Pular para o conteúdo principal

Another Chinese Hacking Group Spotted Targeting Ukraine Amid Russia Invasion

A Chinese-speaking threat actor called Scarab has been linked to a custom backdoor dubbed HeaderTip as part of a campaign targeting Ukraine since Russia embarked on an invasion last month, making it the second China-based hacking group after Mustang Panda to capitalize on the conflict.

"The malicious activity represents one of the first public examples of a Chinese threat actor targeting Ukraine since the invasion began," SentinelOne researcher Tom Hegel said in a report published this week.

SentinelOne's analysis follows an advisory from Ukraine's Computer Emergency Response Team (CERT-UA) earlier this week outlining a spear-phishing campaign that leads to the delivery of a RAR archive file, which comes with an executable that's designed to open a decoy file while stealthily dropping a malicious DLL called HeaderTip in the background.

Scarab was first documented by the Symantec Threat Hunter Team, part of Broadcom Software, in January 2015, when it detailed highly targeted attacks against Russian-speaking individuals since at least January 2012 to deploy a backdoor called Scieron.

"If the attackers successfully compromise the victims' computers, then they use a basic backdoor threat called Trojan.Scieron to drop Trojan.Scieron.B onto the computer," Symantec researchers noted at the time. "Trojan.Scieron.B has a rootkit-like component that hides some of its network activity and features more enhanced back door functionality."

HeaderTip's connections to Scarab come from malware and infrastructure overlaps to that of Scieron, with SentinelOne calling the latter a predecessor of the newly discovered backdoor. Designed as a 32-bit DLL file and written in C++, HeaderTip is 9.7 KB in size and its functionality is limited to acting as a first-stage package for fetching next-stage modules from a remote server.

"Based on known targets since 2020, including those against Ukraine in March 2022, in addition to specific language use, we assess with moderate confidence that Scarab is Chinese speaking and operating under geopolitical intelligence collection purposes," Hegel said.

Comentários

Postar um comentário

Postagens mais visitadas deste blog

"Polymath" Plataforma Baseada na Ethereum Blockchain Poderia Revolucionar Transações de Valores Mobiliários

As ofertas iniciais de moedas (Em inglês Initial Coin Offerings -  ICO ) arrecadaram mais de US $ 4 bilhões de dólares desde 2013, e as agências governamentais estão analisando suas implicações regulatórias. Alguns tokens emitidos através dessa oferta podem ser considerados "tokens de valores mobiliários" e até mesmo em violação das leis de valores mobiliários. Um novo, o protocolo descentralizado, no entanto, está se preparando para tornar mais fácil do que nunca a emissão de toques de cadeias de blocos com recursos. E isso inclui valores mobiliários. "O Polymath facilita os tokens de títulos na cadeia de blocos através de uma rede de participantes coordenados que são incentivados pela POLY, nosso token nativo", disse o Fundador e CEO da Polymath , Trevor Koverko, à CCN. "Nós criamos um novo padrão de token que faz os requisitos necessários, como KYC e AML, nos próprios tokens". A plataforma Polymath destina-se a reduzir as barreiras para
Postar um comentário
Leia mais

All You Need to Know About Emotet in 2022

For 6 months, the infamous Emotet botnet has shown almost no activity, and now it's distributing malicious spam. Let's dive into details and discuss all you need to know about the notorious malware to combat it. Why is everyone scared of Emotet? Emotet is by far one of the most dangerous trojans ever created. The malware became a very destructive program as it grew in scale and sophistication. http://dlvr.it/SdR6Bq
Postar um comentário
Leia mais

Password Reset Hack Exposed in Honda's E-Commerce Platform, Dealers Data at Risk

Security vulnerabilities discovered in Honda's e-commerce platform could have been exploited to gain unrestricted access to sensitive dealer information. "Broken/missing access controls made it possible to access all data on the platform, even when logged in as a test account," security researcher Eaton Zveare said in a report published last week. The platform is designed for the sale of power http://dlvr.it/SqbFDX
Postar um comentário
Leia mais