Chinese Hackers Backdoored MiMi Chat App to Target Windows, Linux, macOS Users (Security News, August 2022)
A pair of reports from cybersecurity firms SEKOIA and Trend Micro sheds light on a new campaign undertaken by a Chinese threat actor named Lucky Mouse that involves leveraging a trojanized version of a cross-platform messaging app to backdoor systems.
Infection chains leverage a chat application called MiMi, with its installer files compromised to download and install HyperBro samples for the Windows operating system and rshell artifacts for Linux and macOS. As many as 13 different entities located in Taiwan and the Philippines have been at the receiving end of the attacks, eight of whom have been hit with rshell.
The advanced persistent threat actor is also adept at exfiltrating high-value information using a wide range of custom implants such as SysUpdate, HyperBro, and PlugX. The latest development is significant, not least because it marks the threat actor's introductory attempt at targeting macOS alongside Windows and Linux.
The campaign has all the hallmarks of a supply chain attack in that the backend servers hosting the app installers of MiMi are controlled by Lucky Mouse, thus making it possible to tweak the app to retrieve the backdoors from a remote server.
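The defensive counterpart to the attack described above is to stop trusting the download server as the source of truth for installer integrity. The following is an added example, not code from the article or from the SEKOIA or Trend Micro reports: it pins the SHA-256 of each installer in a manifest obtained out-of-band and refuses to install anything that is unpinned or whose hash does not match. The file name `mimi-setup.exe`, the installer bytes and the manifest are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample: the bytes of a known-good installer as published by the vendor.
# In a real deployment the pinned digest comes from an out-of-band source (signed
# release notes, a vendor PGP signature), never from the same server serving the file.
CLEAN_INSTALLER = b"MZ constructed clean installer bytes, not a real binary"

# Constructed, hypothetical manifest: file name -> expected SHA-256 hex digest.
PINNED_HASHES = {
    "mimi-setup.exe": hashlib.sha256(CLEAN_INSTALLER).hexdigest(),
}


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the downloaded bytes as a lowercase hex string."""
    return hashlib.sha256(data).hexdigest()


def verify_installer(name: str, data: bytes, pinned: dict) -> str:
    """Classify a downloaded installer against the pinned manifest.

    Returns 'ok' when the digest matches, 'mismatch' when the file differs from
    the pinned digest (the trojanized-installer case), and 'unpinned' when the
    manifest has no entry for it. Only 'ok' should be allowed to install.
    """
    expected = pinned.get(name)
    if expected is None:
        return "unpinned"
    actual = sha256_hex(data)
    # Constant-time comparison avoids leaking the expected digest through timing.
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


def audit_downloads(downloads: dict, pinned: dict) -> dict:
    """Verify a batch of downloaded files and report which ones are safe to install."""
    report = {}
    for name, data in downloads.items():
        status = verify_installer(name, data, pinned)
        report[name] = {"status": status, "allow_install": status == "ok"}
    return report


if __name__ == "__main__":
    # Constructed: the clean file, the same file with a stage-2 downloader appended
    # (what a swapped installer on an attacker-controlled server would look like),
    # and a file the manifest never listed.
    sample = {
        "mimi-setup.exe": CLEAN_INSTALLER,
        "mimi-setup-v2.exe": CLEAN_INSTALLER + b"\x00appended stage-2 loader (constructed)",
        "mimi-setup.dmg": b"constructed unpinned macOS installer",
    }
    for name, result in audit_downloads(sample, PINNED_HASHES).items():
        print(f"{name}: {result['status']} (install allowed: {result['allow_install']})")
```

The report deliberately treats an unpinned file the same as a mismatch for install purposes: an installer the manifest does not know about is exactly what a compromised distribution server would start serving, so "allow by default" defeats the control.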
It's not immediately clear whether MiMi is a legitimate chat program or whether it was "designed or repurposed as a surveillance tool," although the app has also been used by another Chinese-speaking actor dubbed Earth Berberoka in attacks on online gambling sites, once again indicative of the prevalent tool sharing among Chinese APT groups.
In late 2020, ESET disclosed that a popular chat software called Able Desktop was abused to deliver HyperBro, PlugX, and a remote access trojan called Tmanger targeting Mongolia.
News URL
https://thehackernews.com/2022/08/chinese-hackers-backdoored-mimi-chat.html