Researchers at Symantec have identified a group of attackers targeting Russian-speaking individuals since at least January 2012.
Symantec has dubbed the hacking team “Scarab” and linked the group to several campaigns. In each instance, the attackers have targeted a small group of individuals as opposed to enterprises or governments. On average, less than 10 unique computers are infected per month and there is no indication that the attackers are spreading through the victim’s local network.
“Based on our research, the Scarab attackers are a technically-capable group, judging on how they have custom-developed several malicious tools for these campaigns,” blogged Symantec researcher Gavin O’Gorman. “However, they are not highly skilled or well resourced, as they rely on older exploits and executables stored in compressed archives to distribute their threats.”
Many of the Scarab campaigns distribute the group’s custom malware – which Symantec has named Scieron and Scieron B – through email. Scieron is a backdoor and is used to drop Scieron B., which has a rootkit-like component that masks some of its network activity and includes more backdoor functionality.
The main payload of Scieron is within a DLL file that is dropped either from a Trojanized Microsoft Word document or another portable executable (PE) file. Once the Trojan is on the computer, it can to take a number of actions, including: gathering system information, download additional files and executing and deleting files. In the case of Scieron.B , the malware includes functionality that allows it to hide a Transmission Control Protocol (TCP) port in communications. It also allows the hackers to launch a remote shell and take other actions.
“There are some indications (based on language resources) that the attackers are familiar with Chinese language characters, and they seem to mostly target Russian speakers located in Russia and other regions around the world,” O’Gorman noted. “The group conducts command-and-control (C&C) operations almost exclusively through the use of dynamic domain name system (DNS) domains. The C&C servers are usually hosted in South Korea; however, there have been instances where servers were located in other countries.”
For most of 2012, not much information was available about Scarab’s victims, according to Symantec. However from October 2012, a number of emails sent from the @yandex.ru email addresses by attackers were blocked by Symantec.Cloud. These emails targeted Microsoft Word documents exploited a known vulnerability (CVE-2012-0158). The attackers continue to intermittently send emails with .doc malware droppers until August 2013.
On January 22, 2013, the group sent an email with the English language subject “Joint Call For Papers – Conferences / Journal Special Issues, January 2013” to two individuals, O’Gorman noted.
“The attackers sent the message to email accounts associated with an Australian funded academic research project that had concluded in 2010,” he blogged. “It is possible that the researchers were continuing to use the email accounts for unrelated topics and this was why the attackers chose to target them. Seven days later, another email was sent to the same two individuals, this time with a Russian language subject of “Информация по обслуживанию высвобожденны,”which translates to “Service-related information are released” (sic).”
From this point on until at least January of 2014, the attackers began to use finance-related lures, including emails about the G20 Summit.
“From that month on, the attackers have been using “.scr” files to drop Trojan.Scieron,” the researcher blogged. “The titles of these .scr files are usually in Russian, and are a hint as to the nature of the targets. It’s very likely that the .scr files are being delivered by email; however this has not been confirmed. It is also likely and again, unconfirmed−that the .scr files are embedded in .rar files.”
“The Scarab attackers have been consistently targeting a select number of victims with custom malware over the last few years,” O’Gorman added. “While the group uses older exploits, their campaigns seem to have had some success, judging on how they have continued to operate similar campaigns over the years. The attackers’ focus on Russian speakers shows that they have specific targets in mind and they continue to adjust the subject of their email campaigns to successfully compromise their victims.”