A pair of reports from cybersecurity firms SEKOIA[1]
and Trend Micro[2]
sheds light on a new campaign undertaken by a Chinese threat actor
named Lucky Mouse that involves leveraging a trojanized
version of a cross-platform messaging app to backdoor systems.
Infection chains leverage a chat application called MiMi, with
its installer files compromised to download and install HyperBro
samples for the Windows operating system and rshell artifacts for
Linux and macOS.
As many as 13 different entities located in Taiwan and the
Philippines have been at the receiving end of the attacks, eight of
whom have been hit with rshell. The first victim of rshell was
reported in mid-July 2021.
Lucky Mouse, also called APT27[3], Bronze Union, Emissary
Panda, and Iron Tiger, is known to be active since 2013 and has a
history of gaining access to targeted networks in pursuit of its
political and military intelligence-collection objectives aligned
with China.
The advanced persistent threat actor (APT) is also adept at
exfiltrating high-value information using a wide range of custom
implants such as SysUpdate[4], HyperBro[5], and PlugX[6].
The latest development is significant, not least because it
marks the threat actor’s introductory attempt at targeting macOS
alongside Windows and Linux.
The campaign has all the hallmarks of a supply chain attack[7]
in that the backend servers hosting the app installers of MiMi are
controlled by Lucky Mouse, thus making it possible to tweak the app
to retrieve the backdoors from a remote server.
This is borne out by the fact that the app’s macOS version 2.3.0
was tampered to insert the malicious JavaScript code on May 26,
2022. While this may have been the first compromised macOS variant,
versions 2.2.0 and 2.2.1 built for Windows have been found to
incorporate similar additions as early as November 23, 2021.
rshell, for its part, is a standard backdoor that comes with all
the usual bells-and-whistles, allowing for the execution of
arbitrary commands received from a command-and-control (C2) server
and transmitting the results of the execution back to the
server.
It’s not immediately clear if MiMi is a legitimate chat program,
or if it was “designed or repurposed as a surveillance tool,”
although the app has been used by another Chinese-speaking actor
dubbed Earth Berberoka[8]
(aka GamblingPuppet) aimed at online gambling sites – once again
indicative of the prevalent tool sharing among Chinese APT
groups.
The operation’s connections to Lucky Mouse stems from links to
instructure previously identified as used by the China-nexus
intrusion set and the deployment of HyperBro, a backdoor
exclusively put to use by the hacker group.
As SEKOIA points out, this is not the first time the adversary
has resorted to utilizing a messaging app as a jumping-off point in
its attacks. In late 2020, ESET disclosed[9]
that a popular chat software called Able Desktop was abused to
deliver HyperBro, PlugX, and a remote access trojan called Tmanger
targeting Mongolia.
References
- ^
SEKOIA
(blog.sekoia.io) - ^
Trend
Micro (www.trendmicro.com) - ^
APT27
(malpedia.caad.fkie.fraunhofer.de) - ^
SysUpdate
(thehackernews.com) - ^
HyperBro
(malpedia.caad.fkie.fraunhofer.de) - ^
PlugX
(thehackernews.com) - ^
supply
chain attack (www.trendmicro.com) - ^
Earth
Berberoka (www.trendmicro.com) - ^
disclosed
(thehackernews.com)
Read more https://thehackernews.com/2022/08/chinese-hackers-backdoored-mimi-chat.html