendix A – Third-party tools used by the attacker, available to Spacecolon operators. Besides that, we assess with high confidence that CosmicBeetle abuses the CVE-2020-1472 (ZeroLogon) vulnerability, based on a custom .NET tool described in the next section.

With low confidence, we assess that CosmicBeetle may also be abusing a vulnerability in FortiOS for initial access. We believe so based on the vast majority of victims having devices running FortiOS in their environment and that the ScInstaller and ScService components reference the string “Forti” in their code. According to CISA, three FortiOS vulnerabilities were amongst the top routinely exploited vulnerabilities in 2022. Unfortunately, we have no further details on such possible vulnerability exploitation besides these artifacts.

Closing the door behind you

On several occasions, ESET telemetry has shown Spacecolon operators executing a custom .NET payload that we will refer to here as ScPatcher. ScPatcher is designed to do nothing malicious. On the contrary: it installs chosen Windows Updates. The list of updates installed is illustrated in Table 1 and the corresponding code part of ScPatcher in Figure 1.

Table 1. List of Windows Updates installed by ScPatcher

Update ID

Platform

Comment

KB5005389

Windows 8

Addresses CVE-2021-33764.

KB4601357

Windows 8

Addresses ZeroLogon.

KB4601349

Windows 8.1

Addresses ZeroLogon.

KB4576750

Windows 10

No clear CVE connection.

KB955430

Windows Vista

Windows Server 2008

No clear CVE connection.

KB4571746

Windows 7

Windows Server 2008

No clear CVE connection.

KB5006749

Windows 7

Windows Server 2008

No clear CVE connection.

KB4601363

Windows 7

Windows Server 2008

Addresses ZeroLogon.

KB5005112

Windows 10

Windows Server 2019

No clear CVE connection.

Figure_01_UpdaterUrls

Figure 1. Part of ScPatcher code listing the selected Windows updates

ScPatcher also contains two functions designed to drop and execute:

·      update.bat, a small BAT script to alter Windows Automatic Updates settings, and

·      up.vbs, an almost identical copy of an official MSDN example script to download and install Windows Updates with the slight change of not accepting user input, but rather allowing the updates to proceed automatically and silently.

While these two functions are not referenced anywhere in the code, ESET telemetry shows Spacecolon operators executing both scripts directly through Impacket. The functions are illustrated in Figure 2 and Figure 3.

Figure_02_UpdateBat
Figure 2. ScPatcher code responsible for dropping and executing a BAT script to alter Automatic Windows Update settings
Figure_03_UpdateVbs
Figure 3. ScPatcher code responsible for dropping and executing a VBScript to download and install Windows Updates

Victimology

We have not observed any pattern in Spacecolon victims besides them being vulnerable to the initial access methods employed by CosmicBeetle. Figure 4 illustrates the Spacecolon incidents identified by ESET telemetry.

Figure_05_RansomMessage01
Figure 4. Distribution of Spacecolon victims

We have not found any pattern in the targets’ area of focus or size either. To name a few, we have observed Spacecolon at a hospital and a tourist resort in Thailand, an insurance company in Israel, a local governmental institution in Poland, an entertainment provider in Brazil, an environmental company in Turkey, and a school in Mexico.

Technical analysis

We first take a brief look at the ransomware variant Spacecolon deploys and then proceed with the analysis of Spacecolon components themselves.

Scarab ransomware

Scarab is Delphi-written ransomware. It contains notable code overlaps with the Buran and VegaLocker families. It relies on an embedded configuration whose format is almost identical to that of the Zeppelin ransomware. That configuration determines, among other things, the file extension for encrypted files, filenames, list of file extensions of files to encrypt, and the ransom message.

The vast majority of Scarab builds we have encountered drop and execute an embedded Delphi-written ClipBanker that monitors the clipboard content and replaces any string resembling a cryptocurrency wallet with an attacker-controlled one, specifically one of the following:

·      1HtkNb73kvUTz4KcHzztasbZVonWTYRfVx

·      qprva3agrhx87rmmp5wtn805jp7lmncycu3gttmuxe

·      0x7116dd46e5a6c661c47a6c68acd5391a4c6ba525

·      XxDSKuWSBsWFxdJcge8xokrtzz8joCkUHF

·4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQnt2yEaJRD7Km8Pnph

·      t1RKhXcyj8Uiku95SpzZmMCfTiKo4iHHmnD

We were able to conclusively link Spacecolon with at least two Scarab builds utilizing .flycrypt and .restoreserver extensions for encrypted files – CosmicBeetle attempted to execute these builds on machines that had been compromised by Spacecolon shortly beforehand. Both builds follow the same file-naming patterns – the ransomware runs as %APPDATA%osk.exe and the embedded ClipBanker as %APPDATA%winupas.exe. This naming holds special importance for Spacecolon, as ScHackTool expects two such named processes to be running. Supposing this naming pattern is closely tied to Spacecolon, more than 50% of Scarab configurations shown by ESET telemetry may be related to Spacecolon. The ransom messages for the two conclusively linked samples are illustrated in Figure 5 and Figure 6.

Figure 5
Figure 5. Scarab ransom message for the .flycrypt variant
Figure_06_RansomMessage02
Figure 6. Scarab ransom message for the .restoreserver variant

ScHackTool

ScHackTool is the main Spacecolon component used by its operators. It relies heavily on its GUI and the active participation of its operators; it allows them to orchestrate the attack, downloading and executing additional tools to the compromised machine on demand as they see fit.

From here on, we will refer to multiple GUI components in the same way as they are defined by the Delphi programming language – Labels, TextBoxes, GroupBoxes, etc.

ScHackTool employs a neat anti-emulation trick. When executed, a fake error message pops up (see Figure 7). If the “OK” button is clicked, ScHackTool terminates. One needs to double-click on the “g” in the word “reinstalling” (highlighted in red) to actually display the main window.

Figure_07_Smokescreen
Figure 7. Fake error message displayed when ScHackTool is executed

Before the main window is displayed, ScHackTool obtains a text file, list.txt, from its C&C server. This file defines what additional tools are available, their associated names, and URLs from which to download them. An example of such a file is shown in Figure 8. All Spacecolon components, including ScHackTool, use the IPWorks library for network communication.

