1/25/2016 06:00 PM
'Scarlet Mimic' Hackers Snoop On Minority Activists In China

Weapon of choice is the FakeM Windows backdoor, but it's making moves to more platforms.

A four-year-long cyber-attack campaign with the primary mission of gathering information about minority activist groups in China has been discovered by researchers at Palo Alto Networks' Unit 42.

Palo Alto has been following the group, which it has dubbed Scarlet Mimic, for the past seven months. Targets were mainly social rights activists representing the Tibetan and Uyghur minorities in China, as well as government agencies in Russia and India. The most recent attacks took place in 2015 and, according to researchers, show that Scarlet Mimic is interested in knowing more about Muslim activists and about people interested in critiques of the Russian government.

Researchers say there is no evidence linking Scarlet Mimic to a government source, but that it is "likely a well-funded and skillfully resourced cyber adversary," and that the group's motives are similar to the stated positions of the Chinese government.

Scarlet Mimic's main weapon of choice is FakeM, a shellcode-based Windows backdoor so named because its command-and-control traffic evades detection by mimicking Windows Messenger and Yahoo Messenger.

FakeM has been evolving with the help of Scarlet Mimic's developers, according to Palo Alto. Researchers discovered FakeM variants that use SSL to encrypt command-and-control communications; one variant even uses a customized SSL protocol that skips the traditional "client hello" SSL handshake.
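The "skips the client hello" detail above suggests a simple defender-side check: on ports where TLS is expected, the first client-to-server bytes should parse as a TLS handshake record carrying a ClientHello, and sessions that do not fit that shape deserve a closer look. The following is an added example, not code from the article or from Palo Alto Networks; it assumes flow records that expose the first client payload bytes, and the sample flows are constructed.

```python
import struct

# Ports on which a client's first bytes are expected to be a TLS ClientHello.
TLS_PORTS = {443, 465, 993, 995}


def is_tls_client_hello(payload: bytes) -> bool:
    """True if the first client-to-server bytes form a TLS record that carries
    a ClientHello: record type 0x16, version 3.x, handshake type 0x01, and a
    handshake length that reaches at least to the end of the record."""
    if len(payload) < 9:
        return False
    content_type, major, minor, rec_len = struct.unpack("!BBBH", payload[:5])
    if content_type != 0x16 or major != 3 or minor > 4 or rec_len < 4:
        return False
    hs_type = payload[5]
    hs_len = int.from_bytes(payload[6:9], "big")
    # ClientHello must be the first message; it may be fragmented across records
    # (hs_len + 4 > rec_len) but must not end before the record does.
    return hs_type == 0x01 and hs_len + 4 >= rec_len


def flag_sessions_without_client_hello(flows):
    """Return ids of sessions to TLS ports whose first client payload is not a
    ClientHello. Each flow is a dict: id, dst_port, first_client_payload."""
    return [
        f["id"]
        for f in flows
        if f["dst_port"] in TLS_PORTS
        and not is_tls_client_hello(f["first_client_payload"])
    ]


# Constructed sample flows (not real captures).
SAMPLE_FLOWS = [
    # Normal TLS record framing a 48-byte ClientHello on 443: not flagged.
    {"id": "f1", "dst_port": 443,
     "first_client_payload": b"\x16\x03\x01\x00\x30\x01\x00\x00\x2c\x03\x03" + bytes(42)},
    # Application-data record with no preceding handshake on 443: flagged.
    {"id": "f2", "dst_port": 443,
     "first_client_payload": b"\x17\x03\x01\x00\x20" + bytes(32)},
    # Plaintext on 443 that is not TLS at all: flagged.
    {"id": "f3", "dst_port": 443, "first_client_payload": b"HELLO\x00\x01\x02\x03"},
    # HTTP on port 80: not a TLS port, so not judged.
    {"id": "f4", "dst_port": 80, "first_client_payload": b"GET / HTTP/1.1\r\n"},
]

if __name__ == "__main__":
    print(flag_sessions_without_client_hello(SAMPLE_FLOWS))  # ['f2', 'f3']
```

A hit is only a lead: non-TLS services do legitimately run on these ports, so the check is a triage filter, not a verdict.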

Scarlet Mimic actively developed nine different loader families to deliver FakeM and is also expanding its attacks to more platforms. Palo Alto researchers discovered other tools sharing infrastructure with FakeM -- including the CallMe Trojan, built to compromise Mac OS X, and Psylo, a shellcode-based uploader/downloader similar to FakeM that shares infrastructure with MobileOrder, a Trojan for compromising Android mobile devices. "The connection between FakeM, Psylo, and MobileOrder suggests that Scarlet Mimic is now expanding their espionage efforts from PCs to mobile devices, which marks a major shift in tactics," say researchers.

The group favors spearphishing, with heavy use of decoy documents, as well as watering hole attacks. Yet it wasn't as sophisticated and hands-on when creating those malicious documents as it was when creating its Trojans and payloads. Some of the malicious documents were created with the MNKit, WingD, and Tran Duy Linh toolkits, which are also used by other threat actors.

Decoy documents included a World Uyghur Congress press release, a graphic comparing Vladimir Putin to Adolf Hitler, and a New York Times article about Chinese police seizing the ashes of a Tibetan monk.

Sometimes the attackers trick targets into directly executing the payload, but they've also exploited five different vulnerabilities to extract information without authorization -- including a memory corruption bug in Excel, a system state corruption bug in ActiveX, a buffer overflow in PowerPoint, and stack-based buffer overflows in Microsoft Office and the CoolType DLL in Adobe Reader and Acrobat.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
Christian Bryant, User Rank: Ninja
1/28/2016 | 11:36:54 AM
Re: Sandboxing for the win?
While VM sounds like a feasible solution, you have to assume your cloud account won't also be targeted - which it will be. A toss-away VM only works if the data you need to work with is not under threat of compromise, too. That said, this is where Tor comes in and while the networks have long been hit with negative press due to the "dark net", Tor could be the answer to keeping activists safe.

In addition to the problems above you need to realize that not all activists are tech-savvy. A critical component of any activist group should be a hacktivist who can guide users to safer computing practices and to head off attacks (either through offensive tactics, or diversion through social hacks) like those detailed in the article.
Jason Echols, User Rank: Apprentice
1/26/2016 | 10:38:11 AM
Sandboxing for the win?
If you knew you were being directly targeted by a powerful state actor, I wonder if it would be feasible to run from a virtual OS/App environment like VirtualBox that you started fresh daily? Cloud services could keep your files synced as most of these attacks seem to be aimed at the OS or apps. It's more work, but may be worth it to avoid tracking/jail for these folks.
Christian Bryant, User Rank: Ninja
1/25/2016 | 11:21:04 PM
Sophistication in Big Brother's (or Comrade's) Evolution
I was just reading the press release from Palo Alto Networks on this story. This is a good case study in combative hacking techniques that can be used both for good and bad (depending on your POV) group monitoring activities. The use of bait that is well-researched and targeted in content demonstrates the care that has gone into the development of this system.

Malware Tracker, Kaspersky - many others - have great data on Tran Duy Linh and it's worth the time to read the history there. I look forward to reading the full-length papers on this from PAN soon.