ScarletCitizen: Defense Through Indirect Sharing

Earlier today, the Citizen Lab released a blog post outlining a technical shift in the tactics used by the Scarlet Mimic threat actor. Scarlet Mimic (SM) was first reported on by Palo Alto Networks in January, and the Citizen Lab report provides additional context on the actors and their targets.

The researchers report that SM has repurposed parts of their malware command and control infrastructure to serve phishing attacks that mimic popular online providers, like Google. Although they leave open the possibility that malware attacks continue using unreported infrastructure, this is a change from SM’s previously-documented preference for attachment-based malware (combined with easily-available exploits). Finally, we can't rule out that converting burned or low-utility command and control servers to phishing might also represent a kind of down-cycling of infrastructure, before it is discarded. Phishing, in other words, may be the last stop before domains are finally given up.

In this post we use indicators from these two reports as starting points to surface additional SM infrastructure, and link it to previously-reported findings. This highlights how infrastructure analysis coupled with Open Source Intelligence (OSINT) can link and attribute the disparate indicators generated by threat actors like SM.

Sensitive Targets

Before diving into the infrastructure, it’s important to understand the sensitive nature of the attacks the Citizen Lab chooses to expose. Unlike most attacks, which are motivated by financial gain or focused on theft of intellectual property, those targeting civil society are focused on the people at the other end of the keyboard. Compromising their accounts, machines or mobile devices means the actors can track, intercept, detain or even physically harm those whom they have successfully targeted.

Combating attacks by these actors becomes more difficult as their targets are often part of groups with limited resources and security support. These groups often compute outside of managed environments, and thus each individual is responsible for security choices that can affect everyone whom they work with.

The Citizen Lab provides a valuable service to civil society by exposing attacks, bringing attention to them and working with groups in order to detail their tools, tactics and infrastructure. In addition, Lab researchers can serve as a resource if you suspect a civil society group or activist organization may be among the targets you are looking at. If you are a reverse engineer, researcher or just interested in how you could help, consider contacting info@citizenlab.org.

Infrastructure Chaining

Scarlet Mimic’s heavy reliance on dynamic DNS domains makes their infrastructure challenging to track. Analysts often find it hard to link specific IP addresses and other dynamic DNS domains to one another, because anyone can register these domains, often for limited periods of time. Unless you know the exact time period, it can be difficult to separate signal from noise. Fortunately, there’s a substantial amount of information detailing these actors conducting attacks dating back to 2013.

In surfacing related infrastructure, we chose to list domains or IP addresses that were associated with at least two different known dynamic DNS domains used in a malicious attack. Within PassiveTotal, we used passive DNS to find overlaps and new infrastructure, WHOIS to surface more dynamic DNS providers, and passive SSL to follow groupings of server infrastructure. Using these chaining techniques, we were able to identify the following infrastructure:


Many of these domains and IP addresses have either been mentioned in previous open source reporting, have known malware associated with them, or show up within the attack timeframes. These indicators have been added to the PassiveTotal OSINT repository and will now show up when conducting searches within the platform.
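
The selection rule described above (keep an IP address only when at least two different known dynamic DNS domains resolved to it), written out as an added example over passive DNS rows; this is not PassiveTotal's code. The records, the seed set and the function name chain are constructed for illustration, and the time-window filter is an assumption based on the earlier point about knowing the exact time period.

```python
from collections import defaultdict
from datetime import date

# Constructed passive DNS rows (documentation-range IPs, .example domains):
# (domain, ip, first_seen, last_seen)
PDNS = [
    ("mail.dyn-a.example",   "192.0.2.10",   date(2015, 3, 1), date(2015, 6, 30)),
    ("news.dyn-b.example",   "192.0.2.10",   date(2015, 5, 1), date(2015, 9, 15)),
    ("update.dyn-c.example", "192.0.2.10",   date(2015, 6, 1), date(2015, 8, 1)),
    ("blog.dyn-d.example",   "192.0.2.10",   date(2012, 1, 1), date(2012, 2, 1)),
    ("mail.dyn-a.example",   "198.51.100.7", date(2015, 7, 1), date(2015, 7, 20)),
    ("shop.dyn-e.example",   "198.51.100.7", date(2015, 7, 5), date(2015, 7, 25)),
]
# Constructed seed set standing in for domains named in published reports.
KNOWN_BAD = {"mail.dyn-a.example", "news.dyn-b.example"}


def chain(pdns, known_bad, min_known=2):
    """Return {ip: {"window", "known", "new"}} for IPs that pass the rule."""
    by_ip = defaultdict(list)
    for domain, ip, first, last in pdns:
        by_ip[ip].append((domain, first, last))

    findings = {}
    for ip, rows in by_ip.items():
        known = [r for r in rows if r[0] in known_bad]
        if len({r[0] for r in known}) < min_known:
            continue  # one shared dynamic DNS name is too weak a link
        # Assumed activity window: span of the known-bad resolutions on this IP.
        start = min(r[1] for r in known)
        end = max(r[2] for r in known)
        # Other names count only if they resolved here during that window;
        # earlier or later tenants of the same address are noise.
        new = sorted({d for d, first, last in rows
                      if d not in known_bad and first <= end and start <= last})
        findings[ip] = {"window": (start, end),
                        "known": sorted({r[0] for r in known}),
                        "new": new}
    return findings


if __name__ == "__main__":
    for ip, hit in chain(PDNS, KNOWN_BAD).items():
        print(ip, hit["window"], hit["known"], "->", hit["new"])
```

In the sample data the second address is dropped because only one seed domain ever pointed at it, and the 2012 tenant of the first address is excluded because it falls outside the window.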

Indirect Collaboration

It’s often said that more sharing needs to take place in our industry. It’s also said that trust issues make deep sharing almost impossible. While these statements may be true, we find that open source reporting (blogs, papers, indicator dumps, etc.) layered over contextual datasets produces sharing in indirect ways. During our analysis of the information Citizen Lab reported on, we saw connections and reporting overlap from Palo Alto Networks, Cylance, Trend Micro and even previous works from the Citizen Lab. These groups may not have realized it, but with all of their work displayed in one central location, they were able to surface nearly all of the infrastructure related to these threat actors.

We view this concept of indirect sharing as pretty powerful, and let it guide us to some feature changes within PassiveTotal. For the past several months, we have associated tags with OSINT data, which you will often see when pivoting around within the platform. After seeing the power of indirect sharing, we went a step further and decided to push classifications based on OSINT data down to each indicator. So, not only will you see the tags, but you will also get a color classification signifying whether the indicator you are viewing is malicious, suspicious or non-malicious. Naturally, we recognize that not everyone will agree with open source reporting, so users can easily override what is shown by default or turn off OSINT as a source altogether.

Final Thoughts

The ability to quickly pivot from the indicators in the Citizen Lab and Palo Alto reports to new indicators demonstrates the value of the PassiveTotal platform. Using infrastructure chaining techniques, users can click from data point to data point in order to build a complete picture of an actor’s command and control infrastructure. Bringing a number of datasets into one location, combined with open source intelligence and RiskIQ’s research team, makes it easier to identify and track threat actors, and shows that identifying a threat actor doesn’t have to be difficult.