CAT|TOOLS
Defender#https://193.149.185.23/tools/def.zip#folder
Portable#https://193.149.185.23/tools/Portable.zip#folder
Spacemonger#https://193.149.185.23/tools/SpaceMonger.zip#folder
Eraser#https://193.149.185.23/tools/EraserPortable.zip#folder
Nmap#https://193.149.185.23/tools/nmap-7.92-setup.zip#folder
Disk Tools#https://193.149.185.23/tools/disktools.zip#folder
Netscan#https://193.149.185.23/tools/netscan.zip#folder
APS#https://193.149.185.23/tools/APS.zip#folder
SuperScan#https://193.149.185.23/tools/superscan.zip#folder
Autoruns#https://193.149.185.23/tools/AutorunsPortable.zip
uLow Level#https://193.149.185.23/tools/HDDLLF.4.40.zip#folder
Avfucker#https://193.149.185.23/tools/avfucker.zip#folder
Veracrypt#https://193.149.185.23/tools/VeraCryptPortable.zip#folder
Dcrypt#https://193.149.185.23/tools/dcrypt_setup_1.2_beta_3_signed.zip#folder
Afterwork#https://193.149.185.23/tools/_AfterWork.zip#folder
BAT#https://193.149.185.23/tools/BAT.zip#folder
CAT|PRIV
NirsoftPass#https://193.149.185.23/tools/pass/passrecenc.zip#folder
IObitUnlocker#https://193.149.185.23/tools/IObitUnlockerPortable.zip
Mimikatz#https://193.149.185.23/tools/priv/mimikatz_trunk.zip#folder
AutoMimikatz#https://193.149.185.23/tools/priv/mimiauto.zip
AccountRestore#https://193.149.185.23/tools/priv/Accountrestore.zip
Bruter 1.1#https://193.149.185.23/tools/priv/Bruter_1.1.zip#folder
NL#https://193.149.185.23/tools/priv/nl.zip#folder
WORDLIST#https://193.149.185.23/tools/wl.zip#folder
Advrun#https://193.149.185.23/tools/priv/advancedrun-x64.zip#folder
WPR#https://193.149.185.23/tools/pass/wpr_setup.zip#folder
EPDR#https://193.149.185.23/tools/pass/epdr.zip#folder
NPRW#https://193.149.185.23/tools/pass/nprw.zip#folder
Card Recon#https://193.149.185.23/tools/pass/cardrecon.zip#folder
Radmin Bruter#https://193.149.185.23/tools/priv/radminbrute.zip#folder
Pstools#https://193.149.185.23/tools/priv/PSTools.zip#folder
RDP Recognizer#https://193.149.185.23/tools/pass/rdprecognizer.zip#folder
PWRPISO#https://193.149.185.23/tools/pass/PRWP.zip#folder
CAT|RAAG
USBView#https://193.149.185.23/tools/usbdeview-x64.zip#folder
LastActivityViewer#https://193.149.185.23/tools/LastActivityView.zip#folder
Pview#https://193.149.185.23/tools/pwd_view.zip#folder
NGROK#https://193.149.185.23/tools/r/ngrok.zip
AGENT#https://193.149.185.23/tools/agent.zip#folder
SUB|Sniffer
Fiddler Sniffer#https://193.149.185.23/tools/sniffer/FiddlerSetup.zip#folder
CAIN#https://193.149.185.23/tools/priv/ca_setup.zip#folder
Interceptor#https://193.149.185.23/tools/sniffer/Intercepter-NG.v1.0+.zip#folder
CAT|Others
MREMOTE#https://193.149.185.23/tools/other/mRemoteNG-Portable-1.76.20.24669.zip#folder
Vmware VRC#https://193.149.185.23/tools/vmrc.zip#folder
Winlogon#https://193.149.185.23/tools/winlogonview.zip
Filezilla Portable#https://193.149.185.23/tools/FileZillaPortable.zip
Sqlmanager Mini#https://193.149.185.23/tools/pass/sqlmanager.zip
SMM#https://193.149.185.23/tools/SSMS-Setup-ENU.zip#folder
Dbbrowser#https://193.149.185.23/tools/pass/dbbrowser.zip
VCJRENET#https://193.149.185.23/tools/other/VCJRE.zip#folder
Chrome#https://193.149.185.23/tools/GoogleChromePortable.zip#folder
Winrar#https://193.149.185.23/tools/winrar.zip#folder
7z#https://193.149.185.23/tools/other/7z.zip#folder
SUB|Exploit
Metasploit#https://193.149.185.23/tools/exploit/metasploitframework-latest.zip

Figure 8. An example of the list.txt file that ScHackTool uses to set up additional tools

Before explaining the process of parsing this file, let us briefly introduce ScHackTool’s GUI. It consists of three main tabs (Download, Tools, and MIMI Dump) and a bottom panel shared among all three of them. Since the Download tab is populated by the result of the parsing process, let’s introduce it first alongside the parsing logic.

Download tab

This tab is populated by buttons that give the operators the ability to download and execute additional tools. All these tools are available as password-protected ZIP archives (password: ab1q2w3e!). All of them are downloaded to ./zip/<ARCHIVE_NAME> and extracted into ./<ARCHIVE_NAME_WITHOUT_ZIP>/. The downloaded archives are not removed by ScHackTool.

What additional tools are available is defined by the aforementioned list.txt file. The parsing of this file is fairly straightforward. It is read line by line. If a line looks like CAT|<NAME> (probably short for “Category”), then a new GroupBox named <NAME> is created and all following entries are associated with it. Similarly, if a line looks like SUB|<NAME> (likely short for “Subcategory”), then a new horizontal Label named <NAME> is added to the current category.

All other lines are considered to be actual entries. The line is split by # into two or three items:

1.      the tool name,

2.      the URL used to retrieve the tool, and

3.      an optional suffix.

For every entry, a button titled as the tool name is created. Additionally, if the optional suffix is a folder, an additional button titled AC is created; this button simply opens Windows Explorer at the tool’s extracted location.

