Thursday, March 28, 2024

Chinese Threat Actor Targeting Ukraine Since the Russian Invasion

For the first time since Russia invaded Ukraine, the Computer Emergency Response Team (CERT-UA) of Ukraine has revealed recently that Chinese threat actors have publicly targeted their systems.

A custom backdoor known as HeaderTip has been linked to a Chinese-speaking threat actor named Scarab (aka UAC-0026), claimed by the cybersecurity analysts at cybersecurity firm SentinelOne.

Scarab has been tracking individuals worldwide since at least 2012. This includes American, Russian, and other targets. A prominent feature of Scieron is its use as a custom backdoor, which is thought to be the precursor to HeaderTip malware used in recent Ukrainian campaigns.

UAC-0026 (aka Scarab)

An alert from CERT-UA noted that a RAR file archive had been delivered:-

  • Про збереження відеоматеріалів з фіксацією злочинних дій армії російської федерації.rar

The above malicious archive contains an executable file with a lure document that drops the following DLL file and batch file:-

  • DLL file “officecleaner.dat”
  • Batch file “officecleaner”

A similar attack was spotted in September 2020, which CERT-UA named the malicious DLL ‘HeaderTip.’ While the Chinese threat actors have not previously targeted Ukraine publicly until the UAC-0026 activity.

Lure Documents

A Scarab campaign in September 2020 used lure documents titled “OSCE-wide Counter-Terrorism Conference 2020” in order to target Philippines nationals. And the OSCE stands for Organization for Security and Co-operation in Europe.

Reports from CERT-UA linked to a document disguised as a letter from Ukraine’s National Police, which concerned preserving video evidence of Russian military crimes.

Documents obtained through campaigns use Windows operating system and Chinese language settings, and metadata indicates what the original creator used. In addition, the system has been configured with the user name “用户” (user).

HeaderTip

The malware has been loaded onto target systems using multiple methods. Loader executables contain PDF, batch installers, and HeaderTip malware, which are accessed via resource data.

As a first stage, the malware appears to be designed to deliver a second-stage payload that is more sophisticated and featured a Russian invasion-linked theme.

By using a batch file, HeaderTip DLL is defined, persistence is set under HKCU/Software/Microsoft/Windows/CurrentVersion/Run, and then HeaderTip is executed.

Several geopolitical intelligence agencies may be using Scarab for their purposes and the recent analysis claims that during the US withdrawal from Afghanistan this group has been observed targeting European diplomats.

Researchers noticed that various operating systems using Chinese language settings were used by the employed lure documents in various Scarab campaigns.

The HeaderTip malware is mainly written in C++, and it’s designed as a 32-bit DLL file that in total weighs around 9.7 KB in size. To fetch subsequent modules from a remote server the HeaderTip malware acts as a first-stage package, whose functionality is limited.

Moreover, the Senior Threat Researcher with SentinelOne, Tom Hegel stated:-

“Based on known targets since 2020, including those against Ukraine in March 2022, in addition to specific language use, we assess with moderate confidence that Scarab is Chinese speaking and operating under geopolitical intelligence collection purposes.”

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Website

Latest articles

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...

Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

A critical vulnerability in Ray, an open-source AI framework that is widely utilized across...

Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles