A group dubbed “Scarlet Mimic” is behind attacks against minority rights activists that began more than four years ago, although they’ve shifted both their tactics and the malware used, the Palo Alto Networks Unit 42 researchers who have tracked the attacks for seven months said in a blog post.
While the researchers were unable to link the attacks to a particular source, “the information derived from these activities supports an assessment that a group or groups with motivations similar to the stated position of the Chinese government in relations to these targets is involved,” researchers wrote in the blog post. The targets of the attacks are primarily Uyghur and Tibetan activists and some attacks also have been launched against government organizations in Russia and India.
“This group was most likely tasked by a government organization to gather data on these activists by whatever means possible Ryan Olson, Unit 42’s director of threat intelligence, told SCMagazine.com.
Olson said that a Unit 42 researcher who was examining malware samples last June spotted variants of a Windows backdoor called “FakeM,” whose command and control traffic avoids detection by mimicking both Windows Messenger and Yahoo!Messenger traffic, and which was identified by Trend Micro in a 2013 paper. Researchers quickly realized that Scarlet Mimic had created the variants and was using them, as well as trojans aimed at the Android operating system and Mac OS X, to execute spear-phishing and watering hole attacks to gather information on the activists.
“When they were discovered by Trend Micro in 2013, they sort of died off after that,” Olson said. “They dropped infrastructure and all the malware” they were using and had to retool, costing them time and money – the same results that Unit 42 wants to provoke this time.
The group also changed tactics in the years since their activities were first uncovered, broadening its targets from just the activists to “suddenly now targeting .orgs tracking activists that might have better data on them,” Olson said.
The researchers said, the group has exploited five different software vulnerabilities to launch spearfishing attacks. The group didn’t use zero days, Olson explained, but rather “exploited older vulnerabilities in systems that didn’t get fully patched.” Scarlet Mimic doesn’t always rely on exploiting vulnerabilities, the group also uses “self-extracting (SFX) RAR archives that use the Right-to-Left Override character to mask the true file extension, tricking victims into opening executable files,” the researchers wrote.
And the Trojans aimed at Mac and Android gather location information, effectively letting the group turn phones into tracking devices. The threat from Scarlet Mimic “is pretty specific in this case – someone who doesn’t have relationship with activists won’t be targeted,” said Olson, adding that his “mom should not be worried but lots of people should be concerned. “The shift to target government organizations changes things” and might pose a threat to others, such as a college professor who was recently a victim, who might research activists “during the course of their work.”
Olson recommended that organizations and users keep patches for their systems up to date and, of course, avoid clicking on unknown or unfamiliar links. He noted that by publishing such an extensive account of Unit 42’s findings, Scarlet Mimic will likely go to ground while it regroups and retools its attacks and tactics. “The downside is we’re losing our insight into them,” he said. “But we know we’ll pick them up again.”