Pulse Detail — Threat Intelligence

PULSE NAME

Scarabs colon-izing vulnerable servers

WHITE AlienVault 2023-08-23 Modified: 2023-09-22

IOCs

MEDIUM VOLUME

ESET researchers have identified the operators of Spacecolon, a toolset used to deploy variants of the Scarab ransomware, and its operators, in a blogpost published on 22 August 2023.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1003 T1016 T1036 T1041 T1053 T1059 T1070 T1071 T1078 T1082 T1090 T1095 T1110 T1115 T1124 T1132 T1133 T1136 T1140 T1190 T1218 T1485 T1486 T1529 T1543 T1547 T1560 T1561 T1571 T1583 T1587 T1595 T1566 T1106 T1573 T1027 T1562 T1127 T1553 T1105 T1490

MALWARE FAMILIES

Scarab SpaceColon CosmicBeetle

Indicators of Compromise (31)

All BitcoinAddress FileHash-MD5 FileHash-SHA1 FileHash-SHA256 domain hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
BitcoinAddress	1HtkNb73kvUTz4KcHzztasbZVonWTYRfVx	—	2023-08-23
FileHash-MD5	bc4b9d0dd359b09918b6c1095823a75b	MD5 of 40b8af12ea6f89db6ed635037f468aadee7f4ca6	2023-08-23
FileHash-MD5	cd04b5fcdc9e18243fdd378c25be5057	MD5 of 8f1374d4d6cc2899da1251de0325a7095e719edc	2023-08-23
FileHash-MD5	d3cca15da7805acb813d4f1556e85f58	MD5 of 6700afb03934b01b0b2a9885799322307e3299d5	2023-08-23
FileHash-SHA1	0a2fa26d6eab6e9b74ad54d37c82dee83e80bdd7	—	2023-08-23
FileHash-SHA1	1cb9320c010065e18881f0aaa0b72fc7c5f85956	—	2023-08-23
FileHash-SHA1	2e4a85269ba1fdba74a49b0df3397d6e4397db78	—	2023-08-23
FileHash-SHA1	40b8af12ea6f89db6ed635037f468aadee7f4ca6	—	2023-08-23
FileHash-SHA1	4b07391434332e4f8faadf61f288e48389bcea08	—	2023-08-23
FileHash-SHA1	6700afb03934b01b0b2a9885799322307e3299d5	—	2023-08-23
FileHash-SHA1	7aa1a41f561993c4cca9361f9baef2b00e31c05d	—	2023-08-23
FileHash-SHA1	7bc7eeaaf635a45bc2056c468c4c42cc4c7b8f05	—	2023-08-23
FileHash-SHA1	8f1374d4d6cc2899da1251de0325a7095e719edc	—	2023-08-23
FileHash-SHA1	95931de0aa6d96568acebc11e551e8e1305bf003	—	2023-08-23
FileHash-SHA1	b916535362e2b691c6aef76021944b4a23dde190	—	2023-08-23
FileHash-SHA1	b9cf8b18a84655d0e8ef1bb14c60763cefff9686	—	2023-08-23
FileHash-SHA1	e2eaa1ee0b51caf803ceedd7d3452577b6fe7a8d	—	2023-08-23
FileHash-SHA1	ef911db066866fe2734038a35a3b298359edabce	—	2023-08-23
FileHash-SHA256	86070a98e77b5209370b71dce0160f05a3b18ab106fc9073529869053bfe41f1	SHA256 of 6700afb03934b01b0b2a9885799322307e3299d5	2023-08-23
FileHash-SHA256	de10011cb01de822d1ddbb069b04bc98a1ce081931f58c7e57bbd148b2356c78	SHA256 of 8f1374d4d6cc2899da1251de0325a7095e719edc	2023-08-23
FileHash-SHA256	f8890477e760cdb8f4a4fdbf8e8b5b1a224bc87046875b9ee17a9fcb93d2f118	SHA256 of 40b8af12ea6f89db6ed635037f468aadee7f4ca6	2023-08-23
domain	akamaicdnup.com	—	2023-08-23
domain	cdnupdate.net	—	2023-08-23
hostname	b.688.org	—	2023-08-23
hostname	ss.688.org	—	2023-08-23
hostname	sys.688.org	—	2023-08-23
hostname	u.cbu.net	—	2023-08-23
hostname	u.piii.net	—	2023-08-23
hostname	up.awiki.org	—	2023-08-23
hostname	update.cbu.net	—	2023-08-23
hostname	update.inet2.org	—	2023-08-23

References (1)

↗ https://www.welivesecurity.com/en/eset-research/scarabs-colon-izing-vulnerable-servers/