Space Pirates: hack, steal, repeat!
At the end of 2019, the team at the Positive Technologies Expert Security Center (PT ESC) discovered a new cybercrime group, which they dubbed Space Pirates. It had been active since at least 2017. The first comprehensive research paper describing the group was published in early 2022. The Space Pirates group has since stepped up attacks on Russian companies: we have come across the group frequently while investigating cyberattacks in the past year. They have hardly changed their tactics, but they have developed new tools and improved their old ones.
The cybercriminals’ main goals are still espionage and theft of confidential information, but the group has expanded its interests and the geography of its attacks. Over the year, at least 16 organizations have been attacked in Russia and one in Serbia. Some of the new victims that we identified are Russian and Serbian government and educational institutions, private security companies, aerospace manufacturers, agricultural producers, defense, energy, and infosec companies.
Virtually every investigation we conducted found that the group was using Deed RAT. As far as we can tell, the Space Pirates group is moving away from other backdoors. Based on code similarities between Deed RAT and ShadowPad, we suggest that the backdoor is an evolution of ShadowPad. ShadowPad is in turn believed to be an evolution of PlugX. Unlike ShadowPad and PlugX, though, Deed RAT has to date been observed exclusively in the hands of the Space Pirates group. The backdoor is still under active development. While investigating one incident, we found a 64-bit version of Deed RAT on an infected device. The structure of the main module and plugin headers is all but identical to the 32-bit version.
During an investigation, we obtained a sample of unknown, functionally different malware. The timeline of the sample's appearance on the infected computer suggested that the malware was delivered via the Deed RAT instance already installed on the machine and therefore belongs to the Space Pirates group. This was later confirmed. We named the malware Voidoor, after its C&C server and the backdoor malware type. Voidoor used the legitimate resources GitHub and Voidtools.com as C&C servers. While investigating logs from GitHub and Voidtools, we found more than 3,500 login events associated with 73 unique IP addresses, and we were able to attribute Voidoor to the Space Pirates group after discovering a series of logins from Space Pirates IP addresses that occurred within days of the account being registered.
Mr. Denis Kuvshinov
Head of Threat Intelligence department, Positive Technologies Expert Security Center
Graduated from the Bauman Moscow State Technical University in 2017 with a degree in Digital and Technical Intelligence Prevention.
Previously worked for Informzashchita. Joined Positive Technologies in 2017. Started out as an Information Security Monitoring Specialist and is currently Head of Threat Analysis at the Positive Technologies Expert Security Center. In charge of searching for new APT groups (participated in discovering TaskMasters, SongXY, Calypso, Chamelgang, and Space Pirates) and tracking the activities of known groups. Responsible for malware analysis and for supplying expertise in the form of indicator-of-compromise data for Positive Technologies products. Regular speaker at industry-specific conferences: spoke at PHDays and Standoff 10 in 2022.
Mr. Stanislav Rakovsky
Senior analyst of Threat Intelligence department, Positive Technologies Expert Security Center
Stanislav Rakovsky is a seasoned malware researcher at Positive Technologies with a specialized focus on tracking APTs and investigating open-source malicious activities. Stanislav holds a master's degree in Information Security & Information Security Management from MPEI. Regular speaker at industry-specific conferences: The STANDOFF, PHDays, OFFZONE, Moscow Python Conf, IT Picknick.