If the list.txt file is not available, the malware quits. Additionally, if Spacecolon operators request a tool that is defined in list.txt, but is not available on the associated URL, the ScHackTool process gets stuck and stops responding.

As you can see in Figure 9, one or two buttons are created for each tool. TOOLS, PRIV, RAAG, and Others (highlighted in red) represent the categories, and Sniffer and Exploit (highlighted in blue) are the subcategories. A list of all the available additional tools alongside their descriptions are listed in Appendix A – Third-party tools used by the attacker.

Figure_09_AvailableTools
Figure 9. The Download tab listing additional tools available to download from the C&C server

Tools tab

One might be keen to think that this is the main tab, but it in fact is not. Surprisingly, most of the buttons do nothing (their associated OnClick functions are empty). Historically, we know these buttons did work, but over time, their functionality has been removed. We provide an overview of the no-longer-functioning buttons later in the blogpost. Figure 10 illustrates the GUI and Table 2 summarizes the functionality of working buttons.

Figure_10_ToolsTab
Figure 10. Tools tab of ScHackTool

Table 2. List of functional buttons in the Tools tab

Button

Comment

Keyboard EN

Change the user language settings. This is done by executing a PowerShell script (task.ps1) through a BAT script (a.bat). The specific PowerShell commands executed are:

·      $LanguageList = Get-WinUserLanguageList

·      $LanguageList.Add(“en-US”)

·      Set-WinUserLanguageList $LanguageList -force

Kill OSK

Execute taskkill.exe /f /im osk.exe. As mentioned earlier, this is the filename under which the Scarab ransomware is executed.

Winup

Execute taskkill.exe /f /im winupas.exe. As mentioned earlier, this is the filename under which the ClipBanker (associated with the Scarab ransomware) is executed.

Cobian UI Pass

Execute Cobian UI Pass, a freeware backup tool, while removing its configuration first. Note that this tool is not downloaded by Spacecolon. The process consists of just these two steps:

·      Delete C:Program Files (x86)Cobian Backup 11SettingscbEngine.ini

·      Execute C:Program Files (x86)Cobian Backup 11cbInterface.exe

Add

Add a new account with administrative rights. Username and password are specified in the TextBoxes to the left (highlighted in red).

PW GEN

Generate a random alphanumeric string in the TextBox to the left (length is specified in the TextBox under it). Highlighted in green.

Dec

Decrypt a hardcoded string and display it in the TextBox labeled Str. Highlighted in purple.

Note: The Enc button does nothing.

Earlier we stated that the deployed Scarab ransomware and its associated ClipBanker are named osk.exe and winupas.exe. As is obvious from Table 2, the two associated buttons can be used to terminate those processes.

The area highlighted in pink is filled in when ScHackTool launches. However, no actual machine information is retrieved; Spacecolon operators need to fill it in manually.

MIMI Dump tab

The functionality in this tab used to be part of the Tools tab, but was eventually moved to a separate tab. Once again, some of the buttons do not work. The UI is illustrated in Figure 11, and Table 3 summarizes the functionality of the working buttons.

Figure_11_MimiDumpTab
Figure 11. MIMI Dump tab of the ScHackTool

Table 3. List of functional buttons in the MIMI Dump tab

Button

Comment

Send

Upload a file to the C&C server.

The steps are:

1.      Take the file from the TextBox labeled Dump.

2.    Create a copy and name it lsa.file (or lsass.dmp in older builds).

3.    Store this file into dump.zip.

4.    Upload dump.zip to the C&C server.

5.    Open a file named lastlog.txt in Notepad.

°      The file is probably created by the underlying IPWorks library that implements the transfer.

Parse

Download two text files from the C&C server and paste one into the User and the other into the Pass TextArea.

Downloaded

Show a MessageBox with the list of tools already downloaded to the machine (see Figure 12).

Figure_12_InstalledToolsMsgBox
Figure 12. The MessageBox that lists all the tools already available on the compromised system when the Downloaded button is clicked

The name of this tab would suggest that it is closely tied to the infamous password and credential-extracting tool Mimikatz, but in fact it is not. While the file that is sent back to the Spacecolon C&C is named to suggest a lsass.exe dump, the file must be created manually by the operators, and it can be any arbitrary file. Similarly, the downloaded usernames and passwords are not utilized in any way unless copied by the operators.

However, Mimikatz is part of the set of additional tools provided by Spacecolon (see Appendix A – Third-party tools used by the attacker).

Bottom panel

The bottom panel, shared among all three tabs, allows CosmicBeetle to schedule a system restart, remove Spacecolon from the system, and access PortableApps, one of the additional tools. The Download and Zip progress bars correspond to the download and tool archive extraction progress, respectively. An overview of the buttons’ functionality is provided in Table 4.

Table 4. List of the buttons in the bottom panel shared between the three tabs, and their functionalities

Button

Comment

OPEN

Execute ./Portable/start.exe.

CLOSE

Execute

·      taskkill.exe /f /im PortableAppsPlatform.exe

·      taskkill.exe /f /im nl.exe

·      taskkill.exe /f /im advanced_port-scanner.exe

DELETE

Remove all files and folders recursively from the application’s location. Also execute taskkill.exe /f /im PortableAppsPlatform.exe.

Folder

Open Windows’ File Explorer in the application’s location.

R

Schedule a system restart.

A

Abort scheduled system restart.

String encryption

ScHackTool encrypts strings with a simple algorithm – we provide the decryption routine implemented in Python in Figure 13. Not all of the strings are encrypted, though with newer builds, the number of protected strings increases.

def decrypt_string(s: str, key: str) -> str:
    dec = ""
    for b in bytearray.fromhex(s):
        dec += chr(b ^ (key >> 8))
        key = (0xD201 * (b + key) + 0x7F6A) & 0xFFFF
 
    return dec

Figure 13. String decryption routine for SCHackTool strings

ScHackTool buttons – a trip back in time

ScHackTool is definitely the component that has undergone the most changes. The oldest build we were able to find is from 2020 and uses TicsDropbox for communication with its C&C server. At that time, instead of the fake error message, a password protection mechanism (see Figure 14) was in place (password: dd1q2w3e).

