Saturday, January 25, 2025
HomeCyber AttackChinese Threat Actor Targeting Ukraine Since the Russian Invasion

Chinese Threat Actor Targeting Ukraine Since the Russian Invasion

Published on

SIEM as a Service

Follow Us on Google News

For the first time since Russia invaded Ukraine, the Computer Emergency Response Team (CERT-UA) of Ukraine has revealed recently that Chinese threat actors have publicly targeted their systems.

A custom backdoor known as HeaderTip has been linked to a Chinese-speaking threat actor named Scarab (aka UAC-0026), claimed by the cybersecurity analysts at cybersecurity firm SentinelOne.

Scarab has been tracking individuals worldwide since at least 2012. This includes American, Russian, and other targets. A prominent feature of Scieron is its use as a custom backdoor, which is thought to be the precursor to HeaderTip malware used in recent Ukrainian campaigns.

UAC-0026 (aka Scarab)

An alert from CERT-UA noted that a RAR file archive had been delivered:-

  • Про збереження відеоматеріалів з фіксацією злочинних дій армії російської федерації.rar

The above malicious archive contains an executable file with a lure document that drops the following DLL file and batch file:-

  • DLL file “officecleaner.dat”
  • Batch file “officecleaner”

A similar attack was spotted in September 2020, which CERT-UA named the malicious DLL ‘HeaderTip.’ While the Chinese threat actors have not previously targeted Ukraine publicly until the UAC-0026 activity.

Lure Documents

A Scarab campaign in September 2020 used lure documents titled “OSCE-wide Counter-Terrorism Conference 2020” in order to target Philippines nationals. And the OSCE stands for Organization for Security and Co-operation in Europe.

Reports from CERT-UA linked to a document disguised as a letter from Ukraine’s National Police, which concerned preserving video evidence of Russian military crimes.

Documents obtained through campaigns use Windows operating system and Chinese language settings, and metadata indicates what the original creator used. In addition, the system has been configured with the user name “用户” (user).

HeaderTip

The malware has been loaded onto target systems using multiple methods. Loader executables contain PDF, batch installers, and HeaderTip malware, which are accessed via resource data.

As a first stage, the malware appears to be designed to deliver a second-stage payload that is more sophisticated and featured a Russian invasion-linked theme.

By using a batch file, HeaderTip DLL is defined, persistence is set under HKCU/Software/Microsoft/Windows/CurrentVersion/Run, and then HeaderTip is executed.

Several geopolitical intelligence agencies may be using Scarab for their purposes and the recent analysis claims that during the US withdrawal from Afghanistan this group has been observed targeting European diplomats.

Researchers noticed that various operating systems using Chinese language settings were used by the employed lure documents in various Scarab campaigns.

The HeaderTip malware is mainly written in C++, and it’s designed as a 32-bit DLL file that in total weighs around 9.7 KB in size. To fetch subsequent modules from a remote server the HeaderTip malware acts as a first-stage package, whose functionality is limited.

Moreover, the Senior Threat Researcher with SentinelOne, Tom Hegel stated:-

“Based on known targets since 2020, including those against Ukraine in March 2022, in addition to specific language use, we assess with moderate confidence that Scarab is Chinese speaking and operating under geopolitical intelligence collection purposes.”

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Subaru’s STARLINK Connected Car’s Vulnerability Let Attackers Gain Restricted Access

In a groundbreaking discovery on November 20, 2024, cybersecurity researchers Shubham Shah and a...

Android Kiosk Tablets Vulnerability Let Attackers Control AC & Lights

A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...

Juniper Routers Exploited via Magic Packet Vulnerability to Deploy Custom Backdoor

A sophisticated cyber campaign dubbed "J-magic" has been discovered targeting enterprise-grade Juniper routers with...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Android Kiosk Tablets Vulnerability Let Attackers Control AC & Lights

A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...

KEYPLUG Infrastructure Exposed: Server Configurations and TLS Certificates Revealed

In a recent technical investigation, researchers uncovered critical insights into the infrastructure linked to...