China-linked hackers have been using a trojanized cross-platform instant messaging application aimed at the Chinese market, known as 'MiMi,' to deliver versions of the HyperBro and rshell backdoors to infected users.
According to Sekoia's Threat & Detection Research Team, the weaponized macOS version of MiMi has been in circulation since May 26 and was designed to download and execute a Mach-O binary dubbed "rshell." At the same time, Trend Micro noted that the threat actor behind this campaign (tracked as Lucky Mouse, Emissary Panda, APT27, and Bronze Union) had control of the servers hosting the MiMi app installers, suggesting a supply chain attack. Besides rshell, MiMi chat installers have been used to download HyperBro samples for the Windows platform.
Rshell implements functions typical of similar backdoors: it is able to collect OS information and send it to an attacker-controlled server, receive commands, and send command execution results back to the command-and-control server.
Trend Micro researchers said they found multiple samples of rshell, with some of them in the Mach-O format (macOS platform), while others were in the ELF format (Linux platform). The oldest discovered sample was uploaded in June 2021, with the first victim reported in mid-July 2021.
“We confirmed that both the legitimate and the malicious versions of the chat installer were unsigned, which means the users of MiMi chat were probably used to all these extra steps to finally install the application despite all the macOS watchguards,” the report reads.
The researchers said they identified 13 different victims in Taiwan and the Philippines targeted in the observed campaign, including a Taiwanese gaming development company.