Space Pirates Targets Russian IT Firms With New LuckyStrike Agent Malware

Avatar
The threat actor known as Space Pirates has been linked to a malicious campaign targeting Russian information technology (IT) organizations with a previously undocumented malware called LuckyStrike Agent. The activity was detected in November 2024 by Solar, the cybersecurity arm of Russian state-owned telecom company Rostelecom. It’s tracking the activity under the name Erudite Mogwai. The

The threat actor known as Space Pirates has been linked to a malicious campaign targeting Russian information technology (IT) organizations with a previously undocumented malware called LuckyStrike Agent.

The activity was detected in November 2024 by Solar, the cybersecurity arm of Russian state-owned telecom company Rostelecom. It’s tracking the activity under the name Erudite Mogwai.

The attacks are also characterized by the use of other tools like Deed RAT, also called ShadowPad Light, and a customized version of proxy utility named Stowaway, which has been previously used by other China-linked hacking groups.

“Erudite Mogwai is one of the active APT groups specializing in the theft of confidential information and espionage,” Solar researchers said. “Since at least 2017, the group has been attacking government agencies, IT departments of various organizations, as well as enterprises related to high-tech industries such as aerospace and electric power.”

The threat actor was first publicly documented by Positive Technologies in 2022, detailing its exclusive use of the Deed RAT malware. The group is believed to share tactical overlaps with another hacking group called Webworm. It’s known to target organizations in Russia, Georgia, and Mongolia.

In one of the attacks targeting a government sector customer, Solar said it discovered the attacker deploying various tools to facilitate reconnaissance, while also dropping LuckyStrike Agent, a multi-functional .NET backdoor that uses Microsoft OneDrive for command-and-control (C2).

“The attackers gained access to the infrastructure by compromising a publicly accessible web service no later than March 2023, and then began looking for ‘low-hanging fruit’ in the infrastructure,” Solar said. “Over the course of 19 months, the attackers slowly spread across the customer’s systems until they reached the network segments connected to monitoring in November 2024.”

Also noteworthy is the use of a modified version of Stowaway to retain only its proxy functionality, alongside using LZ4 as a compression algorithm, incorporating XXTEA as an encryption algorithm, and adding support for the QUIC transport protocol.

“Erudite Mogwai began their journey in modifying this utility by cutting down the functionality they didn’t need,” Solar said. “They continued with minor edits, such as renaming functions and changing the sizes of structures (probably to knock down existing detection signatures). At the moment, the version of Stowaway used by this group can be called a full-fledged fork.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Previous Post

89% of Enterprise GenAI Usage Is Invisible to Organizations Exposing Critical Security Risks, New Report Reveals

Next Post

Silver Fox APT Uses Winos 4.0 Malware in Cyber Attacks Against Taiwanese Organizations

Related Posts

BeyondTrust Zero-Day Breach Exposed 17 SaaS Customers via Compromised API Key

BeyondTrust has revealed it completed an investigation into a recent cybersecurity incident that targeted some of the company's Remote Support SaaS instances by making use of a compromised API key. The company said the breach involved 17 Remote Support SaaS customers and that the API key was used to enable unauthorized access by resetting local application passwords. The breach was first flagged
Avatar
Read More

Over 1,500 PostgreSQL Servers Compromised in Fileless Cryptocurrency Mining Campaign

Exposed PostgreSQL instances are the target of an ongoing campaign designed to gain unauthorized access and deploy cryptocurrency miners. Cloud security firm Wiz said the activity is a variant of an intrusion set that was first flagged by Aqua Security in August 2024 that involved the use of a malware strain dubbed PG_MEM. The campaign has been attributed to a threat actor Wiz tracks as
Avatar
Read More