Chinese threat actor Scarab targets Ukraine, CERT-UA warns

Ukraine CERT (CERT-UA) released details about a campaign that SentinelLabs linked with the suspected Chinese threat actor tracked as Scarab.

Ukraine CERT (CERT-UA) published technical details about a malicious activity tracked as UAC-0026, which SentinelLabs associated with China-linked Scarab APT. Scarab APT was first spotted in 2015, but experts believe it has been active since at least 2012, conducting surgical attacks against a small number of individuals across the world, including Russia and the United States.

Scarab has conducted multiple cyberspionage campaigns over the years, it employed the custom backdoor Scieron and later the HeaderTip implant.

Experts pointed out that the UAC-0026 activity is the first public example of a Chinese threat actor targeting Ukraine since the beginning of the invasion.

The attacker spread their malware through phishing messages using weaponized documents that deploy the HeaderTip malware. The messages use a RAR-archive titled “On the preservation of video recordings of the criminal actions of the army of the Russian Federation.rar” which included an executable with the same name. The lure document employed in the campaign spotted by CERT-UA mimics the National Police of Ukraine.

“Running the executable file will create a lure document “# 2163_02_33-2022.pdf” (applies to a letter from the National Police of Ukraine), as well as a DLL file with the MZ header “officecleaner.dat” and the BAT file “officecleaner” removed. .bat “, which will ensure the formation of the correct DLL-file, run it and write to the Windows registry to ensure consistency.” reads the advisory published by CERT-UA. “The mentioned DLL-file is classified as a malicious program HeaderTip, the main purpose of which is to download and execute other DLL-files.”

SentinelLab experts analyzed the infrastructure used by Scarab and several samples of the HeaderTip malware shared by CERT-UA.

“We assess with high confidence the recent CERT-UA activity attributed to UAC-0026 is the Scarab APT group.” reads the analysis published by SentinelLabs. “An initial link can be made through the design of the malware samples and their associated loaders from at least 2020. Further relationships can be identified through the reuse of actor-unique infrastructure between the malware families associated with the groups:

• 508d106ea0a71f2fd360fda518e1e533e7e584ed (HeaderTip – 2021)
• 121ea06f391d6b792b3e697191d69dc500436604 (Scieron 2018)
• Dynamic.ddns[.]mobi (Reused C2 Server)”

The analysis of metadata associated with lure documents suggests the author is using the Windows operating system in a Chinese language setting.

The HeaderTip samples employed by threat actors are 32-bit DLL files written in C++. Experts reported that the HeaderTip malware implements backdoor capabilities and can be also used as a first stage malware.

“ConclusionWe assess with high confidence the recent CERT-UA activity attributed to UAC-0026 is the Scarab APT group and represents the first publicly-reported attack on Ukraine from a non-Russian APT.” concludes SentinelOne. “The HeaderTip malware and associated phishing campaign utilizing Macro-enabled documents appears to be a first-stage infection attempt. At this point in time, the threat actor’s further objectives and motivations remain unclear.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Ukraine)

[adrotate banner=”5″]

[adrotate banner=”13″]