Full Report
The threat actor known as Space Pirates has been linked to a malicious campaign targeting Russian information technology (IT) organizations with a previously undocumented malware called LuckyStrike Agent. The activity was detected in November 2024 by Solar, the cybersecurity arm of Russian state-owned telecom company Rostelecom. It's tracking the activity under the name Erudite Mogwai. The
Analysis Summary
# Threat Actor: Space Pirates (Tracked as Erudite Mogwai)
## Attribution & Identity
**Threat Actor Name:** Space Pirates
**Attribution tracking name (by Solar/Rostelecom):** Erudite Mogwai
**Known Aliases/Associations:** Believed to share tactical overlaps with the hacking group Webworm.
## Activity Summary
The threat actor known as Space Pirates (Erudite Mogwai) is an active Advanced Persistent Threat (APT) group specializing in the theft of confidential information and espionage.
**Historical Activities:** Active since at least 2017, attacking government agencies, IT departments, and high-tech enterprises (aerospace, electric power). They were first publicly documented by Positive Technologies in 2022.
**Recent Campaign (Detected Nov 2024):** Targeting Russian information technology (IT) organizations with a previously undocumented malware, **LuckyStrike Agent**. In the intrusion Solar investigated, initial access occurred no later than March 2023 through a compromised publicly accessible web service; the attackers then moved through the network slowly for roughly 19 months before being detected in November 2024.
## Tactics, Techniques & Procedures
**Initial Access:** Compromising publicly accessible web services.
**Persistence/Internal Movement:** Slow, deliberate spread across infrastructure over months.
**Malware Usage:**
- Deployment of **LuckyStrike Agent** (a multi-functional .NET backdoor).
- Use of **Deed RAT** (also known as ShadowPad Light).
- Use of a customized proxy utility called **Stowaway**.
**Stowaway Modifications:** The group uses a dedicated fork of Stowaway that retains only its proxy functionality. Modifications include:
- Renaming functions and changing structure sizes (likely to break signatures written for the stock tool).
- Incorporating LZ4 as a compression algorithm.
- Incorporating XXTEA as an encryption algorithm.
- Adding support for the QUIC transport protocol.
**C2 Mechanism:** LuckyStrike Agent uses Microsoft OneDrive for command-and-control (C2).
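The report names XXTEA as the cipher added to the Stowaway fork but gives no key material or frame layout. The following reference implementation of XXTEA (Corrected Block TEA) is an added example, not the fork's code: the key, the little-endian word order and the length-prefix framing are assumptions made for the demonstration. What it does show is what an analyst looks for when confirming XXTEA in a binary: the golden-ratio constant 0x9E3779B9 and the characteristic MX mixing expression, which appear in every implementation regardless of renamed functions.

```python
"""Reference XXTEA (Corrected Block TEA) in pure Python.  Added example: this is
not the Stowaway fork's code.  The key, little-endian word order and the
length-prefix framing below are assumptions for the demonstration; the fork's
actual key handling and framing are not described in the report."""

DELTA = 0x9E3779B9   # golden-ratio constant shared by the TEA family; a binary fingerprint
MASK = 0xFFFFFFFF


def _mx(total, y, z, p, e, key):
    """The XXTEA mixing function; every word update adds or subtracts one of these."""
    return ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4)))
            ^ ((total ^ y) + (key[(p & 3) ^ e] ^ z))) & MASK


def encrypt_words(v, key):
    """Encrypt a list of n >= 2 32-bit words in place with a 4-word key."""
    n = len(v)
    rounds = 6 + 52 // n
    total = 0
    z = v[n - 1]
    for _ in range(rounds):
        total = (total + DELTA) & MASK
        e = (total >> 2) & 3
        for p in range(n - 1):
            y = v[p + 1]
            v[p] = (v[p] + _mx(total, y, z, p, e, key)) & MASK
            z = v[p]
        y = v[0]
        v[n - 1] = (v[n - 1] + _mx(total, y, z, n - 1, e, key)) & MASK
        z = v[n - 1]
    return v


def decrypt_words(v, key):
    """Inverse of encrypt_words: the same schedule walked backwards."""
    n = len(v)
    rounds = 6 + 52 // n
    total = (rounds * DELTA) & MASK
    y = v[0]
    for _ in range(rounds):
        e = (total >> 2) & 3
        for p in range(n - 1, 0, -1):
            z = v[p - 1]
            v[p] = (v[p] - _mx(total, y, z, p, e, key)) & MASK
            y = v[p]
        z = v[n - 1]
        v[0] = (v[0] - _mx(total, y, z, 0, e, key)) & MASK
        y = v[0]
        total = (total - DELTA) & MASK
    return v


def _words(data):
    return [int.from_bytes(data[i:i + 4], "little") for i in range(0, len(data), 4)]


def _bytes(words):
    return b"".join(w.to_bytes(4, "little") for w in words)


def xxtea_encrypt(plaintext, key):
    """Assumed framing: 4-byte little-endian length, then data, zero-padded to
    a whole number of words and to the 2-word minimum XXTEA requires."""
    if len(key) != 16:
        raise ValueError("XXTEA uses a 128-bit key")
    buf = len(plaintext).to_bytes(4, "little") + plaintext
    pad = (-len(buf)) % 4
    if len(buf) + pad < 8:
        pad += 4
    buf += b"\x00" * pad
    return _bytes(encrypt_words(_words(buf), _words(key)))


def xxtea_decrypt(ciphertext, key):
    """Decrypt and strip the assumed framing; a length word larger than the
    buffer means a wrong key or a different framing than assumed here."""
    if len(key) != 16 or len(ciphertext) % 4 or len(ciphertext) < 8:
        raise ValueError("bad key or ciphertext length")
    buf = _bytes(decrypt_words(_words(ciphertext), _words(key)))
    n = int.from_bytes(buf[:4], "little")
    if n > len(buf) - 4:
        raise ValueError("length word out of range: wrong key or framing")
    return buf[4:4 + n]


if __name__ == "__main__":
    k = bytes(range(16))                        # constructed key for the demo
    ct = xxtea_encrypt(b"constructed proxy frame", k)
    print(ct.hex(), xxtea_decrypt(ct, k))
```

When reversing a sample, recovering the key and the framing (length prefix or not, word order, whether LZ4 is applied before or after the cipher) is the actual work; the algorithm itself is the easy part once the constant and MX shape are spotted.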
## Targeting
- **Sectors:** Information Technology (IT), Government agencies, High-tech industries (Aerospace, Electric Power).
- **Geography:** Russia, Georgia, and Mongolia.
- **Victims:** Russian IT firms; one noted campaign targeted a government sector customer.
## Tools & Infrastructure
- **Malware Families Used:** LuckyStrike Agent, Deed RAT (ShadowPad Light).
- **Infrastructure:** Customized proxy utility (Stowaway fork). Command-and-Control leverages **Microsoft OneDrive** for the LuckyStrike Agent backdoor.
## Implications
Space Pirates/Erudite Mogwai demonstrates patience and stealth, maintaining access for nearly two years (March 2023 to November 2024) while slowly moving through a network segment connected to monitoring systems. Their focus on IT firms points to espionage and possible supply-chain objectives, since an IT provider's access can be reused against its customers. Using Microsoft OneDrive for C2 blends the backdoor's traffic into legitimate Microsoft cloud usage, which defeats monitoring tuned only to traditional C2 patterns (unusual domains, raw sockets, self-hosted servers).
## Mitigations
- Monitor for slow lateral movement across the enterprise network, especially after a public-facing service has been compromised. A 19-month dwell time means detection has to rely on anomalies observed over long windows (hosts reaching segments they never touched before, new privileged logons, new service accounts) rather than on bursts of activity.
- Baseline which hosts legitimately use Microsoft OneDrive/Graph endpoints and alert on new or server-class hosts reaching them and on fixed-interval, low-volume request patterns. Outright blocking is rarely an option, because the same service carries legitimate business traffic.
- Do not rely on signatures for stock Stowaway: the fork renames functions and changes structure sizes, so favour behavioural detection of proxy activity. Its added QUIC support also moves the tunnel onto UDP, where TCP-only inspection will not see it.
- Harden, patch and monitor publicly accessible web services, which were the initial access vector identified in this campaign.
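The OneDrive C2 mechanism described under Tactics and the outbound-traffic mitigation above share one detection problem: the destination is legitimate, so the signal has to come from who is talking to it and how regularly. The script below is an added example (not from Solar's report or from either malware family) that runs that heuristic over constructed proxy log lines. The log format, host names, baseline set, Graph API paths and thresholds are all assumptions for the demonstration; none of the paths are indicators from the report.

```python
"""Flag hosts whose OneDrive/Graph traffic looks like a C2 beacon rather than
ordinary user sync.  Added example: log format, host names, paths, baseline
and thresholds are constructed for illustration, not taken from the report."""
import re
from datetime import datetime
from statistics import mean, pstdev

# Domains a OneDrive-backed channel has to reach (assumed list; extend per tenant).
ONEDRIVE_DOMAINS = {"graph.microsoft.com", "api.onedrive.com", "onedrive.live.com"}

# Hosts where interactive OneDrive use is expected (constructed; normally built from history).
BASELINE_HOSTS = {"ws-fin-12"}

# Constructed proxy log: "<iso-timestamp> <src-host> <dst-domain> <path> <status> <bytes>"
SAMPLE_LOG = """\
2024-11-05T09:12:41 ws-fin-12 graph.microsoft.com /v1.0/me/drive/root/children 200 18422
2024-11-05T09:13:02 ws-fin-12 graph.microsoft.com /v1.0/me/drive/items/ABC/content 200 912344
2024-11-05T09:47:10 ws-fin-12 graph.microsoft.com /v1.0/me/drive/root/children 200 17901
2024-11-05T10:00:00 srv-mon-03 graph.microsoft.com /v1.0/me/drive/root:/sync/in:/children 200 1402
2024-11-05T10:01:13 ws-hr-07 onedrive.live.com /download.aspx 200 48212
2024-11-05T10:02:30 srv-mon-03 update.microsoft.com /v11/3/windowsupdate/ 200 5120
2024-11-05T10:05:01 srv-mon-03 graph.microsoft.com /v1.0/me/drive/root:/sync/in:/children 200 1398
2024-11-05T10:09:59 srv-mon-03 graph.microsoft.com /v1.0/me/drive/root:/sync/in:/children 200 1401
2024-11-05T10:15:00 srv-mon-03 graph.microsoft.com /v1.0/me/drive/root:/sync/in:/children 200 1404
2024-11-05T10:20:02 srv-mon-03 graph.microsoft.com /v1.0/me/drive/root:/sync/in:/children 200 1399
2024-11-05T10:25:00 srv-mon-03 graph.microsoft.com /v1.0/me/drive/root:/sync/in:/children 200 1397
2024-11-05T11:03:55 ws-fin-12 graph.microsoft.com /v1.0/me/drive/root/children 200 18120
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, dst, path, status, size = m.groups()
        records.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                        "path": path, "status": int(status), "bytes": int(size)})
    return records


def interval_cv(times):
    """Coefficient of variation of the gaps between requests; near 0 means a
    fixed beacon period.  None when fewer than three requests exist."""
    if len(times) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else None


def find_onedrive_beacons(log_text, baseline=BASELINE_HOSTS, min_hits=4, max_cv=0.1):
    """Return {host: finding} for hosts outside the baseline that reach OneDrive
    endpoints at least min_hits times; a near-constant interval is added as a reason."""
    per_host = {}
    for r in parse_log(log_text):
        if r["dst"] in ONEDRIVE_DOMAINS:
            per_host.setdefault(r["src"], []).append(r["ts"])
    findings = {}
    for host, times in per_host.items():
        if host in baseline or len(times) < min_hits:
            continue
        times.sort()
        cv = interval_cv(times)
        reasons = ["host has no history of OneDrive use"]
        if cv is not None and cv <= max_cv:
            reasons.append(f"regular interval (cv={cv:.3f}), beacon-like")
        findings[host] = {"hits": len(times), "interval_cv": cv, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for host, f in find_onedrive_beacons(SAMPLE_LOG).items():
        print(host, f["hits"], "; ".join(f["reasons"]))
```

In the sample, the finance workstation is noisy but baselined and irregular, so it is ignored; the monitoring server outside the baseline polls the same Graph path every five minutes with a few seconds of jitter and is the only host reported. Real deployments would build the baseline from weeks of history and add the small, near-constant response sizes as a third signal.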