

'Scarlet Mimic' Hackers Snoop On Minority Activists In China

Weapon of choice is the FakeM Windows backdoor, but it's making moves to more platforms.

A four-year-long cyber-attack campaign with the primary mission of gathering information about minority activist groups in China has been discovered by researchers at Palo Alto Networks' Unit 42.

Palo Alto has been following the group, which they've dubbed Scarlet Mimic, for the past seven months. Targets were mainly social rights activists representing the Tibetan and Uyghur minorities in China, as well as government agencies in Russia and India. The most recent attacks took place in 2015, and according to researchers, show that Scarlet Mimic is interested in knowing more about the Muslim activists and people interested in critiques of the Russian government.

Researchers say there is no evidence linking Scarlet Mimic to a government source, but that it is "likely a well-funded and skillfully resourced cyber adversary," and that the group's motives are similar to the stated positions of the Chinese government.

Scarlet Mimic's main weapon of choice is FakeM, a shellcode-based Windows backdoor so named because its command-and-control traffic evades detection by mimicking Windows Messenger and Yahoo Messenger.

FakeM has been evolving with the help of Scarlet Mimic's developers, according to Palo Alto. Researchers discovered FakeM variants that use SSL to encrypt command-and-control communications; one variant even uses a customized SSL protocol that skips the traditional "client hello" SSL handshake.
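As an added defender-side illustration (not code from the article, from Unit 42, or from the malware itself), here is a small triage heuristic that flags port-443 streams whose first client bytes are not a TLS ClientHello, the traffic shape the custom-SSL FakeM variant described above would produce; the sample streams and addresses are constructed.

```python
"""Flag TCP-443 streams whose first client bytes are not a TLS ClientHello.

Constructed detection heuristic for the "SSL without a client hello" pattern
described in the article; not Scarlet Mimic's code and not Unit 42's tooling.
"""
import struct

TLS_HANDSHAKE = 0x16   # TLS record content type: handshake
CLIENT_HELLO = 0x01    # handshake message type: ClientHello
TLS_VERSIONS = {0x0300, 0x0301, 0x0302, 0x0303}  # SSL 3.0 .. TLS 1.2 record versions


def starts_with_client_hello(payload: bytes) -> bool:
    """Return True if the first client->server bytes parse as a ClientHello.

    Only the 5-byte record header and 4-byte handshake header are checked;
    a full TLS parser is not needed for this triage heuristic.
    """
    if len(payload) < 9:
        return False
    content_type, version, rec_len = struct.unpack("!BHH", payload[:5])
    if content_type != TLS_HANDSHAKE or version not in TLS_VERSIONS:
        return False
    hs_type = payload[5]
    hs_len = int.from_bytes(payload[6:9], "big")
    # The handshake message (4-byte header + body) must fit in the record body.
    return hs_type == CLIENT_HELLO and hs_len + 4 <= rec_len


def find_suspect_streams(streams):
    """streams: iterable of (src, dst, dport, first_client_bytes).

    Yields (src, dst) for port-443 streams that do not open with a ClientHello.
    """
    for src, dst, dport, first_bytes in streams:
        if dport == 443 and not starts_with_client_hello(first_bytes):
            yield (src, dst)


# Constructed sample data (not real captures).
REAL_HELLO = bytes.fromhex("160301002c01000028") + b"\x03\x03" + b"\x00" * 38
BOGUS_SSL = bytes.fromhex("170303001a") + b"\x9d\x11\x7f\x00" + b"\x00" * 22  # app-data first
NOT_TLS = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"

SAMPLE_STREAMS = [
    ("10.0.0.5", "203.0.113.10", 443, REAL_HELLO),
    ("10.0.0.7", "203.0.113.20", 443, BOGUS_SSL),
    ("10.0.0.9", "203.0.113.30", 80, NOT_TLS),
]

if __name__ == "__main__":
    for src, dst in find_suspect_streams(SAMPLE_STREAMS):
        print(f"port-443 stream without ClientHello: {src} -> {dst}")
```

Run against the first client-to-server bytes of each flow; a hit is a lead for further inspection, since non-TLS services on 443 will also trip it.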

Scarlet Mimic actively developed nine different loader families to deliver FakeM and is also expanding its attacks to more platforms. Palo Alto researchers discovered other tools sharing infrastructure with FakeM -- including the CallMe Trojan, built to exploit Mac OS X, and Psylo, a shellcode-based uploader/downloader similar to FakeM that shares infrastructure with MobileOrder, a Trojan for compromising Android mobile devices. "The connection between FakeM, Psylo, and MobileOrder suggests that Scarlet Mimic is now expanding their espionage efforts from PCs to mobile devices, which marks a major shift in tactics," say researchers.

The group favors spearphishing, with heavy use of decoy documents, as well as watering hole attacks. Yet it wasn't as sophisticated and hands-on when creating those malicious documents as it was when creating its Trojans and payloads. Some of the malicious documents were created with the MNKit, WingD, and Tran Duy Linh toolkits, which are also used by other threat actors.

Decoy documents included a World Uyghur Congress press release, a graphic comparing Vladimir Putin to Adolf Hitler, and a New York Times article about Chinese police seizing the ashes of a Tibetan monk.

Sometimes the attackers trick targets into directly executing the payload, but they've also exploited five different vulnerabilities to extract information without authorization -- including a memory corruption bug in Excel, a system state corruption bug in ActiveX, a buffer overflow in PowerPoint, and stack-based buffer overflows in Microsoft Office and the CoolType DLL in Adobe Reader and Acrobat.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

User Rank: Ninja
1/28/2016 | 11:36:54 AM
Re: Sandboxing for the win?
While VM sounds like a feasible solution, you have to assume your cloud account won't also be targeted - which it will be. A toss-away VM only works if the data you need to work with is not under threat of compromise, too. That said, this is where Tor comes in and while the networks have long been hit with negative press due to the "dark net", Tor could be the answer to keeping activists safe.

In addition to the problems above you need to realize that not all activists are tech-savvy. A critical component of any activist group should be a hacktivist who can guide users to safer computing practices and to head off attacks (either through offensive tactics, or diversion through social hacks) like those detailed in the article.
Jason Echols
User Rank: Apprentice
1/26/2016 | 10:38:11 AM
Sandboxing for the win?
If you knew you were being directly targeted by a powerful state actor, I wonder if it would be feasible to run from a virtual OS/App environment like VirtualBox that you started fresh daily? Cloud services could keep your files synced as most of these attacks seem to be aimed at the OS or apps. It's more work, but may be worth it to avoid tracking/jail for these folks.
User Rank: Ninja
1/25/2016 | 11:21:04 PM
Sophistication in Big Brother's (or Comrade's) Evolution
I was just reading the press release from Palo Alto Networks on this story. This is a good case study in combative hacking techniques that can be used both for good and bad (depending on your POV) group monitoring activities. The use of bait that is well-researched and targeted in content demonstrates the care that has gone into the development of this system.

Malware Tracker, Kaspersky - many others - have great data on Tran Duy Linh and it's worth the time to read the history there. I look forward to reading the full length papers on this from PAN soon.