
‘Scarab’ Hackers Focus Aim on Select Russian Targets in Attack Campaigns

Researchers at Symantec have identified a group of attackers targeting Russian-speaking individuals since at least January 2012.

Symantec has dubbed the hacking team “Scarab” and linked the group to several campaigns. In each instance, the attackers have targeted a small group of individuals as opposed to enterprises or governments. On average, fewer than 10 unique computers are infected per month, and there is no indication that the attackers spread through the victim’s local network.

“Based on our research, the Scarab attackers are a technically-capable group, judging on how they have custom-developed several malicious tools for these campaigns,” blogged Symantec researcher Gavin O’Gorman. “However, they are not highly skilled or well resourced, as they rely on older exploits and executables stored in compressed archives to distribute their threats.”

Many of the Scarab campaigns distribute the group’s custom malware – which Symantec has named Scieron and Scieron.B – through email. Scieron is a backdoor and is used to drop Scieron.B, which has a rootkit-like component that masks some of its network activity and includes more backdoor functionality.

The main payload of Scieron is a DLL file that is dropped either by a Trojanized Microsoft Word document or by another portable executable (PE) file. Once the Trojan is on the computer, it can take a number of actions, including gathering system information, downloading additional files, and executing and deleting files. In the case of Scieron.B, the malware includes functionality that allows it to hide a Transmission Control Protocol (TCP) port used for its communications. It also allows the hackers to launch a remote shell and take other actions.

“There are some indications (based on language resources) that the attackers are familiar with Chinese language characters, and they seem to mostly target Russian speakers located in Russia and other regions around the world,” O’Gorman noted. “The group conducts command-and-control (C&C) operations almost exclusively through the use of dynamic domain name system (DNS) domains. The C&C servers are usually hosted in South Korea; however, there have been instances where servers were located in other countries.”

For most of 2012, not much information was available about Scarab’s victims, according to Symantec. However, from October 2012 onward, a number of emails sent by the attackers were blocked by Symantec.Cloud. These emails carried Microsoft Word documents that exploited a known vulnerability (CVE-2012-0158). The attackers continued to intermittently send emails with .doc malware droppers until August 2013.

On January 22, 2013, the group sent an email with the English language subject “Joint Call For Papers – Conferences / Journal Special Issues, January 2013” to two individuals, O’Gorman noted.

“The attackers sent the message to email accounts associated with an Australian funded academic research project that had concluded in 2010,” he blogged. “It is possible that the researchers were continuing to use the email accounts for unrelated topics and this was why the attackers chose to target them. Seven days later, another email was sent to the same two individuals, this time with a Russian language subject of “Информация по обслуживанию высвобожденны,” which translates to “Service-related information are released” (sic).”

From this point on until at least January of 2014, the attackers began to use finance-related lures, including emails about the G20 Summit.

“From that month on, the attackers have been using “.scr” files to drop Trojan.Scieron,” the researcher blogged. “The titles of these .scr files are usually in Russian, and are a hint as to the nature of the targets. It’s very likely that the .scr files are being delivered by email; however this has not been confirmed. It is also likely – and again, unconfirmed – that the .scr files are embedded in .rar files.”
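The delivery pattern described in this article (droppers arriving as .scr attachments, Office lures exploiting an older vulnerability, and .scr files possibly nested inside archives) is the kind of thing a mail gateway can triage before a user ever opens the message. The following is an added example, not Symantec’s or SecurityWeek’s code: it walks the MIME parts of a message with Python’s standard `email` library, flags .scr and .doc attachments, looks inside .zip archives for nested droppers, treats .rar archives as opaque (inspecting them would need the third-party `rarfile` module, which this example assumes is not available), and catches executables renamed to a harmless-looking extension by checking for the `MZ` header. All attachment names and bytes are constructed dummies.

```python
"""Mail attachment triage for the Scarab-style delivery pattern.

Added example (not the article's or Symantec's code). Sample message and
attachment contents are constructed; none of the bytes are real malware.
"""
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

# Extensions the article associates with the droppers (.scr) and lures (.doc),
# and the archive containers to look inside. Constructed policy lists.
DROPPER_EXTS = {".scr"}
OFFICE_EXTS = {".doc"}
ARCHIVE_EXTS = {".rar", ".zip"}
EXECUTABLE_EXTS = {".exe", ".dll", ".scr"}


def _ext(name):
    """Lower-cased extension including the dot, or '' when there is none."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def inspect_archive(data, filename):
    """Return member names for a .zip archive, or None when the archive
    cannot be opened (corrupt zip, or a .rar, which needs 'rarfile')."""
    if _ext(filename) == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return zf.namelist()
        except zipfile.BadZipFile:
            return None
    return None  # .rar or unknown container: opaque without extra tooling


def triage_message(raw_bytes):
    """Walk the attachments of a raw RFC 822 message and return a list of
    (attachment_name, reason) findings in attachment order."""
    msg = email.message_from_bytes(raw_bytes, policy=default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        ext = _ext(name)
        if ext in DROPPER_EXTS:
            findings.append((name, f"direct {ext} attachment"))
        if ext in OFFICE_EXTS:
            findings.append((name, "Office document lure: scan for known exploits"))
        if ext in ARCHIVE_EXTS:
            members = inspect_archive(payload, name)
            if members is None:
                findings.append((name, f"opaque archive ({ext}): inspect manually"))
            else:
                for member in members:
                    if _ext(member) in DROPPER_EXTS:
                        findings.append((name, f"archive contains {member}"))
        # A .scr is just a renamed PE; a PE under any other extension is
        # suspicious regardless of what the filename claims.
        if payload[:2] == b"MZ" and ext not in EXECUTABLE_EXTS:
            findings.append((name, "PE header under a non-executable extension"))
    return findings


def build_sample():
    """Constructed sample: a zip holding a .scr dropper, a .doc lure, an
    opaque .rar, and a PE disguised as an image. Returns raw message bytes."""
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        zf.writestr("info.scr", b"MZ dummy screensaver bytes")
        zf.writestr("readme.txt", b"nothing to see")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"      # constructed address
    msg["To"] = "recipient@example.invalid"     # constructed address
    msg["Subject"] = "Joint Call For Papers"    # lure subject from the article
    msg.set_content("Please see the attached documents.")
    msg.add_attachment(zip_buf.getvalue(), maintype="application",
                       subtype="zip", filename="report.zip")
    msg.add_attachment(b"dummy word document", maintype="application",
                       subtype="msword", filename="summit.doc")
    msg.add_attachment(b"Rar! dummy", maintype="application",
                       subtype="vnd.rar", filename="archive.rar")
    msg.add_attachment(b"MZ\x90\x00 not really a jpeg", maintype="image",
                       subtype="jpeg", filename="photo.jpg")
    return msg.as_bytes()


if __name__ == "__main__":
    for attachment, reason in triage_message(build_sample()):
        print(f"{attachment}: {reason}")
```

The check is deliberately extension- and header-based rather than signature-based: the article notes the group relied on older exploits and renamed executables rather than novel tooling, so cheap structural checks at the gateway remove most of the delivery surface without needing a sample of each new dropper.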

“The Scarab attackers have been consistently targeting a select number of victims with custom malware over the last few years,” O’Gorman added. “While the group uses older exploits, their campaigns seem to have had some success, judging on how they have continued to operate similar campaigns over the years. The attackers’ focus on Russian speakers shows that they have specific targets in mind and they continue to adjust the subject of their email campaigns to successfully compromise their victims.”
