A four-year long cyber-attack campaign with the primary mission of gathering information about minority activist groups in China has been discovered by researchers at Palo Alto Network's Unit 42.
Palo Alto has been following the group, which they've dubbed Scarlet Mimic, for the past seven months. Targets were mainly social rights activists representing the Tibetan and Uyghur minorities in China, as well as government agenices in Russia and India. The most recent attacks took place in 2015, and according to researchers, show that Scarlet Mimic is interested in knowing more about the Muslim activists and people interested in critiques of the Russian government.
Researchers say there is no evidence linking Scarlet Mimic to a government source, but that it is "likely a well-funded and skillfully resourced cyber adversary," and that the group's motives are similar to the stated positions of the Chinese government.
Scarlet Mimic's main weapon of choice is FakeM, a shellcode-based Windows backdoor so named because its command-and-control traffic evades detection by mimicking Windows Messenger and Yahoo Messenger.
FakeM has been evolving with the help of Scarlet Mimic's developers, according to Palo Alto. Researchers discovered FakeM variants that use SSL to encrypt command-and-control communications; one variant even uses a customized SSL protocol that skips the traditional "client hello" SSL handshake.
Scarlet Mimic actively developed nine different loader families to deliver FakeM and is also expanding its attacks to more platforms. Palo Alto researchers discovered other tools sharing infrastructure with FakeM -- including the CallMe Trojan, built to exploit Mac OSX, and Psylo, a discovered shellcode-based uploader/downloader similar to FakeM that shares infrastructure with MobileOrder, a Trojan for compromising Android mobile devices. "The connection between FakeM, Psylo, and MobileOrder suggest that Scarlet Mimic is now expanding their espionage efforts from PCs to mobile devices, which marks a major shift in tactics," say researchers.
The group favors spearphishing, with heavy use of decoy documents, as well as watering hole attacks. Yet, it wasn't as sophisticated and hands-on when creating those malicious documents as it was creating its Trojans and payloads. Some of the malicious documents were created with the MNKit, WingD, and Tran Duy Linh toolkits, which are also used by other threat actors.
Decoy documents included a World Uyghur Congress press release, a graphic comparing Vladimir Putin to Adolph Hitler, and a New York Times article about Chinese police seizing the ashes of a Tibetan monk.
Sometimes the attackers trick targets into directly executing the payload, but they've also exploited five different vulnerabilities to extract information without authorization -- including a memory corruption bug in Excel, a system state corruption bug in Active X, a buffer overflow in PowerPoint, and stack-based buffer overflows in Microsoft Office and the CoolType DLL in Adobe Reader and Acrobat.