The threat actor known as ‘Space Pirates’ has been linked to a malicious campaign targeting Russian IT organisations with previously undocumented malware called LuckyStrike Agent.
The activity was detected in Nov. 2024 by Solar, the cybersecurity arm of Russian state-owned telecom company Rostelecom, which is tracking the activity under the name ‘Erudite Mogwai.’
Deed RAT
The attacks are also characterised by the use of other tools such as Deed RAT, also called ShadowPad Light, and a customised version of a proxy utility named Stowaway, which has previously been used by other China-linked hacking groups.
“Erudite Mogwai is one of the active APT groups specialising in the theft of confidential information and espionage,” Solar researchers said. “Since at least 2017, the group has been attacking government agencies, IT departments of various organisations, as well as enterprises related to high-tech industries such as aerospace and electric power.”
Webworm
The threat actor was first publicly documented by Positive Technologies in 2022, which detailed its exclusive use of the Deed RAT malware. The group is believed to share tactical overlaps with another hacking group called Webworm, and is known to target organisations in Russia, Georgia, and Mongolia.
In one of the attacks targeting a government sector customer, Solar discovered the attacker deploying various tools to facilitate reconnaissance, while also dropping LuckyStrike Agent, a multi-functional .NET backdoor that uses Microsoft OneDrive for command-and-control (C2).
Monitoring
“The attackers gained access to the infrastructure by compromising a publicly accessible web service no later than March 2023, and then began looking for ‘low-hanging fruit’ in the infrastructure,” Solar explained.
“Over the course of 19 months, the attackers slowly spread across the customer’s systems until they reached the network segments connected to monitoring in Nov. 2024.”
Notable is the use of a modified version of Stowaway that has been trimmed to retain only its proxy functionality, with LZ4 as the compression algorithm, XXTEA as the encryption algorithm, and added support for the QUIC transport protocol.
Minor Edits
“Erudite Mogwai began their journey in modifying this utility by cutting down the functionality they didn’t need,” Solar commented.
“They continued with minor edits, such as renaming functions and changing the sizes of structures (probably to knock down existing detection signatures). At the moment, the version of Stowaway used by this group can be called a full-fledged fork.”