Versions of a cross-platform instant messenger application focused on the Chinese market and known as ‘MiMi’ have been trojanized to deliver a new backdoor (dubbed rshell) that can be used to steal data from Linux and macOS systems.
SEKOIA’s Threat & Detection Research Team says that the app’s macOS 2.3.0 version has been backdoored for almost four months, since May 26, 2022.
They discovered this after noticing unusual connections to this app while analyzing command-and-control (C2) infrastructure for the HyperBro remote access trojan (RAT) malware linked to the APT27 Chinese-backed threat group.
Trend Micro also reported detecting the same campaign and said it found older trojanized versions of MiMi targeting Linux (with rshell) and Windows (with HyperBro), with the oldest Linux rshell sample dated June 2021 and the first victim reported in mid-July 2021.
As SEKOIA discovered, the malicious JavaScript code implanted in MiMi’s source code first checks whether the app is running on a Mac and, if so, downloads and executes the rshell backdoor.
Once launched, the malware will harvest and send system information to its C2 server and wait for commands from the APT27 threat actors.
The attackers can use it to list folders and files and to read, download, and write files on compromised systems. The backdoor also comes with support for an upload command that instructs it to send files to its C2 server.
The malware was linked to APT27 based on overlapping infrastructure (the same IP address range) and shared tactics: backdooring the Able Desktop messaging app in Operation StealthyTrident and packing malicious code with the Dean Edwards JavaScript packer.
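As an added example (not SEKOIA's or Trend Micro's code), the Python below flags JavaScript wrapped in the Dean Edwards packer mentioned above, reverses the packing so the code can be read, and lists indicator strings such as a Darwin platform check; the indicator list and the packed sample blob are assumptions constructed for the demonstration.

```python
"""Dean Edwards "p,a,c,k,e,d" packer finder/unpacker. Added example, not SEKOIA's
or Trend Micro's tooling; SAMPLE is a constructed stand-in, not the real implant."""
import re
from typing import Optional

PACKER_HEADER = "eval(function(p,a,c,k,e,d)"
# Argument tail the packer emits: }('payload',base,count,'w1|w2|...'.split('|')
TAIL_RE = re.compile(
    r"\}\('((?:[^'\\]|\\.)*)',\s*(\d+),\s*(\d+),\s*'((?:[^'\\]|\\.)*)'\.split\('\|'\)",
    re.DOTALL)
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
INDICATORS = ("process.platform", "darwin", "child_process", "exec(", "http")  # assumed

def _js_unescape(s: str) -> str:
    return s.replace("\\'", "'").replace("\\\\", "\\")

def _decode(token: str, base: int) -> Optional[int]:
    """The packer writes each dictionary index in base `base` over ALPHABET."""
    value = 0
    for ch in token:
        digit = ALPHABET.find(ch)
        if digit < 0 or digit >= base:
            return None  # not an encoded word (e.g. contains '_')
        value = value * base + digit
    return value

def unpack(blob: str) -> Optional[str]:
    """Reverse the packer: swap every encoded word back to its dictionary entry."""
    m = TAIL_RE.search(blob)
    if PACKER_HEADER not in blob or m is None:
        return None
    payload, base, count = _js_unescape(m.group(1)), int(m.group(2)), int(m.group(3))
    words = _js_unescape(m.group(4)).split("|")
    def restore(tok) -> str:
        idx = _decode(tok.group(0), base)
        if idx is None or idx >= min(count, len(words)) or not words[idx]:
            return tok.group(0)  # words the packer left empty stay literal
        return words[idx]
    return re.sub(r"\b\w+\b", restore, payload)

def scan_js(text: str) -> dict:
    """Flag packed code and list which indicators the unpacked source contains."""
    unpacked = unpack(text)
    hits = [s for s in INDICATORS if unpacked is not None and s in unpacked]
    return {"packed": unpacked is not None, "unpacked": unpacked, "indicators": hits}

SAMPLE = (  # constructed: packer output shape with the function body elided
    "eval(function(p,a,c,k,e,d){/* body elided */return p}"
    "('if(2.0==\"1\"){3(u);4(f)}',62,5,'platform|darwin|process|download|exec'"
    ".split('|'),0,{}))")
```

Run `scan_js` over the JavaScript files of an Electron app bundle; a "packed" result with platform or process-spawning indicators is a candidate for manual review, not a verdict on its own.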
“At this stage, SEKOIA is not able to assess the objective of this campaign. As this application’s use in China appears low, it is plausible it was developed as a targeted surveillance tool,” the researchers said.
“It is also likely that, following social engineering carried out by the operators, targeted users are encouraged to download this application, purportedly to circumvent Chinese authorities’ censorship.”
Also targeting Zoho and Exchange servers
APT27 (aka Emissary Panda, Iron Tiger, and LuckyMouse) is a Chinese-backed threat group active for over a decade (since at least 2010) and known for its focus on cyber espionage and information theft campaigns.
Since March 2021, the group has been breaching and infecting servers running vulnerable Zoho ManageEngine ADSelfService Plus software—a password management solution for cloud apps and Active Directory—with several malware strains, including the HyperBro RAT.
These attacks compromised at least nine entities from critical sectors worldwide, including defense, healthcare, energy, and technology.
In January, Germany's domestic intelligence service, the BfV (Bundesamt für Verfassungsschutz), also warned of APT27 attacks against German commercial organizations using the same tactic.
APT27 and other Chinese-sponsored threat groups have also been linked in the past to attacks exploiting the ProxyLogon bugs, starting in early March 2021, which allowed them to steal data from unpatched Microsoft Exchange servers worldwide.