Chinese Scarab Group Targets Ukrainian Companies with HeaderTip Malware

Chinese Scarab Group Launches Cyberattacks on Ukrainian Companies

The Chinese cybercriminal group known as Scarab has targeted organizations in Ukraine using a specialized backdoor called HeaderTip. According to experts from SentinelOne, the group's spear-phishing campaign involves sending a RAR archive containing an executable file designed to stealthily install a malicious DLL library named HeaderTip in the background.

Background on the Scarab Group

The Scarab group was first identified by the Symantec Threat Hunter team in January 2015. However, the criminals had been conducting attacks against Russian-speaking individuals since at least January 2012, primarily to deploy a backdoor known as Scieron.

Technical Details of HeaderTip

Experts have linked HeaderTip to the Scarab group based on similarities in malware characteristics and infrastructure with Scieron. HeaderTip is a 32-bit DLL file written in C++, with a size of 9.7 KB. Its functionality is limited to acting as a first-stage loader, enabling the download of additional modules from a remote server.

Attack Methods and Objectives

According to cybersecurity specialists, Scarab's activities are aimed at gathering geopolitical intelligence. The phishing attacks use lure documents that appear to be sent on behalf of the National Police of Ukraine. Metadata from these documents, collected from various campaigns, indicates that the creator uses a Windows operating system configured in Chinese.
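The attribution clue above comes from document metadata. As an added illustration (not code from SentinelOne or from the article), the following Python script pulls the author, timestamp and locale-related fields out of an OOXML document's docProps part and reports the locale hints a triage analyst would look at. It assumes the lure is an OOXML file (docx/xlsx/pptx); the article does not state the document format, and the sample document built in memory here is constructed, not a real lure.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by the two standard OOXML property parts.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

CORE_FIELDS = (
    ("creator", "dc:creator"),
    ("last_modified_by", "cp:lastModifiedBy"),
    ("created", "dcterms:created"),
    ("modified", "dcterms:modified"),
    ("language", "dc:language"),
)
APP_FIELDS = (
    ("application", "ep:Application"),
    ("template", "ep:Template"),
    ("company", "ep:Company"),
)


def extract_ooxml_metadata(data: bytes) -> dict:
    """Return the authoring/locale fields found in an OOXML file's docProps parts."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        for part, fields in (("docProps/core.xml", CORE_FIELDS),
                             ("docProps/app.xml", APP_FIELDS)):
            if part not in names:
                continue  # not every generator writes both parts
            root = ET.fromstring(z.read(part))
            for key, path in fields:
                el = root.find(path, NS)
                if el is not None and el.text:
                    out[key] = el.text.strip()
    return out


def locale_hints(meta: dict) -> list:
    """Flag metadata values suggesting the author's environment locale.
    These are hints for an analyst, not proof of origin."""
    hints = []
    lang = meta.get("language", "")
    if lang.lower().startswith("zh"):
        hints.append("document language tag is Chinese (%s)" % lang)
    for key in ("creator", "last_modified_by", "template", "company"):
        value = meta.get(key, "")
        # CJK Unified Ideographs block: a cheap check for Chinese text in a field.
        if any("\u4e00" <= ch <= "\u9fff" for ch in value):
            hints.append("%s contains CJK characters (%s)" % (key, value))
    return hints


def build_sample_docx() -> bytes:
    """Constructed sample: a minimal zip with only the two property parts."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s">'
        "<dc:creator>sample-user</dc:creator>"
        "<cp:lastModifiedBy>sample-user</cp:lastModifiedBy>"
        "<dcterms:created>2022-03-01T09:00:00Z</dcterms:created>"
        "<dc:language>zh-CN</dc:language>"
        "</cp:coreProperties>"
    ) % (NS["cp"], NS["dc"], NS["dcterms"])
    app = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<ep:Properties xmlns:ep="%s">'
        "<ep:Application>Microsoft Office Word</ep:Application>"
        "<ep:Template>Normal.dotm</ep:Template>"
        "</ep:Properties>"
    ) % NS["ep"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
    return buf.getvalue()


if __name__ == "__main__":
    meta = extract_ooxml_metadata(build_sample_docx())
    for k, v in sorted(meta.items()):
        print("%-17s %s" % (k, v))
    for h in locale_hints(meta):
        print("HINT:", h)
```

The `dc:language` field is not always populated by Word, so in practice the same check is worth running over other locale carriers too (RTF `\deflang` values, PDF producer strings, or the code page recorded in legacy OLE documents); the script only reports what the OOXML property parts actually contain.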
