15 August 2022

China-linked hackers caught backdooring chat app with malware


China-linked hackers have been using a trojanized cross-platform instant messaging application aimed at the Chinese market, known as 'MiMi,' to deliver versions of the HyperBro and rshell backdoors to infected users.

The campaign was spotted by researchers at cybersecurity companies Sekoia and Trend Micro, who released two separate reports detailing their findings.

According to Sekoia’s Threat & Detection Research Team, the weaponized macOS version of MiMi has been in circulation since May 26 and was designed to download and execute a Mach-O binary dubbed “rshell.” Trend Micro, meanwhile, noted that the threat actor behind the campaign (tracked as Lucky Mouse, Emissary Panda, APT27, and Bronze Union) controlled the servers hosting the MiMi app installers, pointing to a supply chain attack. Besides rshell, MiMi chat installers have been used to download HyperBro samples for the Windows platform.

Rshell implements the functions typical of such backdoors: it collects operating system information and sends it to the attackers’ server, receives commands, and returns command execution results to the command-and-control server.

Trend Micro researchers said they found multiple samples of rshell, some in the Mach-O format (macOS) and others in the ELF format (Linux). The oldest discovered sample was uploaded in June 2021, with the first victim reported in mid-July 2021.

“We confirmed that both the legitimate and the malicious versions of the chat installer were unsigned, which means the users of MiMi chat were probably used to all these extra steps to finally install the application despite all the macOS watchguards,” the report reads.
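The point about unsigned installers suggests a first triage step for any macOS binary pulled from a download server: check whether it carries a code-signature load command at all. The Python below is an added example written for this article, not code from the Sekoia or Trend Micro reports; it parses the Mach-O and universal ("fat") headers as documented in Apple's `<mach-o/loader.h>` and `<mach-o/fat.h>` and reports, per architecture slice, whether an `LC_CODE_SIGNATURE` command is present. The images it builds at the bottom are constructed test data, not samples from the campaign.

```python
"""Triage check: does a Mach-O file carry a code-signature load command?

Added example for this article, not code from the reports it describes.
Header layouts and the LC_CODE_SIGNATURE value (0x1d) follow Apple's
<mach-o/loader.h> and <mach-o/fat.h>; the images built below are constructed.
"""
import struct
import sys

MH_MAGIC = 0xFEEDFACE        # 32-bit Mach-O, as stored in the file's own byte order
MH_MAGIC_64 = 0xFEEDFACF     # 64-bit Mach-O
MH_CIGAM = 0xCEFAEDFE        # the same magics seen with the byte order swapped
MH_CIGAM_64 = 0xCFFAEDFE
FAT_MAGIC = 0xCAFEBABE       # universal wrapper; its header is always big-endian
LC_CODE_SIGNATURE = 0x1D     # linkedit_data_command pointing at the signature blob


def load_commands(data, offset=0):
    """Return the load-command ids of the thin Mach-O image starting at `offset`."""
    if len(data) < offset + 28:
        raise ValueError("too short to hold a Mach-O header at offset %d" % offset)
    magic = struct.unpack_from(">I", data, offset)[0]
    if magic in (MH_MAGIC_64, MH_CIGAM_64):
        header_size = 32         # mach_header_64 has an extra 'reserved' field
    elif magic in (MH_MAGIC, MH_CIGAM):
        header_size = 28
    else:
        raise ValueError("not a Mach-O image at offset %d (magic 0x%08x)" % (offset, magic))
    # Magic read big-endian: MH_MAGIC means a big-endian file, MH_CIGAM a
    # little-endian one (the normal case for x86_64 and arm64 binaries).
    end = ">" if magic in (MH_MAGIC, MH_MAGIC_64) else "<"
    # mach_header: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags
    _, _, _, _, ncmds, sizeofcmds, _ = struct.unpack_from(end + "7I", data, offset)
    pos = offset + header_size
    limit = pos + sizeofcmds
    cmds = []
    for _ in range(ncmds):
        if pos + 8 > limit or pos + 8 > len(data):
            raise ValueError("truncated load-command table")
        cmd, cmdsize = struct.unpack_from(end + "II", data, pos)
        if cmdsize < 8 or pos + cmdsize > limit or pos + cmdsize > len(data):
            raise ValueError("malformed load command at offset %d" % pos)
        cmds.append(cmd)
        pos += cmdsize
    return cmds


def signature_report(data):
    """Return [(slice_offset, has_signature_command), ...], one per architecture slice."""
    if len(data) < 8:
        raise ValueError("file too short")
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat_arch = struct.unpack_from(">I", data, 4)[0]
        report = []
        for i in range(nfat_arch):
            # fat_arch: cputype, cpusubtype, offset, size, align (big-endian)
            _, _, off, size, _ = struct.unpack_from(">5I", data, 8 + 20 * i)
            if off + size > len(data):
                raise ValueError("fat slice %d runs past end of file" % i)
            report.append((off, LC_CODE_SIGNATURE in load_commands(data, off)))
        return report
    return [(0, LC_CODE_SIGNATURE in load_commands(data, 0))]


def every_slice_has_signature(data):
    """True only if each slice carries LC_CODE_SIGNATURE (presence, not validity)."""
    return all(signed for _, signed in signature_report(data))


# --- constructed test data, not real samples -----------------------------------
LC_SEGMENT_64, LC_SYMTAB, LC_LOAD_DYLIB = 0x19, 0x02, 0x0C
CPU_TYPE_ARM64, MH_EXECUTE = 0x0100000C, 2


def build_thin(cmds, little_endian=True):
    """Minimal 64-bit Mach-O: a header plus 16-byte placeholder load commands."""
    end = "<" if little_endian else ">"
    table = b"".join(struct.pack(end + "4I", cmd, 16, 0, 0) for cmd in cmds)
    header = struct.pack(end + "8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE,
                         len(cmds), len(table), 0, 0)
    return header + table


def build_fat(slices):
    """Wrap thin images in a universal binary, laid out back to back."""
    offset = 8 + 20 * len(slices)
    archs, body = b"", b""
    for img in slices:
        archs += struct.pack(">5I", CPU_TYPE_ARM64, 0, offset, len(img), 0)
        body += img
        offset += len(img)
    return struct.pack(">II", FAT_MAGIC, len(slices)) + archs + body


SIGNED = build_thin([LC_SEGMENT_64, LC_CODE_SIGNATURE])
UNSIGNED = build_thin([LC_SEGMENT_64, LC_SYMTAB, LC_LOAD_DYLIB])
MIXED_FAT = build_fat([SIGNED, UNSIGNED])

if __name__ == "__main__":
    if len(sys.argv) > 1:                  # a real file given on the command line
        with open(sys.argv[1], "rb") as f:
            for off, signed in signature_report(f.read()):
                print("slice @%#x: %s" % (off, "signature present" if signed else "UNSIGNED"))
    else:                                  # demo on the constructed images
        for name, img in (("signed", SIGNED), ("unsigned", UNSIGNED), ("mixed fat", MIXED_FAT)):
            print(name, signature_report(img))
```

A present `LC_CODE_SIGNATURE` only means a signature blob exists; an ad-hoc signature, which arm64 Macs require just to run a binary, also carries one without any developer identity. On a Mac, follow this up with `codesign --verify --deep --strict` and `spctl --assess --type execute` to learn whether the signature is valid and whether Gatekeeper would accept it. Installer containers such as `.pkg` and `.dmg` are not Mach-O files; run the check on the application binary extracted from them.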

The researchers said they identified 13 different victims in Taiwan and the Philippines targeted in the observed campaign, including a Taiwanese gaming development company.

