Scarlet Mimic

Threat Actor Profile (updated 3 months ago)
Scarlet Mimic is a threat actor active since at least 2009 that has deployed progressively more capable malware, delivered primarily through spear-phishing and, less often, watering holes. Its operations center on a Windows backdoor named "FakeM", first described by Trend Micro in 2013. FakeM disguises its command and control (C2) traffic as Windows Messenger and Yahoo Messenger instant-messaging traffic, so that at the time it blended in with ordinary user activity. The group has used a variety of loader Trojans to run FakeM and has also deployed Trojans for Mac OS X and Android, so it can operate against several platforms. It runs the well-known HTRAN connection-bouncing tool on at least some of its C2 servers.

In July 2015 Scarlet Mimic sent a spear-phishing email to a branch of the Russian government carrying a payload that, at the time, no antivirus vendor on VirusTotal detected. Infrastructure overlaps between FakeM, the Psylo Trojan and the MobileOrder Android Trojan show the group extending its espionage tooling from PCs to mobile devices, a notable shift in its tradecraft.

On January 12, 2016 Cylance published analysis linking an exploit document to the group Mandiant tracks as APT2 and CrowdStrike as "Putter Panda". Some IP addresses used in that group's attacks overlap with Scarlet Mimic infrastructure, but the two have not been concluded to be the same actor. Spear-phishing is Scarlet Mimic's established delivery method, but at least one campaign departed from it, so defenders should not treat that pattern as a safe assumption.
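FakeM's camouflage rests on imitating instant-messaging protocols. The following is an added example written for this page, not code from the Unit 42 report, from MITRE, or from FakeM itself. It shows the hunting logic that such mimicry invites: flag flows that carry MSN Messenger (MSNP) or Yahoo Messenger (YMSG) protocol markers toward hosts or ports that never served those protocols. The protocol markers and ports (MSNP three-letter commands with a numeric transaction id on TCP 1863, the ASCII magic "YMSG" on TCP 5050) are real protocol facts; the allowlist of legacy IM hosts, the Flow record shape and every sample flow are constructed assumptions, and nothing here is FakeM's actual byte pattern, which the page does not give.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Real protocol markers: an MSNP session opens with "VER <trid> MSNP..." and every
# client line is a three-letter command, a numeric transaction id and arguments,
# terminated by CRLF; every YMSG packet starts with the ASCII magic "YMSG".
MSNP_COMMANDS = {b"VER", b"CVR", b"USR", b"MSG", b"PNG", b"SYN", b"CHG", b"OUT", b"XFR"}
YMSG_MAGIC = b"YMSG"
MSNP_PORT, YMSG_PORT = 1863, 5050

# Hostnames that legitimately served these protocols (assumption for the example).
# Both services are retired, so in a current environment this set can be empty and
# any hit becomes worth a look.
LEGACY_IM_HOSTS = {"messenger.hotmail.com", "scs.msg.yahoo.com"}


@dataclass
class Flow:
    src: str
    dst_host: str      # resolved name or IP of the server side
    dst_port: int
    payload: bytes     # first client-to-server bytes, as a sensor would capture them


def looks_like_msnp(payload: bytes) -> bool:
    """First line is '<CMD> <digits> ...' with a known MSNP command."""
    line = payload.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    return len(parts) >= 2 and parts[0] in MSNP_COMMANDS and parts[1].isdigit()


def looks_like_ymsg(payload: bytes) -> bool:
    return payload.startswith(YMSG_MAGIC)


def classify(flow: Flow) -> Optional[str]:
    """Return a verdict for flows carrying IM-protocol markers, None otherwise."""
    if looks_like_ymsg(flow.payload):
        proto, port = "YMSG", YMSG_PORT
    elif looks_like_msnp(flow.payload):
        proto, port = "MSNP", MSNP_PORT
    else:
        return None
    if flow.dst_host in LEGACY_IM_HOSTS and flow.dst_port == port:
        return f"{proto} to known legacy IM service"
    # IM-shaped traffic to a host that never served IM, or on a non-IM port such
    # as 443, is the pattern a protocol-mimicking backdoor produces.
    return f"{proto} mimicry suspected: {flow.dst_host}:{flow.dst_port}"


def hunt(flows: List[Flow]) -> List[Tuple[str, str]]:
    """(src, verdict) for every flow that looks like IM traffic to a non-IM destination."""
    hits = []
    for f in flows:
        verdict = classify(f)
        if verdict and verdict.startswith(("MSNP mimicry", "YMSG mimicry")):
            hits.append((f.src, verdict))
    return hits


# Constructed sample flows (not captured FakeM traffic).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "messenger.hotmail.com", 1863, b"VER 1 MSNP15 MSNP14 CVR0\r\n"),
    Flow("10.0.0.7", "203.0.113.10", 443, b"MSG 12 N 137\r\nMIME-Version: 1.0\r\n"),
    Flow("10.0.0.9", "198.51.100.22", 5050, b"YMSG\x00\x10\x00\x00\x00\x1a\x00\x57"),
    Flow("10.0.0.3", "www.example.com", 80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"),
]

if __name__ == "__main__":
    for src, verdict in hunt(SAMPLE_FLOWS):
        print(src, verdict)
```

Both messaging services have since been retired, so in a current environment any MSNP- or YMSG-shaped traffic deserves a look regardless of destination. The Psylo entry further down notes FakeM variants that moved to custom SSL; against those the cleartext markers are gone, and the destination, not the protocol shape, is the signal.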
Miscellaneous Associations
Other contextual elements that may help in judging relevance:
Backdoor, Windows, Exploited, Malware, Android, Phishing, Exploit, Loader, Payload, Decoy, Antivirus, Espionage
Associated Malware
ID | Type | Votes | Profile Description
FakeM | Unspecified | 1 | FakeM is a malware family first exposed in 2013 by Trend Micro, named for its command and control traffic mimicking Windows Messenger and Yahoo. The malware primarily operates as a Windows backdoor, used extensively by the cyber-espionage group Scarlet Mimic. Since its exposure, FakeM has undergone
MobileOrder | Unspecified | 1 | MobileOrder is Android malware. It registers itself as a device administrator, which prevents users from simply uninstalling it through the regular settings. MobileOrder communicates with its command and control (C2) server over TCP port
Psylo | Unspecified | 1 | Psylo is a previously unreported Trojan discovered by Unit 42 during an infrastructure analysis of FakeM Custom SSL variants. The malware was named after the anagram 'hnxlopsyxt', which is the mutex created when the payload first runs. Psylo has been found to have overlaps with F
Associated Threat Actors
ID | Type | Votes | Profile Description
Putter Panda | Unspecified | 1 | No description available
APT2 | Unspecified | 1 | APT2, suspected to be affiliated with China, is a threat actor known for its cyber operations targeting the military and aerospace sectors. The primary objective of APT2's activities is intellectual property theft, focusing on data and projects that give an organization a competitive edge within its
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Scarlet Mimic threat actor was read from the documents below (display limited to 20 results).
Source | Created | Title
MITRE | a year ago | Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists