Reports from cybersecurity firms SEKOIA and Trend Micro confirm that a new campaign by the Chinese threat actor Lucky Mouse involves using a trojanized version of a cross-platform messaging application to backdoor devices.
The infection chain leverages a chat application called MiMi, whose installer files have been compromised to download and install HyperBro samples for the Windows operating system and rshell artifacts for Linux and macOS.
Lucky Mouse, also known as APT27, Emissary Panda, Bronze Union, and Iron Tiger, has been active since 2013 and has a track record of getting access to specific networks to further its Chinese-aligned political and military intelligence-collection goals.
The most recent development is noteworthy for several reasons, not the least of which is that it is the threat actor’s first attempt to target macOS in addition to Windows and Linux.
Because Lucky Mouse controls the backend servers hosting the MiMi app installers, it was able to modify the program to retrieve the backdoors from a remote server, giving the campaign all the characteristics of a supply chain attack. This is supported by the fact that on May 26, 2022, malicious JavaScript code was included in the app’s macOS version 2.3.0. This may have been the earliest compromised macOS version. However, versions 2.2.0 and 2.2.1 built for Windows have been found to include comparable modifications as early as November 23, 2021.
It is not immediately clear whether MiMi is a legitimate chat program or whether it was “made or repurposed as a surveillance tool,” although the application has also been used by another Chinese-speaking actor dubbed Earth Berberoka (aka GamblingPuppet) targeting online gambling websites, once again indicative of the widespread tool sharing among Chinese APT groups.
The operation’s connection to Lucky Mouse stems from links to infrastructure previously identified as used by the China-nexus intrusion set, and from the deployment of HyperBro, a backdoor used exclusively by the hacking group.