Figure_14_LoginUI
Figure 14. Password-protection window in an old variant of ScHackTool

Weirdly, with each new version, some buttons stopped working (their code was completely removed). By being able to peek into these older builds, we can learn the functionality of the no-longer-functional buttons, which are listed in Table 5.

Table 5. A list of button functionalities based on analysis of older builds

Button

Comment

Keyboard EN

Used to be named Keyboard TR with the obvious change in functionality.

DEFENDER OFF

Used to drop and execute scripts from the .rsrc section. These scripts are now part of the BAT and Avfucker additional tools listed in Appendix A – Third-party tools used by the attacker.

Stop Service

Used to drop and execute a script to terminate services and processes. This script is now part of the BAT additional tool, and the list of services and processes is provided in Appendix B – List of terminated Processes and services.

Kill All (Default)

Used to kill all processes contained inside a hidden list of the Delphi form structure. While the code is no longer present, the list is and is presented in Appendix C – Processes killed by Kill All (Default) button.

Del Shadow Log

Used to drop and execute scripts to delete Shadow Copies, delete Windows Event Logs, and modify boot options. These scripts are now part of the BAT tool listed in Appendix A – Third-party tools used by the attacker.

Recent Files

Used to drop and execute a small script that removes all files located at:

·      %APPDATA%MicrosoftWindowsRecentAutomaticDestinations*

·      %APPDATA%MicrosoftWindowsRecentCustomDestinations*

·      %APPDATA%MicrosoftWindowsRecent*

Credssp

Used to modify the settings of the Credential Security Support Provider (CredSSP) by issuing the following command (probably to overcome potential RDP connection issues):

reg add “HKLMSoftwareMicrosoftWindowsCurrentVersion
PoliciesSystemCredSSPParameters” /f /v AllowEncryptionOracle /t REG_DWORD /d 2

Button5

Encrypt a hardcoded URL and paste it to the Edit1 TextBox. This button is probably a predecessor of the Enc and Dec buttons. Strangely, the Dec button currently works while Enc does not.

Button20

Close the fake error message displayed on startup. This behavior is very strange, as at the point when the button could be clicked, the error message no longer exists. Indeed, clicking this button causes ScHackTool to crash.

ScInstaller

ScInstaller is a very small Delphi tool designed to do a single task: install ScService. ScService is stored in ScInstaller’s .rsrc section, encrypted with the AES algorithm using a key derived from the password TFormDropbox.btnUploadClick.

ScInstaller is part of the additional tools the attacker may or may not utilize, specifically the one named AGENT (see Appendix A – Third-party tools used by the attacker). Despite the newest observed build coming from 2021, that build is still part of the toolset at the time of writing. However, we have observed ScService installed manually through Impacket, and, while we have observed new builds of ScService, we have seen no new builds of ScInstaller. This may suggest ScInstaller is no longer actively used.

The earlier variants of ScInstaller simply installed and ran ScService on execution. The more recent variants come with a GUI (see Figure 15). ScService is installed only if the Install button is clicked.

Figure_15_InstallerUI
Figure 15. ScInstaller GUI

They also come with a few additional features. The Check button at the bottom verifies whether ScService is installed and retrieves the service status. The Check button at the top left is used to check connectivity to four hardcoded C&C servers (no actual data is exchanged). ScInstaller also drops its own TLS certificate in a PFX file named cert.pfx or cdn.pfx and protected by the password dd1q2w3e. This certificate is used when connecting to the C&C server(s).

TextBoxes labeled Forti IP and Not are used to create a small INI file with two entries – Data and Note, filled by those two values, respectively. This INI file is merely used by CosmicBeetle to store custom notes about the victim. It plays a minor role in C&C communication described in the next section.

ScService

In March 2023, possibly as the result of the Zaufana Trzecia Strona analysis published in early February 2023, ScService underwent a notable development change. Let’s first look at its earlier variant and then discuss the 2023 changes.

ScService, as the name suggests, is a component run as a Windows service and acts as a simple backdoor. The service parameters are shown in Table 6. The service description was taken from the official legitimate Windows Sensor Monitoring Service.

Table 6. ScService parameters

Parameter

Value

DisplayName

Server storage monitoring service

ServiceName

UpdateStorServ

Description

Monitors various sensors in order to expose data and adapt to system and user state. If this service is stopped or disabled, the display brightness will not adapt to lighting conditions. Stopping this service may affect other system functionality and features as well.

As with ScInstaller, ScService also drops a custom TLS certificate, identical to the one used by ScInstaller. If the INI file (created by ScInstaller) is not present, one with empty values is created.

Once launched, ScService creates three timers, one each that:

1.      sends a KEEP message to the C&C server every 10 seconds,

2.      flushes the DNS cache every five hours by executing ipconfig /flushdns, and

3.      connects to the C&C server every five minutes.

Figure 16 demonstrates the use of the custom certificate when establishing a connection to the C&C server. ScService uses multiple C&C servers, all hardcoded and encrypted in the binary.

Figure_16_CertificateUsage
Figure 16. Use of custom certificate upon connecting to the C&C server

Aside from establishing a TLS connection, ScService communicates with the C&C server via TCP on port 443. The protocol is very straightforward; no additional encryption is employed. Once ScService receives data, it scans the data for known command names and executes any such command, optionally sending back a response. ScService recognizes the six commands shown in Table 7. Command name and its parameters are delimited by #. In short, ScService can execute arbitrary commands and executables, open and close an SSH tunnel, obtain machine info, and update the INI file.

Table 7. TCP/IP commands capability

Command

Response

Comment

CMD#<CMD_TO_EXEC>

RESULT#CMD#<CMD_TO_EXEC_RESULT>

Execute <CMD_TO_EXEC> via cmd.exe.

DETAILS#GET

RESULT#DETAILS#<OS>#<UPTIME>#<REMOTE_HOST>#<INI_CONTENT>

Upload compromised machine info:

·      <OS> = OS name

·      <UPTIME> = Uptime (retrieved via the GetTickCount API)

·      <REMOTE_HOST> = The C&C server it is connected to

·      <INI_CONTENT> = Content of the INI file

SETNOTE#<NOTE>

N/A

Set <NOTE> as the content of the Note field in the INI file.

