Scarlet Mimic Espionage Malware Campaign Targets Activists and Minorities Such as Uyghurs and Tibetans — The Campaign Also Targets Indian and Russian Government Agencies.
Palo Alto Networks' Unit 42 researchers have been closely tracking a four-year-long espionage campaign run by a group of attackers the research team has dubbed Scarlet Mimic.
According to their findings, the campaign was primarily geared toward gathering information about Chinese minority activist groups.
For seven months the team observed Scarlet Mimic's activity and concluded that the group was targeting social rights activists representing the Uyghur and Tibetan minorities in China. Indian and Russian government agencies were also among the group's targets.
The group's most recent attacks took place in 2015, and according to the researchers these latest operations suggest that Scarlet Mimic is keen to learn more about people who criticize the Russian government and about the activities of Muslim activists.
The Palo Alto Networks team also stated that it could not find any link between Scarlet Mimic and a government sponsor; however, the group is "likely a well-funded and skillfully resourced cyber adversary," and its targeting closely aligns with the interests of the Chinese government.
The group's primary tool is FakeM, a shellcode-based Windows backdoor that got its name because its C&C (command and control) traffic evades detection by mimicking Yahoo Messenger and Windows Messenger traffic.
Scarlet Mimic has continued to develop and evolve FakeM, the Palo Alto research team states. The team also found that later FakeM variants use SSL to encrypt their C&C communications. One variant even uses a fully customized SSL-like protocol that skips the conventional "client hello" handshake, so the session does not begin the way a standard SSL connection does.
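The detail above suggests a simple network-hunting check: a client connection to an SSL/TLS port whose first bytes are not a well-formed ClientHello is worth a look, whether it carries a bare SSL-style record with no handshake or plaintext that resembles an instant-messenger protocol. The following Python is an added example written for this page; it is not Unit 42's code and does not reflect FakeM's actual byte layout, which the article does not describe. The flow tuples and payloads are constructed for illustration, and the messenger heuristics (Yahoo Messenger packets beginning with "YMSG", MSN-style three-letter commands) are only coarse labels for the non-TLS case.

```python
"""Flag client flows to TLS ports whose first payload is not a real TLS ClientHello.

Added example for this page, not Unit 42's code. The sample flows below are
constructed; the classification of FakeM's real traffic is not known from the article.
"""
import re
import struct

TLS_HANDSHAKE = 0x16
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}  # change_cipher_spec, alert, handshake, app data
CLIENT_HELLO = 0x01
MSNP_COMMAND = re.compile(rb"^[A-Z]{3} \d+ ")  # MSN-style "VER 1 MSNP8 ..." (heuristic)


def parse_tls_client_hello(payload: bytes):
    """Return a small dict if payload starts with a well-formed TLS ClientHello, else None.

    Checks the 5-byte record header, the 4-byte handshake header, and that the
    record length, handshake length and minimum ClientHello body size agree.
    """
    if len(payload) < 9:
        return None
    ctype, major, minor, rec_len = struct.unpack("!BBBH", payload[:5])
    if ctype != TLS_HANDSHAKE or major != 3 or minor > 4:
        return None
    hs_type = payload[5]
    hs_len = int.from_bytes(payload[6:9], "big")
    if hs_type != CLIENT_HELLO or hs_len + 4 != rec_len:
        return None
    body = payload[9:9 + hs_len]
    if len(body) < 35:  # client_version(2) + random(32) + session_id_len(1)
        return None
    return {"record_version": (major, minor), "client_version": (body[0], body[1])}


def classify_first_payload(payload: bytes) -> str:
    """Label the first client-to-server bytes of a flow."""
    if parse_tls_client_hello(payload) is not None:
        return "tls-client-hello"
    # Looks like a TLS record header but the session never sent a ClientHello.
    if len(payload) >= 5 and payload[0] in TLS_CONTENT_TYPES and payload[1] == 3 and payload[2] <= 4:
        return "tls-record-without-hello"
    if payload.startswith(b"YMSG"):
        return "yahoo-messenger-like"
    if MSNP_COMMAND.match(payload):
        return "msn-messenger-like"
    return "unknown"


def find_suspicious_tls_flows(flows, tls_ports=(443,)):
    """flows: iterable of (client_ip, server_ip, server_port, first_client_payload).

    Returns (client_ip, server_ip, port, label) for every flow to a TLS port
    that does not open with a ClientHello.
    """
    flagged = []
    for src, dst, port, payload in flows:
        if port not in tls_ports:
            continue
        label = classify_first_payload(payload)
        if label != "tls-client-hello":
            flagged.append((src, dst, port, label))
    return flagged


def build_client_hello() -> bytes:
    """Construct a minimal but structurally valid TLS 1.2 ClientHello (one cipher suite)."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02" + b"\x00\x2f" + b"\x01" + b"\x00"
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# Constructed sample flows (not real captures).
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 443, build_client_hello()),
    ("10.0.0.6", "203.0.113.20", 443, b"\x17\x03\x01\x00\x10" + bytes(16)),  # app data, no hello
    ("10.0.0.7", "203.0.113.30", 443, b"VER 1 MSNP8 CVR0\r\n"),
    ("10.0.0.8", "203.0.113.40", 443, b"YMSG" + bytes(16)),
    ("10.0.0.9", "203.0.113.50", 80, b"GET / HTTP/1.1\r\n"),  # not a TLS port, ignored
]

if __name__ == "__main__":
    for hit in find_suspicious_tls_flows(SAMPLE_FLOWS):
        print(hit)
```

In practice this check should run on reassembled TCP streams and only on the first client-to-server bytes, since a legitimate session resumed mid-capture will also lack a ClientHello; treat the labels as hunting leads, not verdicts.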
Scarlet Mimic has developed nine distinct loader families to deliver FakeM. The group is also expanding the scope of its attacks by using other tools alongside FakeM, such as the CallMe and Psylo Trojans. CallMe targets Mac OS X, while Psylo is similar to FakeM and shares infrastructure with another Trojan, MobileOrder, which is aimed at mobile devices.
The Palo Alto Networks team suggests that:
"The connection between FakeM, Psylo, and MobileOrder suggests that Scarlet Mimic is now expanding their espionage efforts from PCs to mobile devices, which marks a major shift in tactics."
Researchers also revealed that the attackers used a New York Times article as a lure to target victims.
The attacks also used press releases from the World Uyghur Congress as lures against the activists and minority groups.
The group prefers spear phishing and relies heavily on decoy documents and watering hole attacks. It is also apparent that the group is less sophisticated at crafting malicious documents than at developing Trojans and payloads: its malicious documents were built with the MNKit, Tran Duy Linh and WingD toolkits.
One decoy document contains a graphic showing supposed similarities between Vladimir Putin and Adolf Hitler.
Palo Alto Networks has published much more detail on this campaign; if you are interested in reading more, click here.