G0029 Scarlet Mimic

Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group’s motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, it has not been concluded that the groups are the same. ¹

Item	Value
ID	G0029
Associated Names
Version	1.2
Created	31 May 2017
Last Modified	30 March 2020
Navigation Layer	View In ATT&CK® Navigator

Techniques Used

Domain	ID	Name	Use
enterprise	T1036	Masquerading	-
enterprise	T1036.002	Right-to-Left Override	Scarlet Mimic has used the left-to-right override character in self-extracting RAR archive spearphishing attachment file names.¹

Software

ID	Name	References	Techniques
S0077	CallMe	¹	Unix Shell:Command and Scripting Interpreter Symmetric Cryptography:Encrypted Channel Exfiltration Over C2 Channel Ingress Tool Transfer
S0076	FakeM	¹	Protocol Impersonation:Data Obfuscation Symmetric Cryptography:Encrypted Channel Keylogging:Input Capture Non-Application Layer Protocol
S0079	MobileOrder	¹	Browser Information Discovery Data from Local System Exfiltration Over C2 Channel File and Directory Discovery Ingress Tool Transfer Process Discovery System Information Discovery
S0078	Psylo	¹	Web Protocols:Application Layer Protocol Exfiltration Over C2 Channel File and Directory Discovery Timestomp:Indicator Removal Ingress Tool Transfer

References

Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016. ↩↩↩↩↩↩