Hackers use a backdoored chat app to target Linux & macOS
While reviewing the HyperBro command and control (C2) infrastructure linked to the China-nexus LuckyMouse intrusion set, SEKOIA's Threat & Detection Research Team spotted an unusual connection associated with an application.
MiMi (mimi = 秘密 = "secret" in Chinese) is an instant messaging application aimed at Chinese users, developed by Xiamen Baiquan Information Technology Co. Ltd., with implementations for the major desktop and mobile operating systems: Windows, macOS, Android, and iOS.
The desktop versions are built on the Electron (ElectronJS) framework, a cross-platform framework based on Node.js that lets developers build applications with HTML, JavaScript (JS), and CSS.
SEKOIA established that the macOS version of “MìMì” Messenger has been trojanized since May 26, 2022.
Trend Micro, a vendor of enterprise cloud security, XDR, and cybersecurity platform products, noticed a server hosting both a HyperBro sample and a malicious Mach-O executable named “rshell”, and reported finding older trojanized versions of MiMi targeting Linux (with rshell) and Windows (with HyperBro): the oldest Linux rshell sample dates from June 2021, and the first victim was reported in mid-July 2021.
Once launched, the malware harvests system information, sends it to its C2 server, and waits for commands from the APT27 threat actors.
The attackers can use it to list folders and files and to read, download, and write files on compromised systems. The backdoor also supports an upload command that instructs it to send files to its C2 server.
SEKOIA says: "Sekoia associates this activity with LuckyMouse with high confidence. It is plausible this activity indicates an expansion of LuckyMouse’s mandate, now including surveillance. However, as this Intrusion Set was mostly observed continuously carrying out espionage activities, notably against the technology and governmental sectors, SEKOIA assesses this hypothesis is unlikely."
Indicators of Compromise (IOCs)
- 103.79.76[.]88
- 103.79.77[.]178
- 139.180.216[.]65
- 8c3be245cbbe9206a5d146017c14b8f965ab7045268033d70811d5bcc4b796ec
- 3a9e72b3810b320fa6826a1273732fee7a8e2b2e5c0fd95b8c36bbab970e830a
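The article gives three C2 addresses and two SHA-256 hashes in defanged form. A defender's first use of such a list is to check it against existing telemetry, so the script below, an added example written for this page rather than anything published by SEKOIA or Trend Micro, refangs the published indicators, sorts them into IP and hash sets, and scans log lines for matches. The proxy-log and file-inventory lines it scans are constructed for the demonstration; the hostnames, paths and timestamps in them are placeholders, and the log formats are assumptions, not formats either vendor describes.

```python
import ipaddress
import re
from dataclasses import dataclass

# Indicators exactly as published in the article, still defanged ("[.]").
PUBLISHED_IOCS = [
    "103.79.76[.]88",
    "103.79.77[.]178",
    "139.180.216[.]65",
    "8c3be245cbbe9206a5d146017c14b8f965ab7045268033d70811d5bcc4b796ec",
    "3a9e72b3810b320fa6826a1273732fee7a8e2b2e5c0fd95b8c36bbab970e830a",
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")          # whole-string check for a loaded indicator
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")  # dotted quads inside a log line
HASH_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")        # 64-hex-digit tokens inside a log line


def refang(indicator: str) -> str:
    """Undo the usual defanging so the value can be compared with raw telemetry."""
    return indicator.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def load_iocs(published):
    """Split a mixed indicator list into a set of IPv4 strings and a set of lowercase SHA-256 hashes."""
    ips, hashes = set(), set()
    for raw in published:
        value = refang(raw.strip()).lower()
        if SHA256_RE.match(value):
            hashes.add(value)
            continue
        try:
            ips.add(str(ipaddress.ip_address(value)))  # rejects malformed addresses
        except ValueError:
            raise ValueError(f"unrecognised indicator: {raw!r}") from None
    return ips, hashes


@dataclass(frozen=True)
class Hit:
    line_no: int   # 1-based index of the matching line
    kind: str      # "c2-ip" or "sha256"
    value: str     # the normalised indicator that matched
    line: str      # the original log line, kept for the analyst


def scan_lines(lines, ips, hashes):
    """Return a Hit for every indicator occurrence found in the given log lines."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for ip in IPV4_RE.findall(line):
            if ip in ips:
                hits.append(Hit(n, "c2-ip", ip, line))
        for token in HASH_RE.findall(line):
            if token.lower() in hashes:
                hits.append(Hit(n, "sha256", token.lower(), line))
    return hits


# Constructed sample telemetry (not real logs): two proxy lines and two
# file-inventory lines; the first and third carry an indicator from the list.
SAMPLE_LINES = [
    "2022-08-12T09:14:03Z proxy src=10.0.4.21 dst=103.79.76.88:443 action=allow bytes=5120",
    "2022-08-12T09:14:05Z proxy src=10.0.4.21 dst=192.0.2.10:443 action=allow bytes=9032",
    "2022-08-12T09:20:11Z inventory host=placeholder-mac path=/tmp/constructed-sample-1 "
    "sha256=8C3BE245CBBE9206A5D146017C14B8F965AB7045268033D70811D5BCC4B796EC",
    "2022-08-12T09:20:12Z inventory host=placeholder-mac path=/tmp/constructed-sample-2 "
    "sha256=0000000000000000000000000000000000000000000000000000000000000000",
]


def run_demo():
    ips, hashes = load_iocs(PUBLISHED_IOCS)
    return scan_lines(SAMPLE_LINES, ips, hashes)


if __name__ == "__main__":
    for hit in run_demo():
        print(f"line {hit.line_no}: {hit.kind} {hit.value}")
```

Hashes are compared case-insensitively because inventory tools disagree on case, and the IP match is on the full dotted quad rather than a substring, so 103.79.76.880 or 1103.79.76.88 would not produce a false hit. Feeding real proxy or EDR exports into `scan_lines` is a matter of replacing `SAMPLE_LINES` with the file's lines.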