Spacecolon

Malware updated 2 months ago (2024-11-29T13:57:34.095Z)
Spacecolon is malware developed by CosmicBeetle, with origins traced back to May 2020. The latest build of Spacecolon was compiled in May 2023, indicating that it continues to evolve and pose a threat. The malware consists of three main components, ScHackTool, ScInstaller, and ScService, all written in Delphi. It also relies heavily on a variety of third-party tools, both legitimate and malicious, which are made available on demand. Notably, several builds of Spacecolon contain Turkish strings, suggesting the involvement of a Turkish-speaking developer.

In August 2023, ESET security researcher Jakub Souček released a detailed technical report highlighting the use of the Spacecolon toolkit in a cyber campaign targeting global organizations, particularly anti-torture groups. This campaign employs the toolkit to spread various variants of the Scarab ransomware. However, not every user of Spacecolon utilizes its downloader and installer to deploy the backdoor. Based on similar Turkish strings in the code, usage of the IPWorks library, and overall GUI similarity, ESET suggests that the developers of Spacecolon and the new ransomware are likely the same entity.

ESET has identified that Spacecolon targets web servers and publicly exposed Remote Desktop Protocol (RDP) systems. John A. Smith, CEO at Conversant Group, stated that these methods of attack would not be possible if the targeted systems were not directly exposed to the internet. Furthermore, researchers believe that the majority of victims have devices running FortiOS in their environment, as components of Spacecolon reference the string "Forti" in their code. The Turkish strings in Spacecolon's code point to a Turkish-speaking developer, but that does not necessarily imply a Turkish origin for the attacks.
Description last updated: 2024-10-17T12:21:51.337Z
Aliases We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Backdoor
Source Document References
Information about the Spacecolon Malware was read from the documents corpus below.