Researchers believe a single group is responsible for a series of attacks over the years to spy on Tibetan and Uyghur activists. For four years the group has used a cornucopia of spearphishing emails, a watering hole attack, and a backdoor Trojan to carry out espionage.
Dubbed Scarlet Mimic, the attacks are primarily spread through phishing emails, according to researchers at Palo Alto Networks who described the campaign on Sunday.
The firm, which analyzed attacks related to the campaign over the past seven months, believes that attackers primarily use the attacks to prey on minority activists.
The groups, many which live in oppressed nations, or in exile, have remained a constant target for attackers. Over the past couple of years researchers with Kaspersky Lab, the Citizen Lab at the Munk School of Global Affairs at the University of Toronto, and Northeastern University, working with National University of Singapore, have all published reports on how the groups – the Uyghurs, a Turkic Muslim minority living in China and Kazakhstan especially – have found themselves in the crosshairs of attackers.
Palo Alto’s report acknowledges the longstanding tension between Uyghur activists and China, but couldn’t outright connect the People’s Republic of China (PRC) with the attacks.
Through Scarlet Mimic, after victims open an email and a corresponding attachment, the document exploits a Microsoft Office vulnerability that installs a backdoor Trojan on their system.
Victims are none the wiser, and according to the researchers, usually see decoy documents after they’ve opened the malicious document to trick them into thinking everything is fine. Palo Alto claims that while the decoy documents are “typically not well crafted,” they do revolve around timely themes – including Uyghur relations, Al-Qaeda happenings, or Russian President Vladimir Putin – that get the victim to open them.
The crux of the attack is based around a backdoor, FakeM, that’s been known about since 2013. As malware is wont to do over the course of four years, the Trojan has undergone a smattering of changes, including new methods to evade detection, since its inception.
The gist of the Trojan remains about the same however. It features a keylogger that can gather sensitive files, along with other commands attackers can run to steal passwords, screencaps, and upload files.
Researchers claim that it appears the Scarlet Mimic attackers only broke protocol once, and instead of phishing emails, staged a watering hole attack. Back in 2013 they compromised the website of the Tibetan Alliance of Chicago to host malicious code via an old Internet Explorer bug, but that effort appears to be an anomaly.
According to Robert Falcone and Jen Miller-Osborn, researchers with the firm, the most recent attacks carried out by the group last year indicate that Scarlet Mimic remains interested in activist groups.
“The most recent Scarlet Mimic attacks we have identified were conducted in 2015 and suggest the group has a significant interest in both Muslim activists and those interested in critiques of the Russian government and Russian President Vladimir Putin. Based on their previous targets we suspect these individuals may be targeted based on the information they posses on activist groups,” Falcone and Miller-Osborn said.