Ukraine’s Computer Emergency Response Team (CERT-UA) released evidence last week regarding a malicious campaign tracked as UAC-0026, which SentinelLabs associated with China-linked Scarab APT. threat actors.
Scarab APT was first spotted in 2015, but researchers believe it has been active since at least 2012, conducting surgical assaults against multiple nations across the globe, including Russia and the United States.
Threat actors are targeting the Ukrainian system by distributing malware via phishing messages using weaponized documents that deploy the HeaderTip malware. The phishing texts employ a RAR-archive titled “On the preservation of video recordings of the criminal actions of the army of the Russian Federation.rar” which contains the EXE-file of the same name. The malicious document employed in the campaign spotted by CERT-UA mimics the National Police of Ukraine.
“Running the executable file will create a lure document ‘# 2163_02_33-2022.pdf’ on the computer (applies to a letter from the National Police of Ukraine), as well as a DLL file with the MZ header ‘officecleaner.dat’ and the BAT file ‘officecleaner’ removed. .bat,’ which will ensure the formation of the correct DLL-file, run it and write to the Windows registry to ensure consistency. The mentioned DLL-file is classified as a malicious program HeaderTip, the main purpose of which is to download and execute other DLL-files.”
The HeaderTip samples employed by Chinese hackers are 32-bit DLL files written in C++. The malware executes backdoor capabilities and is also used as a first-stage malware.
CERT-UA, which did not mention China or Scarab in its alert, added that identical attacks were observed in September last year. According to SentinelOne, it was able to tie UAC-0026 to Scarab through an analysis of the malware employed in the assault.
“Further relationships can be identified through the reuse of actor-unique infrastructure between the malware families associated with the groups,” SentinelOne explained, adding that there is sufficient evidence depicting that the author of the malware is employing the Windows operating system in a Chinese language setting.
“Based on known targets since 2020, including those against Ukraine in March 2022, in addition to specific language use, we assess with moderate confidence that Scarab is Chinese speaking and operating under geopolitical intelligence collection purposes,” SentinelOne concluded.