TUNNEL#<HOST>#<PORT>#<USER>#<PWD>#<SRC_PORT>#<DST_PORT>

OK : TUNNEL

Opens an SSH tunnel to the compromised machine for the attacker. Connects to a destination via SSH implemented by TScSSHClient. Connects to <HOST> at <PORT> using username <USER> and password <PASS> and instructs <HOST> to listen on <SRC_PORT> and forward the communication. It seems that <DST_PORT> is not used properly.

DISCONNECT

N/A

Disconnect the connection set up by the TUNNEL command.

DOWNEXEC#<URL>#<FILE>#<FLAG>

N/A

Download from <URL> to <FILE>. If <FLAG> equals 1, execute the <FILE>.

March 2023 redesign

As we already hinted, ScService underwent a notable change in March 2023. First of all, the service parameters changed slightly, keeping a similar pattern (see Table 8).

Table 8. Updated ScService parameters

Parameter

Value

DisplayName

Diagnostic Event System

ServiceName

StorageDataServ

Description

The Diagnostic Event System is used by the Diagnostic Policy Service to event diagnostics that need to run in a Local Service context.

The way that compromised machine info is obtained changed. ScService runs a local HTTP server on port 8347 accepting a single request – /status. ScService then issues this request to the server. The handling of this request is simple: it retrieves machine information and returns it as the content of the HTTP response. The data is formatted in a way that it can be stored in an INI file – which is precisely what happens: ScService stores the content into its INI file. The collected information is:

·      OS = operating system name

·      CN = computer name

·      DO = user domain

·      LIP = local IP addresses

Many (not all) strings are now encrypted using the AES-CBC algorithm with a key derived from the password 6e4867bb3b5fb30a9f23c696fd1ebb5b.

The C&C protocol changed. Interestingly, the original C&C communication protocol remains implemented, but is only used when instructed by the CONNECT command (see below) to communicate with a target. The new main C&C protocol uses HTTP instead of TCP. The following HTTP headers are used:

·      User-Agent = Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0

·      UNID = hexlified MD5 hash of MAC address and C: drive serial number

Additionally, a Session cookie is added with its value being the previously collected machine information stored as OS, CN, DO, and LIP, joined by # and encoded by base64.

Commands are in JSON format (see Figure 17 below).

{
    “Status”: “TASK”,
    “CMD”: “<COMMAND_NAME>”,
    “Params”: “<COMMAND_PARAMS_STR>”,
    “TaskID”: “<TASK_ID>”
}

 

Figure 17. Example of JSON-formatted command

The Status field is always equal to TASK, while the CMD and Params fields define the command name and parameters. Finally, the TaskID value is used to send the task result, if any, to the C&C server. Supported commands are listed in Table 9.

Table 9. HTTP(S) commands capability of ScService

Command

Parameters

Comment

CONNECT

<HOST>:<PORT>

Connect to a C&C server. Utilizes the old TCP communication protocol.

TUNNEL

<HOST>#<PORT>#<USER>#<PWD>#<SRC_PORT>#<DST_PORT>

The same as in TCP variant.

TUNNELCLOSE

N/A

The same as DISCONNECT in TCP variant.

DOWNEXEC

<FLAG>#<URL>#<FILE>

The same as in TCP variant (note that the arguments’ order has changed).

USERADD

<USERNAME>#<PASSWORD>

Add a new administrator account with given username and password.

Conclusion

In this blogpost, we have analyzed Spacecolon, a small Delphi toolset used to push the Scarab ransomware to vulnerable servers and its operators we call CosmicBeetle. Additionally, Spacecolon can provide backdoor access for its operators.

CosmicBeetle doesn’t make much effort to hide its malware and leaves plenty of artifacts on compromised systems. Little to no anti-analysis or anti-emulation techniques are implemented. ScHackTool relies heavily on its GUI, but, at the same time, contains several nonfunctional buttons. CosmicBeetle operators use ScHackTool mainly to download additional tools of choice to compromised machines and run them as they see fit.

Spacecolon has been in active use since at least 2020 and is under ongoing development. We believe the authors made a substantial effort to try to evade detection in 2023, after the Zaufana Trzecia Strona publication came out.

CosmicBeetle does not choose its targets; rather, it finds servers with critical security updates missing and exploits that to its advantage.

At the time of publication, we observed a new ransomware family, which we have named ScRansom, that is very likely written by the developer of the Spacecolon components. We have not seen ScRansom being deployed in the wild as of this writing.

For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.
ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.

IoCs

Files

 

SHA-1

Filename

Detection

Description

40B8AF12EA6F89DB6ED635037F468AADEE7F4CA6

app.exe

Win32/Spacecolon.A

Spacecolon HackTool.

1CB9320C010065E18881F0AAA0B72FC7C5F85956

Taskmgr.exe

Win32/Spacecolon.A

Spacecolon HackTool.

EF911DB066866FE2734038A35A3B298359EDABCE

ap.exe

Win32/Spacecolon.A

Spacecolon HackTool.

0A2FA26D6EAB6E9B74AD54D37C82DEE83E80BDD7

ap.exe

Win32/Spacecolon.A

Spacecolon HackTool.

B916535362E2B691C6AEF76021944B4A23DDE190

ap.exe

Win32/Spacecolon.A

Spacecolon HackTool.

95931DE0AA6D96568ACEBC11E551E8E1305BF003

a.exe

Win64/Spacecolon.A

Spacecolon Installer.

6700AFB03934B01B0B2A9885799322307E3299D5

installer.exe

Win64/Spacecolon.A

Spacecolon Installer.

4B07391434332E4F8FAADF61F288E48389BCEA08

svcss.exe

Win64/Spacecolon.A

Spacecolon Service.

B9CF8B18A84655D0E8EF1BB14C60763CEFFF9686

svvc.exe

Win64/Spacecolon.A

Spacecolon Service.

E2EAA1EE0B51CAF803CEEDD7D3452577B6FE7A8D

1new.exe

Win32/Filecoder.FS

Scarab ransomware (.danger variant).

8F1374D4D6CC2899DA1251DE0325A7095E719EDC

kkk.exe

Win32/Filecoder.FS

Scarab ransomware (.rdprecovery variant).

