China-linked Space Pirates APT targets Russian aerospace industrySecurity Affairs

A new China-linked cyberespionage group known as ‘Space Pirates’ is targeting enterprises in the Russian aerospace industry.

A previously unknown Chinese cyberespionage group, tracked as ‘Space Pirates’, targets enterprises in the Russian aerospace industry with spear-phishing attacks.

The group has been active since at least 2017, researchers believe it is linked with other China-linked APT groups, including APT41 (Winnti), Mustang Panda, and APT27.

The Space Pirates APT group focuses was spotted targeting government agencies and enterprises involved in aerospace, IT services, and electric power industries located in Russia, Georgia, and Mongolia.

The name Space Pirates comes from the string P1Rat used in PDB paths, and the focus of some attacks on the aerospace industry.

“We assume that Space Pirates has Asian roots: this is indicated by the active use of Chinese in resources, SFX archives, and PDB paths. In addition, the group’s arsenal includes the Royal Road RTF (or 8.t) builder, which is common among Asian hackers, and the PcShare backdoor, and almost all intersections with already known activity are associated with APT groups in the Asian region. ” reads the analysis published by the experts.

The attacks were first discovered by researchers at Positive Technologies in 2019, the phishing messages contained a link to previously undetected malware. The experts discovered that the same malware was used in 2020 attacks aimed at Russian government organizations, and in the summer of 2021 against other enterprise.

Further investigation revealed that at least two more organizations in Russia with state participation were compromised by the Space Pirates group.

In the first case, the attackers gained access to 20 servers for ten months and stole over 1,500 internal documents containing sensitive data.

In the second case, the APT group maintained access to the target network for over a year, during this time, it installed malware to 12 corporate network nodes in three distinct regions.

The Space Pirates’ arsenal includes a broad range of malware, including unique loaders and several previously undetected backdoors tracked as MyKLoadClient, BH_A006, Deed RAT. The arsenal also includes the Zupdax backdoor along with well-known malware such as PlugX RAT, ShadowPad backdoor, Poison Ivy RAT, a modified version of PcShare, and the public ReVBShell shell. The APT group also leverages the dog-tunnel utility to tunnel traffic.

The experts highlighted that the exchange of tools between APT groups is a common behaviors in the Asian region.

“APT groups with Asian roots continue to attack Russian companies, which is confirmed by the activity of the Space Pirates group. Attackers both develop new malware that implements non-standard techniques (such as Deed RAT) and use modifications of existing backdoors. Sometimes such modifications can have many layers of obfuscation added to counteract protections and complicate the analysis procedure – as in the case of BH_A006, built on the code of the popular Gh0st backdoor. ” concludes the report. “A separate difficulty in the case of APT groups in the Asian region is the exact attribution of the observed activity: the frequent exchange of tools used, as well as the joint activity of various groups in some cases, significantly complicate this task.”

Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit:
https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs hacking, Space Pirates)




Source

A new China-linked cyberespionage group known as ‘Space Pirates’ is targeting enterprises in the Russian aerospace industry.

A previously unknown Chinese cyberespionage group, tracked as ‘Space Pirates’, targets enterprises in the Russian aerospace industry with spear-phishing attacks.

The group has been active since at least 2017, researchers believe it is linked with other China-linked APT groups, including APT41 (Winnti), Mustang Panda, and APT27.

The Space Pirates APT group focuses was spotted targeting government agencies and enterprises involved in aerospace, IT services, and electric power industries located in Russia, Georgia, and Mongolia.

The name Space Pirates comes from the string P1Rat used in PDB paths, and the focus of some attacks on the aerospace industry.

“We assume that Space Pirates has Asian roots: this is indicated by the active use of Chinese in resources, SFX archives, and PDB paths. In addition, the group’s arsenal includes the Royal Road RTF (or 8.t) builder, which is common among Asian hackers, and the PcShare backdoor, and almost all intersections with already known activity are associated with APT groups in the Asian region. ” reads the analysis published by the experts.

The attacks were first discovered by researchers at Positive Technologies in 2019, the phishing messages contained a link to previously undetected malware. The experts discovered that the same malware was used in 2020 attacks aimed at Russian government organizations, and in the summer of 2021 against other enterprise.

Further investigation revealed that at least two more organizations in Russia with state participation were compromised by the Space Pirates group.

In the first case, the attackers gained access to 20 servers for ten months and stole over 1,500 internal documents containing sensitive data.

In the second case, the APT group maintained access to the target network for over a year, during this time, it installed malware to 12 corporate network nodes in three distinct regions.

The Space Pirates’ arsenal includes a broad range of malware, including unique loaders and several previously undetected backdoors tracked as MyKLoadClient, BH_A006, Deed RAT. The arsenal also includes the Zupdax backdoor along with well-known malware such as PlugX RAT, ShadowPad backdoor, Poison Ivy RAT, a modified version of PcShare, and the public ReVBShell shell. The APT group also leverages the dog-tunnel utility to tunnel traffic.

The experts highlighted that the exchange of tools between APT groups is a common behaviors in the Asian region.

“APT groups with Asian roots continue to attack Russian companies, which is confirmed by the activity of the Space Pirates group. Attackers both develop new malware that implements non-standard techniques (such as Deed RAT) and use modifications of existing backdoors. Sometimes such modifications can have many layers of obfuscation added to counteract protections and complicate the analysis procedure – as in the case of BH_A006, built on the code of the popular Gh0st backdoor. ” concludes the report. “A separate difficulty in the case of APT groups in the Asian region is the exact attribution of the observed activity: the frequent exchange of tools used, as well as the joint activity of various groups in some cases, significantly complicate this task.”

Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit:
https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs hacking, Space Pirates)




Source

More from author

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Related posts

Advertismentspot_img

Latest posts

Threat Intelligence Services Are Universally Valued by IT Staff

Almost all IT professionals believe that threat intelligence services and feeds will help their company get ready for and repulse malware attacks. Only...

Black Basta may be an all-star ransomware gang made up of former Conti and REvil members

The group has targeted 50 businesses from English speaking countries since April 2022. ...

APAC companies are failing to build successful digital models: Forrester

Approximately 61% of APAC organizations have failed to build robust and successful digital business business models, primarily due to unsound practices of enterprise architecture...

Want to stay up to date with the latest news?

We would love to hear from you! Please fill in your details and we will stay in touch. It's that simple!