SEKOIA and Trend Micro specialists published reports on the activity of the Chinese hack group APT27 (aka Emissary Panda, Iron Tiger, and LuckyMouse) and said that hackers introduced a backdoor into the MiMi messenger.
The attackers have created a cross-platform malicious version of the Chinese messenger MiMi (秘密, “secret” in Chinese), and use it to attack Windows, Linux, and macOS users.
Let me remind you that we also wrote that Chinese Hackers Use Ransomware As a Cover for Espionage, and also that Chinese hackers use Zimbra 0-day vulnerability to hack European media and authorities.
So, SEKOIA researchers write that MiMi for macOS version 2.3.0 was hacked almost four months ago, on May 26, 2022. The compromise was discovered during the analysis of the infrastructure of the HyperBro remote access trojan associated with APT27: the malware contacted the application, which seemed suspicious to the experts.
Trend Micro analysts have also noticed this campaign (independently of their colleagues) and now report that they have identified old trojanized versions of MiMi targeting Linux (rshell backdoor) and Windows (RAT HyperBro).
At the same time, the oldest sample of rshell for Linux is dated June 2021, and the first victim of this campaign became known back in mid-July 2021. In total, at least 13 different organizations in Taiwan and the Philippines were attacked, of which eight were affected by shell.
Experts say that in the case of macOS, the malicious JavaScript code injected into MiMi checks if the app is running on the Mac and then downloads and runs the rshell backdoor. After launch, the malware collects and sends system information to its operators and waits for further commands.
Hackers can use the malware to list files and folders and read, write, and download files on compromised systems. In addition, the backdoor can steal data and send specific files to its control server.
According to experts, the connection of this campaign with APT27 is obvious. Thus, the cybercriminals’ infrastructure uses a range of IP addresses already known to information security specialists. In addition, similar campaigns have already been observed before. For example, a backdoor was introduced into the Able Desktop messenger (Operation StealthyTrident), and malicious code was packaged using the already known tool associated with APT27.
It is worth emphasizing that it is impossible to say that we are discussing an attack on the supply chain. The fact is that according to Trend Micro, hackers control the servers hosting the MiMi installers, and experts suggest that they are dealing with a compromise of a legitimate and not too popular messenger targeted at the Chinese audience.
In turn, SEKOIA analysts say that MiMi looks very suspicious: the site associated with the messenger (www.mmimchat[.]com) does not contain a detailed description of the application, terms of use and links to social networks. Check of the legitimacy of the developer company Xiamen Baiquan Information Technology Co. Ltd. also failed. As a result, SEKOIA experts write that hackers could have developed the messenger, which is initially a malicious tool for tracking specific targets.”