Threat Intelligence
1/25/2016
06:00 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

'Scarlet Mimic' Hackers Snoop On Minority Activists In China

Weapon of choice is the FakeM Windows backdoor, but it's making moves to more platforms.

A four-year long cyber-attack campaign with the primary mission of gathering information about minority activist groups in China has been discovered by researchers at Palo Alto Network's Unit 42.

Palo Alto has been following the group, which they've dubbed Scarlet Mimic, for the past seven months. Targets were mainly social rights activists representing the Tibetan and Uyghur minorities in China, as well as government agenices in Russia and India. The most recent attacks took place in 2015, and according to researchers, show that Scarlet Mimic is interested in knowing more about the Muslim activists and people interested in critiques of the Russian government.

Researchers say there is no evidence linking Scarlet Mimic to a government source, but that it is "likely a well-funded and skillfully resourced cyber adversary," and that the group's motives are similar to the stated positions of the Chinese government.

Scarlet Mimic's main weapon of choice is FakeM, a shellcode-based Windows backdoor so named because its command-and-control traffic evades detection by mimicking Windows Messenger and Yahoo Messenger.

FakeM has been evolving with the help of Scarlet Mimic's developers, according to Palo Alto. Researchers discovered FakeM variants that use SSL to encrypt command-and-control communications; one variant even uses a customized SSL protocol that skips the traditional "client hello" SSL handshake.

Scarlet Mimic actively developed nine different loader families to deliver FakeM and is also expanding its attacks to more platforms. Palo Alto researchers discovered other tools sharing infrastructure with FakeM -- including the CallMe Trojan, built to exploit Mac OSX, and Psylo, a discovered shellcode-based uploader/downloader similar to FakeM that shares infrastructure with MobileOrder, a Trojan for compromising Android mobile devices. "The connection between FakeM, Psylo, and MobileOrder suggest that Scarlet Mimic is now expanding their espionage efforts from PCs to mobile devices, which marks a major shift in tactics," say researchers.

The group favors spearphishing, with heavy use of decoy documents, as well as watering hole attacks. Yet, it wasn't as sophisticated and hands-on when creating those malicious documents as it was creating its Trojans and payloads. Some of the malicious documents were created with the MNKit, WingD, and Tran Duy Linh toolkits, which are also used by other threat actors.

Decoy documents included a World Uyghur Congress press release, a graphic comparing Vladimir Putin to Adolph Hitler, and a New York Times article about Chinese police seizing the ashes of a Tibetan monk.

Sometimes the attackers trick targets into directly executing the payload, but they've also exploited five different vulnerabilities to extract information without authorization -- including a memory corruption bug in Excel, a system state corruption bug in Active X, a buffer overflow in PowerPoint, and stack-based buffer overflows in Microsoft Office and the CoolType DLL in Adobe Reader and Acrobat.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Christian Bryant
50%
50%
Christian Bryant,
User Rank: Ninja
1/28/2016 | 11:36:54 AM
Re: Sandboxing for the win?
While VM sounds like a feasible solution, you have to assume your cloud account won't also be targeted - which it will be.  A toss-away VM only works if the data you need to work with is not under threat of compromise, too.  That said, this is where Tor comes in and while the networks have long been hit with negative press due to the "dark net", Tor could be the answer to keeping activists safe.  

In addition to the problems above you need to realize that not all activists are tech-savvy.  A critical component of any activist group should be a hacktivist who can guide users to safer computing practices and to head off attacks (either through offensive tactics, or diversion through social hacks) like those detailed in the article.    
Jason Echols
50%
50%
Jason Echols,
User Rank: Apprentice
1/26/2016 | 10:38:11 AM
Sandboxing for the win?
If you knew you were being directly targeted by a powerful state actor, I wonder if it would be feasible to run from a virtual OS/App environment like VirtualBox that you started fresh daily? Cloud services could keep your files synced as most of these attacks seem to be aimed at the OS or apps. It's more work, but may be worth it to avoid tracking/jail for these folks.
Christian Bryant
50%
50%
Christian Bryant,
User Rank: Ninja
1/25/2016 | 11:21:04 PM
Sophistication in Big Brother's (or Comrade's) Evolution
I was just reading the press release from Palo Alto Networks on this story.  This is a good case study in combative hacking techniques that can be used both for good and bad (depending on your POV) group monitoring activities.  The use of bait that is well-researched and targeted in content demonstrates the care that has gone into the development of this system.

Malware Tracker, Kaspersky - many others - have great data on Tran Duy Linh and it's worth the time to read the history there.  I look forward to reading the full length papers on this from PAN soon.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Equal pay--easy; equal work--not so much.
Current Issue
The Changing Face of Identity Management
Mobility and cloud services are altering the concept of user identity. Here are some ways to keep up.
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio

The cybersecurity profession struggles to retain women (figures range from 10 to 20 percent). It's particularly worrisome for an industry with a rapidly growing number of vacant positions.

So why does the shortage of women continue to be worse in security than in other IT sectors? How can men in infosec be better allies for women; and how can women be better allies for one another? What is the industry doing to fix the problem -- what's working, and what isn't?

Is this really a problem at all? Are the low numbers simply an indication that women do not want to be in cybersecurity, and is it possible that more women will never want to be in cybersecurity? How many women would we need to see in the industry to declare success?

Join Dark Reading senior editor Sara Peters and guests Angela Knox of Cloudmark, Barrett Sellers of Arbor Networks, Regina Wallace-Jones of Facebook, Steve Christey Coley of MITRE, and Chris Roosenraad of M3AAWG on Wednesday, July 13 at 1 p.m. Eastern Time to discuss all this and more.