Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

APT

Chinese threat actor Scarab targets Ukraine, CERT-UA warns

Ukraine CERT (CERT-UA) released details about a campaign that SentinelLabs linked with the suspected Chinese threat actor tracked as Scarab. Ukraine CERT (CERT-UA) published technical details about a malicious activity tracked as UAC-0026, which SentinelLabs associated with China-linked Scarab APT. Scarab APT was first spotted in 2015, but experts believe it has been active since […]

Scarab APT

Ukraine CERT (CERT-UA) released details about a campaign that SentinelLabs linked with the suspected Chinese threat actor tracked as Scarab.

Ukraine CERT (CERT-UA) published technical details about a malicious activity tracked as UAC-0026, which SentinelLabs associated with China-linked Scarab APT. Scarab APT was first spotted in 2015, but experts believe it has been active since at least 2012, conducting surgical attacks against a small number of individuals across the world, including Russia and the United States.

Scarab has conducted multiple cyberspionage campaigns over the years, it employed the custom backdoor Scieron and later the HeaderTip implant.

Experts pointed out that the UAC-0026 activity is the first public example of a Chinese threat actor targeting Ukraine since the beginning of the invasion.

The attacker spread their malware through phishing messages using weaponized documents that deploy the HeaderTip malware. The messages use a RAR-archive titled “On the preservation of video recordings of the criminal actions of the army of the Russian Federation.rar” which included an executable with the same name. The lure document employed in the campaign spotted by CERT-UA mimics the National Police of Ukraine.

“Running the executable file will create a lure document “# 2163_02_33-2022.pdf” (applies to a letter from the National Police of Ukraine), as well as a DLL file with the MZ header “officecleaner.dat” and the BAT file “officecleaner” removed. .bat “, which will ensure the formation of the correct DLL-file, run it and write to the Windows registry to ensure consistency.” reads the advisory published by CERT-UA. “The mentioned DLL-file is classified as a malicious program HeaderTip, the main purpose of which is to download and execute other DLL-files.”

Scarab APT

SentinelLab experts analyzed the infrastructure used by Scarab and several samples of the HeaderTip malware shared by CERT-UA.

“We assess with high confidence the recent CERT-UA activity attributed to UAC-0026 is the Scarab APT group.” reads the analysis published by SentinelLabs. “An initial link can be made through the design of the malware samples and their associated loaders from at least 2020. Further relationships can be identified through the reuse of actor-unique infrastructure between the malware families associated with the groups:

  • 508d106ea0a71f2fd360fda518e1e533e7e584ed (HeaderTip – 2021)
  • 121ea06f391d6b792b3e697191d69dc500436604 (Scieron 2018)
  • Dynamic.ddns[.]mobi (Reused C2 Server)”

The analysis of metadata associated with lure documents suggests the author is using the Windows operating system in a Chinese language setting.

The HeaderTip samples employed by threat actors are 32-bit DLL files written in C++. Experts reported that the HeaderTip malware implements backdoor capabilities and can be also used as a first stage malware.

“ConclusionWe assess with high confidence the recent CERT-UA activity attributed to UAC-0026 is the Scarab APT group and represents the first publicly-reported attack on Ukraine from a non-Russian APT.” concludes SentinelOne. “The HeaderTip malware and associated phishing campaign utilizing Macro-enabled documents appears to be a first-stage infection attempt. At this point in time, the threat actor’s further objectives and motivations remain unclear.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Ukraine)

[adrotate banner=”5″]

[adrotate banner=”13″]