The Chinese cybercrime group Scarab used a special backdoor called HeaderTip as part of a campaign aimed at Ukrainian organizations.
According to experts from SentinelOne, the operators of the targeted phishing campaign are sending out a RAR archive containing an executable file that silently installs a malicious DLL called HeaderTip.
The Scarab group was discovered by the Symantec Threat Hunter team in January 2015. Its operators have been carrying out attacks against Russian-speaking individuals since at least January 2012 in order to deploy a backdoor called Scieron.
Experts have linked HeaderTip to the Scarab group based on similarities in malware and infrastructure with Scieron. HeaderTip, compiled as a 32-bit DLL and written in C++, is 9.7 KB in size, and its functionality is limited to acting as a first-stage loader that fetches next-stage modules from a remote server.
According to information security experts, the members of the Scarab group operate in order to collect geopolitical intelligence.
The phishing attacks use a decoy document purportedly sent on behalf of the National Police of Ukraine. Decoy documents from various campaigns contain metadata indicating that their creator uses the Windows operating system with Chinese-language settings.