
The threat actor known as Space Pirates has been linked to a malicious campaign targeting Russian information technology (IT) organizations with a previously undocumented malware called LuckyStrike Agent.
The activity was detected in November 2024 by Solar, the cybersecurity arm of the Russian state-owned telecommunications company Rostelecom, which is tracking it under the name Erudite Mogwai.
The attacks are also characterized by the use of other tools such as Deed RAT, also known as ShadowPad Light, and a customized version of a proxy utility named Stowaway that has previously been used by other China-linked hacking groups.

“Erudite Mogwai is one of the active APT groups specializing in the theft of confidential information and espionage,” Solar researchers said. “Since at least 2017, the group has attacked government agencies, the IT departments of various organizations, and companies related to high-tech industries such as aerospace and electric power.”
The threat actor was first documented by Positive Technologies in 2022, detailing its exclusive use of the Deed RAT malware. The group is believed to share tactical overlaps with another hacking group called Webworm. It is known to target organizations in Russia, Georgia, and Mongolia.
In one of the attacks targeting a customer in the government sector, Solar said the attackers were observed deploying various tools to facilitate reconnaissance, while also dropping LuckyStrike Agent, a multi-functional .NET backdoor that uses Microsoft OneDrive for command-and-control (C2).
“The attackers gained access to the infrastructure in March 2023 by compromising a publicly accessible web service, and began looking for ‘low-hanging fruit’ in the infrastructure,” Solar said. “Over 19 months, the attackers slowly spread through the customer’s systems until they reached a network segment connected to monitoring in November 2024.”

Also noteworthy are the modifications made to Stowaway: the fork strips the tool down to its proxy functionality, adds LZ4 as a compression algorithm and XXTEA as an encryption algorithm, and adds support for the QUIC transport protocol.
“Erudite Mogwai started its journey in modifying this utility by cutting out the functionality it did not need,” Solar said. “They continued with minor edits, such as renaming functions and changing the sizes of structures (probably to knock down existing detection signatures). At this stage, the version of Stowaway used by this group can be called a full-fledged fork.”
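For readers who need to recognise or test the cipher named above, the following is a reference implementation of XXTEA (Corrected Block TEA, Wheeler and Needham) with a small byte-level wrapper. It is an added example written for this page, not code from Solar's report or from the Stowaway fork: the report only names XXTEA, so the key layout, little-endian word order, zero padding and trailing length word below are assumptions of this example, and the sample key and plaintext are constructed. What carries over to analysis is the algorithm itself: the constant 0x9E3779B9 and the shape of the MX mixing function are what an analyst looks for when identifying a TEA-family routine in a binary, and they survive the function renaming and structure resizing that Solar describes.

```python
"""Reference XXTEA with a simple byte-level wrapper (added example).
The core algorithm follows the published XXTEA specification; the framing
(word order, padding, length word) is an assumption of this example and is
NOT the format used by the Stowaway fork, which the report does not describe."""
import struct

DELTA = 0x9E3779B9  # TEA-family constant; a quick static indicator of TEA/XTEA/XXTEA code
MASK = 0xFFFFFFFF   # emulate uint32_t wrap-around


def _mx(sum_, y, z, p, e, key):
    """XXTEA mixing function MX, masked to 32 bits like the C reference."""
    return ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4)))
            ^ ((sum_ ^ y) + (key[(p & 3) ^ e] ^ z))) & MASK


def xxtea_encrypt_words(v, key):
    """Encrypt a list of n >= 2 uint32 words in place with a 4-word key. Returns v."""
    n = len(v)
    if n < 2 or len(key) != 4:
        raise ValueError("XXTEA needs at least 2 data words and exactly 4 key words")
    rounds = 6 + 52 // n  # fewer rounds as the block grows, per the specification
    sum_ = 0
    z = v[n - 1]
    for _ in range(rounds):
        sum_ = (sum_ + DELTA) & MASK
        e = (sum_ >> 2) & 3
        for p in range(n - 1):
            y = v[p + 1]
            v[p] = (v[p] + _mx(sum_, y, z, p, e, key)) & MASK
            z = v[p]
        y = v[0]
        v[n - 1] = (v[n - 1] + _mx(sum_, y, z, n - 1, e, key)) & MASK
        z = v[n - 1]
    return v


def xxtea_decrypt_words(v, key):
    """Inverse of xxtea_encrypt_words: same rounds, walked backwards."""
    n = len(v)
    if n < 2 or len(key) != 4:
        raise ValueError("XXTEA needs at least 2 data words and exactly 4 key words")
    rounds = 6 + 52 // n
    sum_ = (rounds * DELTA) & MASK
    y = v[0]
    for _ in range(rounds):
        e = (sum_ >> 2) & 3
        for p in range(n - 1, 0, -1):
            z = v[p - 1]
            v[p] = (v[p] - _mx(sum_, y, z, p, e, key)) & MASK
            y = v[p]
        z = v[n - 1]
        v[0] = (v[0] - _mx(sum_, y, z, 0, e, key)) & MASK
        y = v[0]
        sum_ = (sum_ - DELTA) & MASK
    return v


def _key_words(key16):
    """Assumption of this example: a raw 16-byte key read as 4 little-endian words."""
    if len(key16) != 16:
        raise ValueError("XXTEA key must be 16 bytes")
    return list(struct.unpack("<4I", key16))


def xxtea_encrypt_bytes(data, key16):
    """Assumed framing (not from the report): zero-pad to a 4-byte boundary,
    append the original length as the last word, encrypt the whole word array."""
    padded = data + b"\x00" * (-len(data) % 4)
    if not padded:
        padded = b"\x00" * 4  # keep n >= 2 once the length word is appended
    words = list(struct.unpack("<%dI" % (len(padded) // 4), padded)) + [len(data)]
    xxtea_encrypt_words(words, _key_words(key16))
    return struct.pack("<%dI" % len(words), *words)


def xxtea_decrypt_bytes(blob, key16):
    """Inverse of xxtea_encrypt_bytes. A wrong key turns the length word into
    random 32 bits, so an out-of-range length is rejected instead of returning garbage."""
    if len(blob) % 4 or len(blob) < 8:
        raise ValueError("ciphertext must be a whole number of words, at least 8 bytes")
    words = list(struct.unpack("<%dI" % (len(blob) // 4), blob))
    xxtea_decrypt_words(words, _key_words(key16))
    length = words[-1]
    body = struct.pack("<%dI" % (len(words) - 1), *words[:-1])
    if length > len(body):
        raise ValueError("bad length word: wrong key or corrupted data")
    return body[:length]


# Constructed sample input for the demonstration; not material from the campaign.
SAMPLE_KEY = bytes(range(16))
SAMPLE_PLAINTEXT = b"SOCKS5 relay hello"

if __name__ == "__main__":
    ct = xxtea_encrypt_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    print(ct.hex())
    print(xxtea_decrypt_bytes(ct, SAMPLE_KEY))
```

Note that XXTEA on its own gives no integrity protection: the length-word check above only catches a wrong key or gross corruption, not deliberate tampering. That is a property of the cipher the operators chose, not a recommendation to use it; for a defender the relevant use is identifying the routine in the sample and decrypting captured proxy traffic once the key material has been recovered from the binary or from memory.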