2E4A85269BA1FDBA74A49B0DF3397D6E4397DB78

Analyzer_sib.msi

Win64/DelShad.D

MSI installer of ScRansom

7AA1A41F561993C4CCA9361F9BAEF2B00E31C05D

Project1.exe

Win32/Filecoder.Spacecolon.A

ScRansom

7BC7EEAAF635A45BC2056C468C4C42CC4C7B8F05

Shadow.exe

Win64/DelShad.D

Utility to delete Shadow Copies

Network

IP

Domain

Hosting provider

First seen

Details

N/A

u.piii[.]net

Cloudflare

2022-01-25

Spacecolon C&C server.

3.76.107[.]228

N/A

AWS

2023-01-16

Spacecolon C&C server.

87.251.64[.]19

N/A

XHOST INTERNET SOLUTIONS

2021-11-08

Spacecolon C&C server.

87.251.64[.]57

up.awiki[.]org

XHOST INTERNET SOLUTIONS

2021-12-11

Spacecolon C&C server.

87.251.67[.]163

ss.688[.]org

XHOST INTERNET SOLUTIONS

2023-02-27

Spacecolon C&C server.

162.255.119[.]146

akamaicdnup[.]com

Namecheap, Inc.

2023-02-24

Spacecolon C&C server.

185.170.144[.]190

b.688[.]org

XHOST INTERNET SOLUTIONS

2021-11-21

Spacecolon C&C server.

185.202.0[.]149

sys.688[.]org

Internet Technologies LLC

2020-12-16

Spacecolon C&C server.

193.37.69[.]152

update.inet2[.]org

XHOST INTERNET SOLUTIONS

2023-03-03

Spacecolon C&C server.

193.37.69[.]153

up.vctel[.]com

u.cbu[.]net

update.cbu[.]net

XHOST INTERNET SOLUTIONS

2021-12-11

Spacecolon C&C server.

193.149.185[.]23

N/A

BL Networks

2023-05-31

Spacecolon C&C server.

206.188.196[.]104

cdnupdate[.]net

BL Networks

2023-01-16

Spacecolon C&C server.

213.232.255[.]131

N/A

SEMIBAND LLC

2021-12-19

Spacecolon C&C server.

Paths where Spacecolon is usually installed

·      %USERPROFILE%Music

·      %ALLUSERSPROFILE%

Names of custom accounts set up by CosmicBeetle

·      support

·      IIS

·      IWAM_USR

·      BK$

Mutexes created by Scarab ransomware

·      {46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}

·      {7F57FB1B-3D23-F225-D2E8-FD6FCF7731DC}

MITRE ATT&CK techniques

Tactic

ID

Name

Description

Reconnaissance

T1595.002

Active Scanning: Vulnerability Scanning

CosmicBeetle looked for vulnerable servers as potential targets.

Resource Development

T1583.001

Acquire Infrastructure: Domains

CosmicBeetle used various hosting providers to register domains.

T1587.001

Develop Capabilities: Malware

CosmicBeetle developed its own malware.

T1587.003

Develop Capabilities: Digital Certificates

ScService and ScInstaller use a custom SSL certificate in TLS communications.

Initial Access

T1190

Exploit Public-Facing Application

CosmicBeetle exploited ZeroLogon, and probably other vulnerabilities, to compromise systems.

Execution

T1059.003

Command and Scripting Interpreter: Windows Command Shell

CosmicBeetle executed many commands using cmd.exe. Many of the additionally downloaded tools are BAT scripts.

T1059.001

Command and Scripting Interpreter: PowerShell

ScHackTool uses PowerShell to perform various tasks.

T1059.005

Command and Scripting Interpreter: Visual Basic

Many of the additionally downloaded tools are VBScripts.

T1053.005

Scheduled Task/Job: Scheduled Task

ScService utilizes scheduled tasks to execute payloads.

Persistence

T1133

External Remote Services

CosmicBeetle attempted to brute force credentials that were then used to enter.

T1547.001

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

ScHackTool and the Scarab ransomware utilize the Run or RunOnce key for persistence.

T1136.001

Create Account: Local Account

CosmicBeetle often created its own administrator account.

T1543.003

Create or Modify System Process: Windows Service

ScService is implemented as a Windows service.

Defense Evasion

T1078.003

Valid Accounts: Local Accounts

CosmicBeetle may deploy a large variety of tools to crack or brute force credentials for local accounts.

T1140

Deobfuscate/Decode Files or Information

Spacecolon components employ several kinds of data obfuscation.

T1070.001

Indicator Removal: Clear Windows Event Logs

CosmicBeetle may deploy a large variety of tools to clear Windows Event Logs.

T1036.005

Masquerading: Match Legitimate Name or Location

Scarab ransomware attempts to hide by naming its processes as legitimate Windows process names.

T1218.005

System Binary Proxy Execution: Mshta

Scarab ransomware utilizes mshta.exe to perform various tasks.

Credential Access

T1110.001

Brute Force: Password Guessing

CosmicBeetle may deploy a large variety of tools designed to brute force passwords.

T1110.003

Brute Force: Password Spraying

CosmicBeetle may deploy a large variety of tools designed to test a large number of passwords.

T1003.001

OS Credential Dumping: LSASS Memory

CosmicBeetle may deploy tools capable of dumping lsass.exe.

Discovery

T1082

System Information Discovery

ScService queries system information to fingerprint the victim.

T1016

System Network Configuration Discovery

ScService retrieves the local network configuration and MAC address.

T1124

System Time Discovery

ScService retrieves the system time.

Collection

T1560.002

Archive Collected Data: Archive via Library

ScHackTool uses the standard ZIP library to archive files before extracting them to the C&C server.

T1115

Clipboard Data

Scarab ransomware deploys a ClipBanker that monitors the clipboard for cryptocurrency wallets, and changes them.

Command and Control

T1071.001

Application Layer Protocol: Web Protocols

Spacecolon components communicate via HTTPS.

T1132.001

Data Encoding: Standard Encoding

ScService uses AES encryption.

