For the first time since Russia invaded Ukraine, the Computer Emergency Response Team (CERT-UA) of Ukraine has revealed recently that Chinese threat actors have publicly targeted their systems.
A custom backdoor known as HeaderTip has been linked to a Chinese-speaking threat actor named Scarab (aka UAC-0026), claimed by the cybersecurity analysts at cybersecurity firm SentinelOne.
Scarab has been tracking individuals worldwide since at least 2012. This includes American, Russian, and other targets. A prominent feature of Scieron is its use as a custom backdoor, which is thought to be the precursor to HeaderTip malware used in recent Ukrainian campaigns.
UAC-0026 (aka Scarab)
An alert from CERT-UA noted that a RAR file archive had been delivered:-
- Про збереження відеоматеріалів з фіксацією злочинних дій армії російської федерації.rar
The above malicious archive contains an executable file with a lure document that drops the following DLL file and batch file:-
- DLL file “officecleaner.dat”
- Batch file “officecleaner”
A similar attack was spotted in September 2020, which CERT-UA named the malicious DLL ‘HeaderTip.’ While the Chinese threat actors have not previously targeted Ukraine publicly until the UAC-0026 activity.
A Scarab campaign in September 2020 used lure documents titled “OSCE-wide Counter-Terrorism Conference 2020” in order to target Philippines nationals. And the OSCE stands for Organization for Security and Co-operation in Europe.
Reports from CERT-UA linked to a document disguised as a letter from Ukraine’s National Police, which concerned preserving video evidence of Russian military crimes.
Documents obtained through campaigns use Windows operating system and Chinese language settings, and metadata indicates what the original creator used. In addition, the system has been configured with the user name “用户” (user).
The malware has been loaded onto target systems using multiple methods. Loader executables contain PDF, batch installers, and HeaderTip malware, which are accessed via resource data.
As a first stage, the malware appears to be designed to deliver a second-stage payload that is more sophisticated and featured a Russian invasion-linked theme.
By using a batch file, HeaderTip DLL is defined, persistence is set under HKCU/Software/Microsoft/Windows/CurrentVersion/Run, and then HeaderTip is executed.
Several geopolitical intelligence agencies may be using Scarab for their purposes and the recent analysis claims that during the US withdrawal from Afghanistan this group has been observed targeting European diplomats.
Researchers noticed that various operating systems using Chinese language settings were used by the employed lure documents in various Scarab campaigns.
The HeaderTip malware is mainly written in C++, and it’s designed as a 32-bit DLL file that in total weighs around 9.7 KB in size. To fetch subsequent modules from a remote server the HeaderTip malware acts as a first-stage package, whose functionality is limited.
Moreover, the Senior Threat Researcher with SentinelOne, Tom Hegel stated:-
“Based on known targets since 2020, including those against Ukraine in March 2022, in addition to specific language use, we assess with moderate confidence that Scarab is Chinese speaking and operating under geopolitical intelligence collection purposes.”