Scarlet Mimic: Dig Deeper with Unit 42

Posted by Fuel HQ on Mar 31, 2016 6:00:00 AM


Last month, the Palo Alto Networks threat research team, Unit 42, sat down with Fuel for a Q&A webinar on the notorious "Scarlet Mimic" campaign. This series of attacks, targeting human rights activists as well as organizations with knowledge about these groups, proved to be a long-standing, highly complex cyberespionage campaign.

Dig deeper with Unit 42 as they answer even more of your questions about this campaign, including how long it took to plan this kind of attack and why organizations may have been so susceptible.

If you missed the webinar, log in and check out the recording in the resource center. Not a Fuel member? Join today for free to access this and other resources. 


You mentioned during the webcast that this appears to be a well-funded, organized, and long term effort. How long do you think it takes to plan this kind of attack before any efforts are launched?

Our data points don’t give us the level of detail we’d need to make an accurate assessment on how long it takes them to plan an attack. However, Scarlet Mimic does use timely lures often taken directly from news sites or sites frequented by their targets, or sometimes compromise those sites themselves to serve malware. The malware compile times post the TrendMicro paper in 2013 that first publicly discussed this activity roughly average every two months – though that is not exact. In one case, the decoy document was from a news story published the same day as the attack. As the group relies largely on older vulnerabilities or self-extracting (SFX) RAR archives that use the Right-to-Left Override character to mask the true file extension, it’s possible the malware development cycle is somewhat independent of when attacks are launched, in favor of timely lures that give the actors a higher likelihood their victims open the malicious file.


The individuals responsible for these attacks used several different attack techniques, including spear phishing, which is similar to the approach used in the Lotus Blossom campaign that was uncovered in June 2015. Why do you think this type of attack is so common?

It’s so common because it is easy and it works. Spear phishing is one of the most common attack vectors across not only APT campaigns but also crimeware and ransomware. It can be the easiest way into a network or desired user system without additional technical requirements outside the malware (which in some cases can be bought online or freely downloaded). For example, it’s much easier if I want illegal access to your network or system to send you a malicious attachment or link via email and hope you click it (or that at least someone in your organization does) than to try to hack either your system or the network directly. Even if the spear phish is detected it likely will just be deleted without further action. But if I’m caught hacking into your system or network, that ensures a reaction from a security team that will look for malware and other illegal access or credential abuse. Attempting to hack in also leaves me as the attacker vulnerable to the possibility of a host of other perimeter and defense-in-depth defenses spear phishing does not. Spear phishing is easy and low risk to the attacker.


A lot of the successful attacks in this campaign are from well-known malware and exploits; why are organizations still so susceptible to known threats?

Because, for a variety of reasons, not all organizations, or individuals, are running fully patched systems or have large budgets, or any budget, for IT. Even if the system is patched and has other security in place, as we noted in the blog Scarlet Mimic has used self-extracting (SFX) RAR archives that use the Right-To-Left Override character to mask the true file extension – so the victim might think they’re opening a Microsoft Word document but are in fact opening an executable file. That’s why there is such focus on user awareness and training surrounding suspicion of unsolicited, unexpected, or an email that just doesn’t seem “right”. It’s better to take the extra few minutes to investigate the email or forward the attachment to a security team – or if you don’t have a security team upload to a free service such as VirusTotal and see if it’s deemed malicious. It’s not 100% accurate, but it helps. The best approach would be fully patched systems and a security device ecosystem such as what our products afford. I hope as the press around this grows, and the knowledge of the populace in general about these types of threats grows, it’ll force malicious actors to work harder. Zero days aren’t most companies’ or people’s greatest threat – it’s opening malicious documents or clicking malicious links sent via spear phishing.
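The Right-to-Left Override masking mentioned in this answer and in the first one can be checked for on a mail gateway or endpoint. The following is an added example, not code from Unit 42 or Palo Alto Networks: it compares the extension the operating system acts on with the one a user is shown. The extension list, the function names and the sample filenames are assumptions constructed for illustration, and the display logic is a simplified model of bidirectional rendering.

```python
# Bidirectional formatting characters that change how a filename is drawn.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
RLO, PDF = "\u202e", "\u202c"  # Right-to-Left Override / Pop Directional Formatting
# Assumed policy list: extensions that run code when opened on Windows.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}


def _ext(name):
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def displayed_name(name):
    """Approximate what the user sees: text under an RLO is drawn reversed."""
    out, run, in_rlo = [], [], False
    for ch in name:
        if ch == RLO and not in_rlo:
            in_rlo = True
        elif ch == PDF and in_rlo:
            out.extend(reversed(run))
            run, in_rlo = [], False
        elif ch in BIDI_CONTROLS:
            continue  # other controls are invisible; ignored in this sketch
        elif in_rlo:
            run.append(ch)
        else:
            out.append(ch)
    out.extend(reversed(run))
    return "".join(out)


def inspect(name):
    """Compare the extension the OS acts on with the one the user is shown."""
    logical = "".join(c for c in name if c not in BIDI_CONTROLS)
    real_ext, shown = _ext(logical), displayed_name(name)
    has_bidi = logical != name
    return {
        "displayed": shown,
        "real_ext": real_ext,
        "shown_ext": _ext(shown),
        "has_bidi": has_bidi,
        "masked_executable": has_bidi and real_ext in EXECUTABLE_EXTS
                             and _ext(shown) != real_ext,
    }


# Constructed sample attachment names (not taken from the campaign).
SAMPLES = ["agenda\u202ecod.exe", "agenda.doc", "notes\u202etxt.pdf"]
if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), inspect(s))
```

Any bidirectional control character in an attachment name is worth quarantining for review; `masked_executable` marks the case described above, where the name appears to end in a document extension but the file is an executable.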


What can Fuel members learn from the Scarlet Mimic investigation that they should apply to their own organizations?

The awareness they need security in place to mitigate malicious emails to stop them getting through to users, and if they do get through to have other security in place that can detect and stop malicious activity. Our product ecosystem is a great example of this.

Have another question? Post it in the Discussion Forums. Not a Fuel member? Join today.

Topics: Integration, Fuel Webcast
