

'Scarlet Mimic' Hackers Snoop On Minority Activists In China

Weapon of choice is the FakeM Windows backdoor, but it's making moves to more platforms.

A four-year-long cyber-attack campaign whose primary mission is gathering information about minority activist groups in China has been discovered by researchers at Palo Alto Networks' Unit 42.

Palo Alto has been following the group, which they've dubbed Scarlet Mimic, for the past seven months. Targets were mainly social rights activists representing the Tibetan and Uyghur minorities in China, as well as government agencies in Russia and India. The most recent attacks took place in 2015, and according to researchers, show that Scarlet Mimic is interested in knowing more about Muslim activists and people interested in critiques of the Russian government.

Researchers say there is no evidence linking Scarlet Mimic to a government source, but that it is "likely a well-funded and skillfully resourced cyber adversary," and that the group's motives are similar to the stated positions of the Chinese government.

Scarlet Mimic's main weapon of choice is FakeM, a shellcode-based Windows backdoor so named because its command-and-control traffic evades detection by mimicking Windows Messenger and Yahoo Messenger.

FakeM has been evolving with the help of Scarlet Mimic's developers, according to Palo Alto. Researchers discovered FakeM variants that use SSL to encrypt command-and-control communications; one variant even uses a customized SSL protocol that skips the traditional "client hello" SSL handshake.
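One defender-side check that follows from the "no client hello" detail: a client stream on TCP 443 whose first bytes are not a TLS ClientHello record is worth reviewing. This is an added example, not code from the article or from Unit 42; the flow tuples and byte strings are constructed samples.

```python
"""Flag port-443 client flows whose first bytes are not a TLS ClientHello.

Added example (not from the article or Unit 42). The article says one FakeM
variant speaks a customized SSL that skips the ClientHello handshake, so a
443 stream that never begins with a handshake record is anomalous and should
be reviewed alongside other signals. Sample flows below are constructed.
"""
import struct

TLS_HANDSHAKE = 0x16          # record-layer content type for handshake messages
HANDSHAKE_CLIENT_HELLO = 0x01  # handshake message type for ClientHello


def looks_like_client_hello(first_bytes: bytes) -> bool:
    """True if the payload starts with a TLS/SSL3 handshake record of type ClientHello."""
    if len(first_bytes) < 6:
        return False
    content_type, ver_major, ver_minor, rec_len = struct.unpack("!BBBH", first_bytes[:5])
    if content_type != TLS_HANDSHAKE:
        return False
    # SSL 3.0 / TLS 1.0-1.3 record versions are 0x0300 .. 0x0304
    if ver_major != 0x03 or ver_minor > 0x04:
        return False
    if rec_len == 0:
        return False
    return first_bytes[5] == HANDSHAKE_CLIENT_HELLO


def suspicious_flows(flows, port=443):
    """flows: iterable of (src, dst, dport, first_client_bytes). Returns (src, dst) pairs to review."""
    return [(src, dst) for src, dst, dport, data in flows
            if dport == port and not looks_like_client_hello(data)]


# Constructed samples: one real-looking ClientHello prefix, two non-handshake starts,
# and one non-443 flow that the check ignores.
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 443, bytes.fromhex("160301002a0100002603030102")),
    ("10.0.0.6", "203.0.113.11", 443, b"\x17\x03\x01\x00\x20" + b"\x00" * 32),  # app data, no handshake
    ("10.0.0.7", "203.0.113.12", 443, b"VER 1 MSNP15 CVR0\r\n"),  # messenger-style plaintext on 443
    ("10.0.0.8", "203.0.113.13", 80, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for src, dst in suspicious_flows(SAMPLE_FLOWS):
        print(f"review: {src} -> {dst}: 443 stream did not begin with a TLS ClientHello")
```

A first-bytes heuristic like this catches the described variant but not ones that wrap traffic in a well-formed handshake, so treat a hit as a triage lead rather than a verdict.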

Scarlet Mimic actively developed nine different loader families to deliver FakeM and is also expanding its attacks to more platforms. Palo Alto researchers discovered other tools sharing infrastructure with FakeM -- including the CallMe Trojan, built to compromise Mac OS X, and Psylo, a shellcode-based uploader/downloader similar to FakeM that shares infrastructure with MobileOrder, a Trojan for compromising Android mobile devices. "The connection between FakeM, Psylo, and MobileOrder suggests that Scarlet Mimic is now expanding their espionage efforts from PCs to mobile devices, which marks a major shift in tactics," say researchers.

The group favors spearphishing, with heavy use of decoy documents, as well as watering hole attacks. Yet, it wasn't as sophisticated and hands-on when creating those malicious documents as it was creating its Trojans and payloads. Some of the malicious documents were created with the MNKit, WingD, and Tran Duy Linh toolkits, which are also used by other threat actors.

Decoy documents included a World Uyghur Congress press release, a graphic comparing Vladimir Putin to Adolf Hitler, and a New York Times article about Chinese police seizing the ashes of a Tibetan monk.

Sometimes the attackers trick targets into directly executing the payload, but they've also exploited five different vulnerabilities to extract information without authorization -- including a memory corruption bug in Excel, a system state corruption bug in ActiveX, a buffer overflow in PowerPoint, and stack-based buffer overflows in Microsoft Office and in the CoolType DLL of Adobe Reader and Acrobat.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that, she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

User Rank: Ninja
1/28/2016 | 11:36:54 AM
Re: Sandboxing for the win?
While VM sounds like a feasible solution, you have to assume your cloud account won't also be targeted - which it will be. A toss-away VM only works if the data you need to work with is not under threat of compromise, too. That said, this is where Tor comes in and while the networks have long been hit with negative press due to the "dark net", Tor could be the answer to keeping activists safe.

In addition to the problems above you need to realize that not all activists are tech-savvy. A critical component of any activist group should be a hacktivist who can guide users to safer computing practices and to head off attacks (either through offensive tactics, or diversion through social hacks) like those detailed in the article.
Jason Echols
User Rank: Apprentice
1/26/2016 | 10:38:11 AM
Sandboxing for the win?
If you knew you were being directly targeted by a powerful state actor, I wonder if it would be feasible to run from a virtual OS/App environment like VirtualBox that you started fresh daily? Cloud services could keep your files synced as most of these attacks seem to be aimed at the OS or apps. It's more work, but may be worth it to avoid tracking/jail for these folks.
User Rank: Ninja
1/25/2016 | 11:21:04 PM
Sophistication in Big Brother's (or Comrade's) Evolution
I was just reading the press release from Palo Alto Networks on this story.  This is a good case study in combative hacking techniques that can be used both for good and bad (depending on your POV) group monitoring activities.  The use of bait that is well-researched and targeted in content demonstrates the care that has gone into the development of this system.

Malware Tracker, Kaspersky - many others - have great data on Tran Duy Linh and it's worth the time to read the history there.  I look forward to reading the full length papers on this from PAN soon.