In recent months, the threat actor known as Space Pirates has emerged as a formidable cyber adversary, actively targeting companies and organizations in Russia and Serbia. With a history of large-scale activities, this group has evolved its tactics, employing novel techniques and developing new cyberweapons to achieve its objectives. This article provides an in-depth analysis of the Space Pirates’ cyber campaign, as revealed by researchers from Positive Technologies in their comprehensive report published on July 24, 2023, along with subsequent developments and the ongoing efforts to counter this cyber menace.
Space Pirates’ Expanding Targets:
The report by Positive Technologies Expert Security Center (PT ESC) exposes the scope and scale of Space Pirates’ attacks over the past year. Initially known for espionage and the theft of confidential information, the group has widened its interests, targeting government agencies, educational institutions, security firms, aviation and aerospace companies, agricultural producers, military entities, fuel and energy companies, as well as information security companies across Russia and Serbia.
Continued Evolution of Tactics and Tools:
Despite its expanding targets, the core objectives of Space Pirates remain espionage and data theft. The group has been relentless in its efforts to develop new tools and improve existing ones. Researchers have identified the presence of an Acunetix scanner on one of the Space Pirates’ command-and-control (C2) servers, suggesting that vulnerability exploitation is a likely initial-access vector.
The Unconventional Techniques of Voidoor and Deed RAT:
One of the most concerning developments in Space Pirates’ arsenal is the use of a previously undocumented malware called Voidoor. This malware contacts a legitimate forum called Voidtools and a GitHub repository associated with a user named “hasdhuahd” for C2. Using hard-coded credentials, Voidoor logs in to the user’s personal messaging system and searches for a folder corresponding to a specific victim ID.
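Because Voidoor hides its C2 inside traffic to legitimate services, the practical hunt is for unexpected processes polling those services on a steady cadence. The script below is an added example written for this article, not code from Positive Technologies or the report; the event format, the exact hostnames and the process allowlist are assumptions, and the telemetry is constructed.

```python
"""Hunting sketch for C2 over legitimate services (the Voidoor pattern above).
Added example; event format, hostnames and the allowlist are assumptions."""
from collections import defaultdict
from datetime import datetime

# Services the article names as Voidoor's C2 channels; exact hostnames are assumed.
WATCHED_HOSTS = {"github.com", "api.github.com", "raw.githubusercontent.com",
                 "www.voidtools.com"}
# Processes normally expected to reach those services on a workstation (assumption).
EXPECTED_CLIENTS = {"chrome.exe", "firefox.exe", "msedge.exe", "git.exe", "code.exe"}

def parse_event(line):
    """Parse one constructed 'timestamp|host|process|destination' event line."""
    ts, host, proc, dest = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "proc": proc.lower(), "dest": dest.lower()}

def suspicious_events(lines):
    """Keep events where a process outside the allowlist talks to a watched service."""
    events = (parse_event(l) for l in lines if l.strip())
    return [e for e in events
            if e["dest"] in WATCHED_HOSTS and e["proc"] not in EXPECTED_CLIENTS]

def polling_intervals(events):
    """Seconds between consecutive flagged connections per (host, process);
    a steady interval is the polling cadence of a dead-drop C2 client."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_key[(e["host"], e["proc"])].append(e["ts"])
    return {k: [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
            for k, ts in by_key.items()}

# Constructed sample telemetry (not taken from the report).
SAMPLE = """\
2023-07-24T10:00:01|WS-01|chrome.exe|github.com
2023-07-24T10:00:05|WS-01|taskhelper.exe|api.github.com
2023-07-24T10:05:05|WS-01|taskhelper.exe|api.github.com
2023-07-24T10:10:05|WS-01|taskhelper.exe|www.voidtools.com
2023-07-24T10:11:00|WS-02|git.exe|github.com
2023-07-24T10:12:00|WS-02|outlook.exe|outlook.office.com
"""

if __name__ == "__main__":
    flagged = suspicious_events(SAMPLE.splitlines())
    for key, gaps in polling_intervals(flagged).items():
        print(key, "flagged", len(gaps) + 1, "times; intervals (s):", gaps)
```

In the constructed sample only the unlisted process on WS-01 is flagged, and its two 300-second gaps are the kind of regularity a traffic analyzer should surface for review.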
Additionally, Space Pirates has adopted the use of Deed RAT, a successor to ShadowPad and PlugX, commonly employed by Chinese cyber espionage groups. Deed RAT comes in both 32- and 64-bit versions and can dynamically retrieve additional plug-ins from a remote server, granting the hackers extended control over compromised systems.
Potential Chinese Connection:
While the origins of the threat actor remain elusive, various indicators suggest that the developer of the tools used by Space Pirates may have Chinese roots. The group’s techniques are reminiscent of those employed by Chinese groups like APT41, including hosting servers on Choopa and using specific files for DLL hijacking.
Positive Technologies’ Response and Recommendations:
Positive Technologies’ ongoing monitoring and response to cyber threats have been vital in unearthing the Space Pirates’ activities. The research highlights the need for proactive measures to defend against these sophisticated attacks. The company recommends the use of traffic analyzers and sandboxes to identify complex malware and offers products like PT Network Attack Discovery (PT NAD) and PT Sandbox to detect malicious activities, prevent attacks, and identify infected hosts in the network.
Space Pirates continues to be a significant cyber threat, with an ever-evolving arsenal of tools and techniques targeting organizations in Russia and Serbia. The vigilance of cybersecurity experts and the implementation of proactive measures are crucial to safeguarding against these sophisticated attacks. As the cybersecurity landscape evolves, continued research and collaboration remain essential to combating threats posed by groups like Space Pirates.
– Authored by contributor Anthony J. Daw