T1095

Non-Application Layer Protocol

Older ScService builds communicate via a custom TCP/IP protocol.

T1571

Non-Standard Port

New ScService builds run a local HTTP server on port 8347.

T1090.002

Proxy: External Proxy

ScService may be instructed to use an external proxy.

Exfiltration

T1041

Exfiltration Over C2 Channel

ScHackTool exfiltrates data to the C&C server.

Impact

T1485

Data Destruction

CosmicBeetle may deploy a number of tools to destroy data on disks.

T1486

Data Encrypted for Impact

CosmicBeetle may deploy Scarab ransomware to encrypt sensitive data.

T1561

Disk Wipe

CosmicBeetle may deploy a number of tools to wipe disks.

T1529

System Shutdown/Reboot

ScHackTool is capable of rebooting the system.

Appendix A – Third-party tools used by the attacker

The tools in the following table are ordered by name. The “Tool name” column corresponds to the name assigned to the tool archive by the threat actor and the “Archive path” column lists the relative path of the tool’s archive on the C&C server. The tools at the very end whose “Tool name” is set to “N/A” refer to tools that are present on the C&C server, but not used by CosmicBeetle in any configuration known to us. Finally, some tools seem to no longer be present on the C&C server, though a button to request them still exists in the ScHackTool – this is reflected by the “Comment” column being set to “N/A”.

Tool name

Archive path

Comment

7z

/tools/other/7z.zip

7zip, a popular archiving utility.

AccountRestore

/tools/priv/Accountrestore.zip

A tool used to enumerate users and brute force their password. Mentioned here.

Advrun

/tools/priv/advancedrun-x64.zip

AdvancedRun, a utility to execute files by NirSoft.

Afterwork

/tools/_AfterWork.zip

Contains:

·      CCleaner, the popular performance optimization tool, and

·      ClearLock, a screen-locking utility.

AGENT

/tools/agent.zip

Contains:

·      ScInstaller, and

·      installer for remote access tool IntelliAdmin.

APS

/tools/APS.zip

Advanced Port Scanner, a port scanning utility.

AutoMimikatz

/tools/priv/mimiauto.zip

N/A

Autoruns

/tools/AutorunsPortable.zip

Autoruns Portable, a popular auto-start location monitor.

Avfucker

/tools/avfucker.zip

Set of small scripts to:

·      delete Shadow Copies, and

·      disable Windows Defender.

BAT

/tools/BAT.zip

Contains:

·      a collection of scripts to:

°      delete Shadow Copies,

°      modify boot settings,

°      delete Windows Logs, and

°      terminate several processes and services (refer to Appendix B – List of terminated processes and services).

·      Defender Control, a tool to disable Windows Defender.

Bruter 1.1

/tools/priv/Bruter_1.1.zip

Bruter, a network login brute forcer.

CAIN

/tools/priv/ca_setup.zip

N/A

Card Recon

/tools/pass/cardrecon.zip

Card Recon, a tool for identifying payment card data.

Chrome

/tools/GoogleChromePortable.zip

Google Chrome web browser.

Dbbrowser

/tools/pass/dbbrowser.zip

N/A

Dcrypt

/tools/dcrypt_setup_1.2_beta_3_signed.zip

DiskCryptor, a tool to encrypt disks.

Defender

/tools/def.zip

StopDefender, a tool to disable Windows Defender.

Disk Tools

/tools/disktools.zip

Disk tools toolkit, a collection of tools to manipulate disks (including wiping).

EPDR

/tools/pass/epdr.zip

N/A

Eraser

/tools/EraserPortable.zip

Eraser Classic Portable, a secure file-deletion and data-wiping utility.

Fiddler Sniffer

/tools/sniffer/FiddlerSetup.zip

Fiddler, a popular network debugging tool.

Filezilla Portable

/tools/FileZillaPortable.zip

FileZilla Client Portable, a popular FTP client.

Interceptor

/tools/sniffer/Intercepter-NG.v1.0+.zip

Interceptor-NG, a multifunctional network analysis tool.

IOBitUnlocker

/tools/IObitUnlockerPortable.zip

IOBitUnlocker, a tool to unlock access to files blocked by a certain application.

LastActivityViewer

/tools/LastActivityView.zip

LastActivityView, a tool by NirSoft to view recent activity.

LowLevel

/tools/HDDLLF.4.40.zip

HDD LLF Low Level Format Tool, a utility for low-level hard disk drive formatting.

Metasploit

/tools/exploit/metasploitframework-latest.zip

Metasploit, a penetration testing framework.

Mimikatz

/tools/priv/mimikatz_trunk.zip

The well-known password extraction tool.

MREMOTE

/tools/other/mRemoteNG-Portable-1.76.20.24669.zip

mRemoteNG, a multi-protocol remote connections manager.

Netscan

/tools/netscan.zip

NetworkScanner by SoftPerfect, an IPv4/IPv6 scanner.

NGROK

/tools/r/ngrok.zip

N/A

NirsoftPass

/tools/pass/passrecenc.zip

Windows Password Recovery Tools, a collection of password retrieval tools by NirSoft.

NL

/tools/priv/nl.zip

NLBrute, an RDP brute-forcing tool.

Nmap

/tools/nmap-7.92-setup.zip

Nmap, a utility for network discovery and security auditing.

NPRW

/tools/pass/nprw.zip

N/A

Portable

/tools/Portable.zip

PortableApps.com, a bundle of various portable applications.

Pstools

/tools/priv/PSTools.zip

PsTools, a collection of command line tools for Windows by Sysinternals.

Pview

/tools/pwd_view.zip

Password Viewer, a utility to unmask passwords hidden in PasswordBox fields.

PWRPISO

/tools/pass/PRWP.zip

Reset Windows Password, a password recovery tool.

Radmin Bruter

/tools/priv/radminbrute.zip

N/A

RDP Recognizer

/tools/pass/rdprecognizer.zip

N/A

SMM

/tools/SSMS-Setup-ENU.zip

SQL Server Management Studio by Microsoft.

Spacemonger

/tools/SpaceMonger.zip

SpaceMonger, a tool for keeping track of free space on disks.

