Friday, March 29, 2024

Chinese Threat Actor Targeting Ukraine Since the Russian Invasion

For the first time since Russia invaded Ukraine, the Computer Emergency Response Team (CERT-UA) of Ukraine has revealed recently that Chinese threat actors have publicly targeted their systems.

A custom backdoor known as HeaderTip has been linked to a Chinese-speaking threat actor named Scarab (aka UAC-0026), claimed by the cybersecurity analysts at cybersecurity firm SentinelOne.

Scarab has been tracking individuals worldwide since at least 2012. This includes American, Russian, and other targets. A prominent feature of Scieron is its use as a custom backdoor, which is thought to be the precursor to HeaderTip malware used in recent Ukrainian campaigns.

UAC-0026 (aka Scarab)

An alert from CERT-UA noted that a RAR file archive had been delivered:-

  • Про збереження відеоматеріалів з фіксацією злочинних дій армії російської федерації.rar

The above malicious archive contains an executable file with a lure document that drops the following DLL file and batch file:-

  • DLL file “officecleaner.dat”
  • Batch file “officecleaner”

A similar attack was spotted in September 2020, which CERT-UA named the malicious DLL ‘HeaderTip.’ While the Chinese threat actors have not previously targeted Ukraine publicly until the UAC-0026 activity.

Lure Documents

A Scarab campaign in September 2020 used lure documents titled “OSCE-wide Counter-Terrorism Conference 2020” in order to target Philippines nationals. And the OSCE stands for Organization for Security and Co-operation in Europe.

Reports from CERT-UA linked to a document disguised as a letter from Ukraine’s National Police, which concerned preserving video evidence of Russian military crimes.

Documents obtained through campaigns use Windows operating system and Chinese language settings, and metadata indicates what the original creator used. In addition, the system has been configured with the user name “用户” (user).

HeaderTip

The malware has been loaded onto target systems using multiple methods. Loader executables contain PDF, batch installers, and HeaderTip malware, which are accessed via resource data.

As a first stage, the malware appears to be designed to deliver a second-stage payload that is more sophisticated and featured a Russian invasion-linked theme.

By using a batch file, HeaderTip DLL is defined, persistence is set under HKCU/Software/Microsoft/Windows/CurrentVersion/Run, and then HeaderTip is executed.

Several geopolitical intelligence agencies may be using Scarab for their purposes and the recent analysis claims that during the US withdrawal from Afghanistan this group has been observed targeting European diplomats.

Researchers noticed that various operating systems using Chinese language settings were used by the employed lure documents in various Scarab campaigns.

The HeaderTip malware is mainly written in C++, and it’s designed as a 32-bit DLL file that in total weighs around 9.7 KB in size. To fetch subsequent modules from a remote server the HeaderTip malware acts as a first-stage package, whose functionality is limited.

Moreover, the Senior Threat Researcher with SentinelOne, Tom Hegel stated:-

“Based on known targets since 2020, including those against Ukraine in March 2022, in addition to specific language use, we assess with moderate confidence that Scarab is Chinese speaking and operating under geopolitical intelligence collection purposes.”

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Website

Latest articles

IT and security Leaders Feel Ill-Equipped to Handle Emerging Threats: New Survey

A comprehensive survey conducted by Keeper Security, in partnership with TrendCandy Research, has shed...

How to Analyse .NET Malware? – Reverse Engineering Snake Keylogger

Utilizing sandbox analysis for behavioral, network, and process examination provides a foundation for reverse...

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles