15 August 2022

China-linked hackers caught backdooring chat app with malware

China-linked hackers have been using a trojanized version of 'MiMi,' a cross-platform instant messenger application focused on the Chinese market, to deliver versions of the HyperBro and rshell backdoors to infected users.

The campaign was spotted by researchers at cybersecurity companies Sekoia and Trend Micro, who released two separate reports detailing their findings.

According to Sekoia’s Threat & Detection Research Team, the weaponized macOS version of MiMi has been in circulation since May 26 and was designed to download and execute a Mach-O binary dubbed “rshell.” At the same time, Trend Micro noted that the threat actor behind this campaign (tracked as Lucky Mouse, Emissary Panda, APT27, and Bronze Union) had the servers hosting the MiMi app installers under its control, suggesting a supply chain attack. Besides rshell, MiMi chat installers have been used to download HyperBro samples for the Windows platform.

Rshell implements functions typical of similar backdoors: it is able to collect OS information and send it to an attacker-controlled server, receive commands, and send command execution results back to the command and control server.

Trend Micro researchers said they found multiple samples of rshell, with some of them in the Mach-O format (macOS platform), while others were in the ELF format (Linux platform). The oldest discovered sample was uploaded in June 2021, with the first victim reported in mid-July 2021.

“We confirmed that both the legitimate and the malicious versions of the chat installer were unsigned, which means the users of MiMi chat were probably used to all these extra steps to finally install the application despite all the macOS watchguards,” the report reads.

The researchers said they identified 13 different victims in Taiwan and the Philippines targeted in the observed campaign, including a Taiwanese gaming development company.