Sqlmanager Mini

/tools/pass/sqlmanager.zip

N/A

SuperScan

/tools/superscan.zip

Superscan, a port scanner by Foundstone.

USBView

/tools/usbdeview-x64.zip

USBDeview, a USB device viewer by NirSoft.

VCJRENET

/tools/other/VCJRE.zip

Contains:

·      JRE for Java 8.0.3110.11,

·      Microsoft .NET Framework 4.8.04115.00,

·      Microsoft Visual C++ 2015-2022 Redistributable (x64) – 14.30.30704,

·      Microsoft Visual C++ 2015-2022 Redistributable (x86) – 14.30.30704,

·      Microsoft Visual C++ 2012 Redistributable (x64) – 11.0.61030,

·      Microsoft Visual C++ 2013 Redistributable (x64) – 12.0.40664,

·      Microsoft Visual C++ 2013 Redistributable (x86) – 12.0.40664,

·      Microsoft Visual C++ 2013 Redistributable (x64) – 12.0.30501, and

·      Microsoft Visual C++ 2013 Redistributable (x86) – 12.0.30501.

Veracrypt

/tools/VeraCryptPortable.zip

VeraCrypt Portable disk encryption software.

Vmware VRC

/tools/vmrc.zip

N/A

Winlogon

/tools/winlogonview.zip

WinLogOnView by NirSoft.

Winrar

/tools/winrar.zip

WinRAR, a popular archiver tool.

WORDLIST

/tools/wl.zip

N/A

WPR

/tools/pass/wpr_setup.zip

Passcape Windows Password Recovery, a tool to retrieve passwords from user accounts.

N/A

/tools/FastCopyPortable.zip

FastCopy Portable, a utility for fast copying and deletion.

N/A

/tools/IObitUninstallerPortable.zip

IObitUninstaller Portable, a utility for uninstalling applications.

N/A

/tools/clearev.zip

Contains:

·      a collection of scripts to:

°      delete Windows Event Logs, and

°      delete Shadow Backups.

·      ScreenLock (also contained in the Afterwork archive).

N/A

tools/other/dbeaver-portable-win64-21.0.5-43-setup.exe

DBeaver, a database management tool.

Appendix B – List of terminated processes and services

AcronisAgent
AcrSch2Svc
Apache2
avpsus
BackupExecAgentAccelerator
BackupExecAgentBrowser
BackupExecDiveciMediaService
BackupExecJobEngine
BackupExecManagementService
BackupExecRPCService
BackupExecVSSProvider
bes10*
black*
BMR Boot Service
CAARCUpdateSvc
CASAD2DWebSvc
ccEvtMgr
ccSetMgr
DefWatch
fbgu*
fdlauncher*
firebird*
firebirdguardiandefaultinstance
IBM Domino Diagnostics (CProgramFilesIBMDomino)
IBM Domino Server (CProgramFilesIBMDominodata)
IBM*
ibmiasrw
IISADMIN
Intuit.QuickBooks.FCS
McAfeeDLPAgentService
mfewc
mr2kserv
MsDtsServer110
MsDtsSrvr*
MSExchangeADTopology
MSExchangeFBA
MSExchangeIS
MSExchangeSA
msmdsrv*
MSSQL$ISARS
MSSQL$MSFW
MSSQLFDLauncher
MSSQLServerADHelper100
MSSQLServerOLAPService
MySQL
mysql*
mysqld.exe
NetBackup BMR MTFTP Service
orac*
PDVFSService
postg*
QBCFMonitorService
QBFCService
QBIDPService
QBPOSDBServiceV12
QBVSS
QuickBooksDB1
QuickBooksDB10
QuickBooksDB11
QuickBooksDB12
QuickBooksDB13
QuickBooksDB14
QuickBooksDB15
QuickBooksDB16
QuickBooksDB17
QuickBooksDB18
QuickBooksDB19
QuickBooksDB2
QuickBooksDB20
QuickBooksDB21
QuickBooksDB22
QuickBooksDB23
QuickBooksDB24
QuickBooksDB25
QuickBooksDB3
QuickBooksDB4
QuickBooksDB5
QuickBooksDB6
QuickBooksDB7
QuickBooksDB8
QuickBooksDB9
ReportingServicesService*
ReportServer
ReportServer$ISARS
RTVscan
sage*
SavRoam
ShadowProtectSvc
Simply Accounting Database Connection Manager
sophos
SPAdminV4
SPSearch4
SPTimerV4
SPTraceV4
SPUserCodeV4
SPWriterV4
sql
SQL Backup Master
SQL Server (MSSQLServer)
SQL Server Agent (MSSQLServer)
SQL Server Analysis Services (MSSQLServer)
SQL Server Browser
SQL Server FullText Search (MSSQLServer)
SQL Server Integration Services
SQL Server Reporting Services (MSSQLServer)
sql*
SQLAgent$ISARS
SQLAgent$MSFW
SQLAGENT90.EXE
SQLBrowser
sqlbrowser.exe
sqlservr.exe
SQLWriter
sqlwriter.exe
stc_raw_agent
store.exe
vee*
veeam
VeeamDeploymentService
VeeamNFSSvc
VeeamTransportSvc
VSNAPVSS
WinDefend
YooBackup
YooIT
Zhudongfangyu

Appendix C – Processes killed by Kill All (Default) button

Names of processes that used to be terminated by the Kill All (Default) button:

app.exe
ApplicationFrameHost.exe
blnsvr.exe
cmd.exe
conhost.exe
csrss.exe
dllhost.exe
dwm.exe
explorer.exe
LogonUI.exe
lsass.exe
msdtc.exe
openvpn-gui.exe
Project1.exe
rdpclip.exe
RuntimeBroker.exe
SearchUI.exe
services.exe
ShellExperienceHost.exe
sihost.exe
smss.exe
spoolsv.exe
svchost.exe
taskhost.exe
taskhostex.exe
taskhostw.exe
tasklist.exe
Taskmgr.exe
vmcompute.exe
vmms.exe
w3wp.exe
wininit.exe
winlogon.exe
wlms.exe
WmiPrvSE.exe

Source: https://www.welivesecurity.com/en/eset-research/scarabs-colon-izing-vulnerable-servers/