Last Updated on 27/03/2022 by Nidhi Khandelwal
Scarab, a Chinese-speaking threat actor, has been linked to a bespoke backdoor known as HeaderTip as part of a campaign targeting Ukraine since Russia's invasion last month, making it the second China-based hacking group, after Mustang Panda, to capitalize on the war.
In a report released this week, SentinelOne analyst Tom Hegel said, “The malicious behavior is one of the first public examples of a Chinese threat actor targeting Ukraine since the invasion began.”
SentinelOne's findings follow an alert from Ukraine's Computer Emergency Response Team (CERT-UA) earlier this week describing a spear-phishing campaign that delivers a RAR archive containing an executable; when run, the executable opens a decoy document for the victim while dropping a malicious DLL, HeaderTip, in the background.
Scarab was first documented in January 2015 by the Symantec Threat Hunter Team, part of Broadcom Software, which described highly targeted operations against Russian-speaking individuals dating back to January 2012 that deployed a backdoor known as Scieron.
“If the attackers are successful in gaining access to the victims’ machines, they employ a simple backdoor threat called Trojan.Scieron to install Trojan.Scieron.B,” Symantec researchers explained at the time. “Trojan.Scieron.B has a rootkit-like component that masks some of its network activity and has improved back door capabilities.”
The attribution of HeaderTip to Scarab rests on malware and infrastructure overlaps with Scieron, which SentinelOne describes as a predecessor of the newly found backdoor. HeaderTip itself is a 9.7 KB 32-bit DLL written in C++ whose functionality is limited to acting as a first-stage loader that retrieves next-stage modules from a remote server; its small size fits that role, since the real capabilities arrive in whatever the server chooses to deliver.
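The delivery chain described above (an executable beside a decoy document, dropping a small 32-bit first-stage DLL) can be turned into a simple triage rule for extracted archive contents. The Python below is an added example and is not code from SentinelOne, CERT-UA or the article: it classifies each file by its PE headers rather than its extension, then flags the combination of an executable plus a small 32-bit DLL, recording any decoy documents as supporting evidence. The 64 KB size threshold, the decoy extension list, the file names and the header-only sample blobs are all constructed for this example.

```python
import os
import struct
from dataclasses import dataclass

# COFF header constants from the PE/COFF specification
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_DLL = 0x2000

# Triage thresholds: assumptions for this example, not figures from the report.
SMALL_DLL_BYTES = 64 * 1024          # HeaderTip is 9.7 KB; treat up to 64 KB as "stub sized"
DECOY_EXTS = {".doc", ".docx", ".pdf", ".rtf", ".xls", ".xlsx"}


@dataclass
class PEInfo:
    is_pe: bool
    size: int
    is_dll: bool = False
    is_32bit: bool = False


def parse_pe(data: bytes) -> PEInfo:
    """Classify a blob by its PE headers, never by its file extension."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return PEInfo(is_pe=False, size=len(data))
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # "PE\0\0" signature followed by the 20-byte COFF file header
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return PEInfo(is_pe=False, size=len(data))
    machine, _, _, _, _, _, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return PEInfo(is_pe=True, size=len(data),
                  is_dll=bool(characteristics & IMAGE_FILE_DLL),
                  is_32bit=machine == IMAGE_FILE_MACHINE_I386)


def triage_members(members: dict) -> dict:
    """Score the extracted members of one archive (name -> bytes) against the
    pattern described above: an executable alongside a small 32-bit DLL, with
    decoy documents as optional supporting evidence. The evidence is returned
    so an analyst can see why the rule fired."""
    exes, small_dlls, other_dlls, decoys = [], [], [], []
    for name, data in members.items():
        info = parse_pe(data)
        ext = os.path.splitext(name.lower())[1]
        if info.is_pe and info.is_dll:
            if info.is_32bit and info.size <= SMALL_DLL_BYTES:
                small_dlls.append(name)
            else:
                other_dlls.append(name)
        elif info.is_pe:
            exes.append(name)
        elif ext in DECOY_EXTS:
            decoys.append(name)
    return {
        "suspicious": bool(exes) and bool(small_dlls),
        "executables": exes,
        "small_32bit_dlls": small_dlls,
        "other_dlls": other_dlls,
        "decoy_documents": decoys,
    }


def triage_directory(path: str) -> dict:
    """Run the same rule over an archive that has already been extracted to disk."""
    members = {}
    for root, _, files in os.walk(path):
        for fn in files:
            full = os.path.join(root, fn)
            with open(full, "rb") as fh:
                members[os.path.relpath(full, path)] = fh.read()
    return triage_members(members)


def make_pe(machine: int, characteristics: int, padding: int = 0) -> bytes:
    """Build a header-only PE blob for the constructed samples below. It is not
    a runnable binary, only enough header for parse_pe to classify it."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff_header = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, characteristics)
    return dos_header + coff_header + b"\0" * padding


# Constructed sample mimicking the archive layout described above: a 32-bit
# executable, a roughly 9.7 KB 32-bit DLL (88 header bytes + padding) and a
# decoy document. File names are made up for the example.
CONSTRUCTED_ARCHIVE = {
    "video_materials.exe": make_pe(IMAGE_FILE_MACHINE_I386, 0x0102, padding=40_000),
    "helper.dll": make_pe(IMAGE_FILE_MACHINE_I386, 0x2102, padding=9_800),
    "notes.docx": b"PK\x03\x04" + b"\0" * 200,
}

# Contrast case: a large 64-bit DLL with no executable beside it does not match.
BENIGN_ARCHIVE = {
    "vendor.dll": make_pe(IMAGE_FILE_MACHINE_AMD64, 0x2022, padding=300_000),
    "readme.txt": b"nothing to see here",
}

if __name__ == "__main__":
    print(triage_members(CONSTRUCTED_ARCHIVE))
    print(triage_members(BENIGN_ARCHIVE))
```

Because the classification reads the COFF header, a DLL renamed to `.dat` or a document extension is still counted as a DLL; only files that are not PE at all are judged by extension, and then only to collect decoy evidence. A hit from this rule is a reason to pull the archive into a sandbox, not an attribution to Scarab: the rule captures the delivery shape, and the page's attribution rests on overlaps with Scieron that a static check like this cannot see.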