The hacker group CosmicBeetle attacks organizations worldwide, especially European ones. The group uses the Spacecolon toolset to spread ransomware among its victims and extort ransoms.
The attackers exploit the zero-logon vulnerability in web servers for their attacks. Alternatively, hackers resort to classic brute force attacks on RDP credentials to break into organizations. Spacecolon has been active since at least May 2020 until today.
CosmicBeetle also operates globally
ESET specialists were able to track CosmicBeetle and its tools worldwide. Countries in the European Union, such as Spain, France, Belgium, Poland and Hungary, are particularly affected. Outside the EU, organizations in Mexico and Turkey are particularly targeted.
“How the hacker group selects its victims remains unclear. There are neither areas of focus nor similarities in the size of the targets: a hospital and resort in Thailand, an insurance company in Israel, a local government facility in Poland, an entertainment provider in Brazil, an environmental company in Turkey and a school in Mexico,” says ESET Researcher Jakub Souček, author of the analysis. Spacecolon's program code contains many Turkish character strings. ESET therefore assumes that the developers are of Turkish origin.
How does CosmicBeetle do it?
After hackers compromise a web server, they download and run additional tools on their victims' computers. In addition to ransomware, this also includes other third-party tools: These enable attackers to deactivate security products, extract critical information and gain expanded access via backdoors for particularly worthwhile targets.
In some cases, ransomware that uses ClipBanker is also used. This is a type of malware that monitors the contents of the clipboard. If it finds content that is a crypto wallet address, it inserts an address controlled by the attacker. The hacking group makes no significant effort to hide its malware. It leaves behind numerous artifacts on compromised systems.
New ransomware is in the works
CosmicBeetle is also preparing to distribute a new ransomware family called ScRansom. ESET Research assumes that Cosmic Beetle is behind the development. This ransomware attempts to encrypt all hard drives, removable storage devices and remote drives. However, she has not yet been observed in action. The specialists therefore suspect that it is still in the development phase.
More at ESET.com
About ESET ESET is a European company with headquarters in Bratislava (Slovakia). ESET has been developing award-winning security software since 1987 that has already helped over 100 million users enjoy secure technology. The broad portfolio of security products covers all common platforms and offers companies and consumers worldwide the perfect balance between performance and proactive protection. The company has a global sales network in over 180 countries and branches in Jena, San Diego, Singapore and Buenos Aires. For more information, visit www.eset.de or follow us on LinkedIn, Facebook and Twitter.