CosmicBeetle is a financially motivated cybercrime group that ESET has identified and tracked since 2020, and its activity has been increasing. Its operations primarily target small and midsize businesses (SMBs) in sectors including manufacturing, pharmaceuticals, legal services, education, and healthcare. Rather than using zero-days, the group opportunistically exploits older, already-patched vulnerabilities in software these businesses commonly run, such as flaws in Veeam Backup & Replication and Microsoft Active Directory that let an unauthenticated attacker gain initial access or escalate privileges inside the targeted infrastructure. Turkey accounts for most of the victimized organizations, with significant numbers also in Spain, India, South Africa, and other countries.
In a bid to enhance its reputation, CosmicBeetle has started impersonating the well-known LockBit ransomware gang. This is part of a broader shift in the group's tactics, which now include deploying its own ScRansom ransomware and an affiliation with the ransomware-as-a-service operation RansomHub. These changes suggest that CosmicBeetle is expanding its operations and seeking to establish itself as a serious player in the cybercrime ecosystem. The group also uses ScHackTool to download additional tools onto compromised systems and run them as needed, giving the operators interactive control over each host rather than relying on a fully automated deployment.
Despite this expansion, CosmicBeetle makes little effort to conceal its malware and leaves many artifacts on compromised systems. The ransomware payload also drops a clipper, which monitors the system clipboard and replaces any cryptocurrency wallet address it finds with one under the attacker's control, further underlining the group's financial motive. At the same time, the rapid and unstable changes in ScRansom and the reliance on older, publicly known vulnerabilities suggest that CosmicBeetle's operations are still relatively immature. Consistent with that, it tends to target victims outside the EU and US, especially SMBs, where patch management is often less robust.
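The clipper behaviour described above, and one way a defender can hunt for it, as an added example that is not code from ESET's report or from the CosmicBeetle toolset: the `clipper_substitute` function models the attacker-side logic (match a wallet address, swap it for the attacker's), and `detect_substitution` runs a simple heuristic over a constructed clipboard-event timeline, flagging when one wallet address is replaced by a different address of the same kind within a short window, which is typical of a clipper and rare for a human. The regexes are simplified, the wallet addresses and events are constructed placeholders, and the two-second window is an assumed tuning value.

```python
import re
from datetime import datetime, timedelta

# Simplified address patterns (assumed): legacy/P2SH Bitcoin (base58), bech32 Bitcoin, Ethereum.
WALLET_PATTERNS = {
    "btc": re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})\b"),
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}

# Constructed placeholder addresses; not real victim or attacker wallets.
VICTIM_BTC = "1VictimAddressForPaymentXXXXXXXXXX"
VICTIM_ETH = "0x" + "12" * 20
ATTACKER_WALLETS = {
    "btc": "1AttackerWaLLetRedirectXXXXXXXXXX",
    "eth": "0x" + "ab" * 20,
}


def classify(text):
    """Return (kind, address) if the whole clipboard text is one wallet address, else None."""
    text = text.strip()
    for kind, pattern in WALLET_PATTERNS.items():
        if pattern.fullmatch(text):
            return kind, text
    return None


def clipper_substitute(clipboard_text):
    """Attacker-side logic (illustrative): rewrite every wallet address in the clipboard
    text to the attacker's address of the same kind; leave other text untouched."""
    for kind, pattern in WALLET_PATTERNS.items():
        clipboard_text = pattern.sub(ATTACKER_WALLETS[kind], clipboard_text)
    return clipboard_text


def detect_substitution(events, window=timedelta(seconds=2)):
    """Defender-side heuristic (assumed): given (timestamp, clipboard_text) events in order,
    flag a change from one wallet address to a different address of the same kind that
    happens within `window`. A clipper rewrites the clipboard right after the user copies."""
    alerts = []
    prev_ts, prev_hit = None, None
    for ts, text in events:
        hit = classify(text)
        if (hit and prev_hit and hit[0] == prev_hit[0] and hit[1] != prev_hit[1]
                and ts - prev_ts <= window):
            alerts.append({"time": ts, "kind": hit[0],
                           "original": prev_hit[1], "replaced_with": hit[1]})
        prev_ts, prev_hit = ts, hit
    return alerts


# Constructed clipboard timeline: one genuine copy that a clipper immediately rewrites,
# and two unrelated ETH addresses copied minutes apart (legitimate, must not alert).
T0 = datetime(2024, 9, 10, 9, 0, 0)
SAMPLE_EVENTS = [
    (T0, "meeting notes for Tuesday"),
    (T0 + timedelta(seconds=30), VICTIM_BTC),
    (T0 + timedelta(seconds=30, milliseconds=120), clipper_substitute(VICTIM_BTC)),
    (T0 + timedelta(minutes=5), VICTIM_ETH),
    (T0 + timedelta(minutes=9), "0x" + "cd" * 20),
]

if __name__ == "__main__":
    for alert in detect_substitution(SAMPLE_EVENTS):
        print(f"[{alert['time']}] {alert['kind']} address swapped: "
              f"{alert['original']} -> {alert['replaced_with']}")
```

On a live host the event list would come from a clipboard-monitoring agent or EDR telemetry; the heuristic is deliberately narrow (same address kind, different value, sub-second gap) to keep false positives low, and a pasted value that differs from what the user copied is the symptom to confirm manually.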
Description last updated: 2024-10-17T12:20:28.493Z