Chinese hackers injected a backdoor into the MiMi messenger

Last updated: 2022/08/16 at 2:56 AM
Security Parrot Editorial Team Published August 16, 2022
Researchers from SEKOIA and Trend Micro have published reports on the activity of the Chinese hacking group APT27 (aka Emissary Panda, Iron Tiger and LuckyMouse). The attackers created a trojanized, cross-platform version of the Chinese messenger MiMi (秘密, “secret” in Chinese) and are using it to attack Windows, Linux and macOS users.

SEKOIA researchers write that MiMi for macOS version 2.3.0 was compromised almost four months ago, on May 26, 2022. The compromise was discovered while analysing the infrastructure of the HyperBro remote access trojan associated with APT27: the malware was found contacting the application, which the researchers considered suspicious.

Trend Micro analysts also noticed this campaign (independently of their colleagues) and now report that they have identified older trojanized versions of MiMi targeting Linux (with the rshell backdoor) and Windows (with the HyperBro RAT).

The oldest rshell sample for Linux is dated June 2021, and the first victim of this campaign became known in mid-July 2021. In total, at least 13 different organizations in Taiwan and the Philippines were attacked, 8 of which were infected with rshell.

According to the researchers, on macOS the malicious JavaScript code injected into MiMi checks whether the app is running on macOS and then downloads and executes the rshell backdoor. Once launched, the malware collects system information, sends it to its operators and waits for further commands.

The operators can use the malware to list files and folders and to read, write and download files on compromised systems. The backdoor can also exfiltrate data and upload specific files to its command-and-control server.

According to the researchers, the link between this campaign and APT27 is clear: the attackers’ infrastructure uses a range of IP addresses already known to security researchers. Similar campaigns have also been observed before; for example, a backdoor was introduced into the Able Desktop messenger (Operation StealthyTrident), and the malicious code was packed using a tool already associated with APT27.

It is worth noting that it cannot be said with certainty that this is a supply chain attack. According to Trend Micro, the attackers clearly control the servers hosting the MiMi installers, and the researchers suggest they are dealing with the compromise of a legitimate, though not very popular, messenger aimed at a Chinese audience.

SEKOIA analysts, in turn, say that MiMi itself looks very suspicious: the site associated with the messenger (www.mmimchat[.]com) contains no detailed description of the application, no terms of use and no links to social networks. Attempts to verify the legitimacy of the developer company, Xiamen Baiquan Information Technology Co. Ltd., also failed. SEKOIA therefore suggests that the messenger may have been developed by the attackers themselves and was a malicious tool for tracking specific targets from the outset.
