Chinese hackers backdoor chat app with new Linux, macOS malware

guest · Aug 12, 2022

August 12, 2022

Versions of a cross-platform instant messenger application focused on the Chinese market known as 'MiMi' have been trojanized to deliver a new backdoor (dubbed rshell) that can be used to steal data from Linux and macOS systems.

SEKOIA's Threat & Detection Research Team says that the app's macOS 2.3.0 version has been backdoored for almost four months, since May 26, 2022.
Click to expand...

They discovered this after noticing unusual connections to this app while analyzing command-and-control (C2) infrastructure for the HyperBro remote access trojan (RAT) malware linked to the APT27 Chinese-backed threat group.

TrendMicro also reported detecting the same campaign and said it found old trojanized versions of MiMi targeting Linux (with rshell) and Windows (with HyperBro), with the oldest Linux rshell sample in June 2021 and the first victim being reported back in mid-July 2021.
Click to expand...

The malware was linked to APT27 based on overlapping infrastructure using the same IP address range and common tactics (backdooring Able Desktop messaging app in Operation StealthyTrident and packing malicious code with the Dean Edwards Javascript packer).

"At this stage, SEKOIA is not able to assess the objective of this campaign. As this application’s use in China appears low, it is plausible it was developed as a targeted surveillance tool," the researchers said.
Click to expand...

Also targeting Zoho and Exchange servers
APT27 (aka Emissary Panda, Iron Tiger, and LuckyMouse) is a Chinese-backed threat group active for over a decade (since at least 2010) and known for its focus on cyber espionage and information theft campaigns.
Click to expand...

SEKOIA: LuckyMouse uses a backdoored Electron app to target MacOS

This blog post on LuckyMouse is an extract of the “FLINT 2022-045 – LuckyMouse uses a backdoored Electron app to target MacOS” report (SEKOIA.IO Flash Intelligence) sent to our clients on August 10, 2022.
Click to expand...

Trend Micro: Iron Tiger Compromises Chat Application Mimi, Targets Windows, Mac, and Linux Users

We found APT group Iron Tiger's malware compromising chat application Mimi’s servers in a supply chain attack.
Click to expand...

Rasheed187 · Aug 15, 2022

That's why I keep saying that all apps should be monitored, even the trusted ones. Seems to be a classic supply chain attack, this stuff is quite scary, because it's often difficult to protect against this stuff. Another reason why HIPS/behavior blockers can be quite useful, because they may alert about unusual behavior of trusted apps.

Log in or Sign up

Chinese hackers backdoor chat app with new Linux, macOS malware

guest Guest

Rasheed187 Registered Member

Log in or Sign up

Chinese hackers backdoor chat app with new Linux, macOS malware

guest Guest

Rasheed187 Registered Member

Useful Searches