‘Scarab’ Hackers Focus Aim on Select Russian Targets in Attack Campaigns

Researchers at Symantec have identified a group of attackers targeting Russian-speaking individuals since at least January 2012.

Symantec has dubbed the hacking team “Scarab” and linked the group to several campaigns. In each instance, the attackers have targeted a small group of individuals as opposed to enterprises or governments. On average, fewer than 10 unique computers are infected per month, and there is no indication that the attackers are spreading through the victim’s local network.

“Based on our research, the Scarab attackers are a technically-capable group, judging on how they have custom-developed several malicious tools for these campaigns,” blogged Symantec researcher Gavin O’Gorman. “However, they are not highly skilled or well resourced, as they rely on older exploits and executables stored in compressed archives to distribute their threats.”

Many of the Scarab campaigns distribute the group’s custom malware – which Symantec has named Scieron and Scieron.B – through email. Scieron is a backdoor and is used to drop Scieron.B, which has a rootkit-like component that masks some of its network activity and includes more backdoor functionality.

The main payload of Scieron is within a DLL file that is dropped either from a Trojanized Microsoft Word document or another portable executable (PE) file. Once the Trojan is on the computer, it can take a number of actions, including gathering system information, downloading additional files, and executing and deleting files. In the case of Scieron.B, the malware includes functionality that allows it to hide a Transmission Control Protocol (TCP) port in communications. It also allows the hackers to launch a remote shell and take other actions.

“There are some indications (based on language resources) that the attackers are familiar with Chinese language characters, and they seem to mostly target Russian speakers located in Russia and other regions around the world,” O’Gorman noted. “The group conducts command-and-control (C&C) operations almost exclusively through the use of dynamic domain name system (DNS) domains. The C&C servers are usually hosted in South Korea; however, there have been instances where servers were located in other countries.”

For most of 2012, not much information was available about Scarab’s victims, according to Symantec. However, from October 2012, a number of emails sent by the attackers from @yandex.ru email addresses were blocked by Symantec.Cloud. These emails carried Microsoft Word documents that exploited a known vulnerability (CVE-2012-0158). The attackers continued to intermittently send emails with .doc malware droppers until August 2013.

On January 22, 2013, the group sent an email with the English language subject “Joint Call For Papers – Conferences / Journal Special Issues, January 2013” to two individuals, O’Gorman noted.

“The attackers sent the message to email accounts associated with an Australian funded academic research project that had concluded in 2010,” he blogged. “It is possible that the researchers were continuing to use the email accounts for unrelated topics and this was why the attackers chose to target them. Seven days later, another email was sent to the same two individuals, this time with a Russian language subject of “Информация по обслуживанию высвобожденны,” which translates to “Service-related information are released” (sic).”

From this point on until at least January of 2014, the attackers began to use finance-related lures, including emails about the G20 Summit.

“From that month on, the attackers have been using “.scr” files to drop Trojan.Scieron,” the researcher blogged. “The titles of these .scr files are usually in Russian, and are a hint as to the nature of the targets. It’s very likely that the .scr files are being delivered by email; however this has not been confirmed. It is also likely – and again, unconfirmed – that the .scr files are embedded in .rar files.”
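As an added, defender-side example that is not from the Symantec research or this article: a hypothetical attachment triage routine that flags the two dropper types described above (legacy .doc exploit documents such as the CVE-2012-0158 lures, and .scr executables nested inside archives). It assumes ZIP containers because parsing .rar needs a third-party module, and all sample data is constructed inline.

```python
import io
import zipfile
from dataclasses import dataclass

# Dropper types the article attributes to Scarab: .doc exploit documents and .scr
# screensaver executables, the latter probably inside .rar archives. Parsing .rar needs
# a third-party module, so this hypothetical triage uses stdlib zipfile instead.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif"}
DOCUMENT_EXTS = {".doc", ".rtf", ".xls"}
ARCHIVE_EXTS = {".zip"}

@dataclass
class Finding:
    attachment: str
    reason: str

def _ext(name):
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""

def triage_attachment(name, data, depth=0):
    """Return a list of Findings for one attachment, recursing into archives."""
    findings = []
    ext = _ext(name)
    if ext in EXECUTABLE_EXTS:
        # PE files start with the "MZ" DOS header; a .scr is simply a renamed PE.
        tag = "PE executable" if data[:2] == b"MZ" else "executable extension"
        findings.append(Finding(name, f"{tag} ({ext}) as attachment, depth {depth}"))
    elif ext in DOCUMENT_EXTS:
        # Legacy OLE2 compound files start with D0 CF 11 E0; the CVE-2012-0158
        # exploit documents were such files, so route them to a sandbox.
        if data[:4] == b"\xd0\xcf\x11\xe0":
            findings.append(Finding(name, "legacy OLE2 Office document; detonate in sandbox"))
    elif ext in ARCHIVE_EXTS and depth < 3:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    inner = zf.read(info)
                    findings.extend(triage_attachment(f"{name}/{info.filename}", inner, depth + 1))
        except zipfile.BadZipFile:
            findings.append(Finding(name, "unreadable archive"))
    return findings

def build_sample_archive():
    """Constructed sample: an archive holding a Russian-titled .scr with a PE header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Отчет_за_2013.scr", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"just text")
    return buf.getvalue()
```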

“The Scarab attackers have been consistently targeting a select number of victims with custom malware over the last few years,” O’Gorman added. “While the group uses older exploits, their campaigns seem to have had some success, judging on how they have continued to operate similar campaigns over the years. The attackers’ focus on Russian speakers shows that they have specific targets in mind and they continue to adjust the subject of their email campaigns to successfully compromise their victims.”
