SEKOIA and Trend Micro specialists published reports on the activity of the Chinese hack group APT27 (aka Emissary Panda, Iron Tiger and LuckyMouse) and said that hackers introduced a backdoor into the MiMi messenger.
The attackers have created a cross-platform malicious version of the Chinese messenger MiMi (秘密, “secret” in Chinese), and use it to attack Windows, Linux and macOS users.
Let me remind you that we also wrote that Chinese Hackers Use Ransomware As a Cover for Espionage, and also that Chinese hackers use Zimbra 0-day vulnerability to hack European media and authorities.
So, SEKOIA researchers write that MiMi for macOS version 2.3.0 was hacked almost four months ago, on May 26, 2022. The compromise was discovered during the analysis of the infrastructure of the HyperBro remote access trojan associated with APT27: the malware contacted the application, which seemed suspicious to the experts.
Trend Micro analysts have also noticed this campaign (independently of their colleagues) and now report that they have identified old trojanized versions of MiMi targeting Linux (rshell backdoor) and Windows (RAT HyperBro).
At the same time, the oldest sample of rshell for Linux is dated June 2021, and the first victim of this campaign became known back in mid-July 2021. In total, at least 13 different organizations in Taiwan and the Philippines were attacked, of which 8 were affected by rshell.
Hackers can use the malware to list files and folders, and read, write, and download files on compromised systems. In addition, the backdoor is able to steal data and send specific files to its control server.
According to experts, the connection of this campaign with APT27 is obvious. Thus, the cybercriminals’ infrastructure uses a range of IP addresses already known to information security specialists. In addition, similar campaigns have already been observed before, for example, a backdoor was introduced into the Able Desktop messenger (Operation StealthyTrident), and malicious code was packaged using the already known tool associated with APT27.
It is worth to emphasize that it is impossible to say that we are definitely talking about an attack on the supply chain. The fact is that according to Trend Micro, hackers clearly control the servers hosting the MiMi installers, and experts suggest that they are dealing with a compromise of a legitimate and not too popular messenger targeted at the Chinese audience.