Posted on August 16, 2022 at 8:42 AM

Chinese Hackers Compromise MiMi Chap App To Target Windows And macOS users

Recent reports from cybersecurity firms Trend Micro and SEKOIA revealed a campaign carried out by a Chinese threat actor named Lucky Mouse. According to the reports, the hacking campaign involves backdooring systems by leveraging a trojanized version of a cross-platform messaging app.

The infected chains take advantage of a chap app known as MiMi, with its installer files breached for downloading and installing HyperBro samples for rshell artifacts and Windows operating system for macOS and Linux.

No less than 13 different entities in the Philippines and Taiwan have become victims of the new threat, with eight of them being at the receiving end of rshell. 

Lucky Mouse comes with different other pseudonyms, including Emissary Panda, Bronze Union, Iron Tiger, and APT27. The campaign has been active in the wild since 2013. It is notorious for gaining unauthorized access to targeted networks in line with its military and political intelligence collection linked with China.

The threat actor is also sophisticated in an idle range of attack modules. It is known for compromising high-value data using different custom implants such as PlugX, HyperBro, and SysUpdate. While the threat has been existing for years, it has changed strategies and attack strength in recent times. It is the first time the threat actor is attempting to target macOS as well as Linux and Windows.

A Supply Chain Attack 

Based on the contents of the reports, the attack has all the features of a supply chain attack. Lucky Mouse controls the backend servers that host the app installers of MiMi. This makes it easier for the hackers to alter the app to gain the backdoors from a remote server.

The hackers also tweaked the macOS version 2.3.0 to deliver the malicious JavaScrpt code on May 26, 2022. Although it may not be the first breached macOS variant, other versions like 2.2.0 and 2.2.1 for windows have been seen incorporating similar additions as early as November last year.

On its part, rshell is a standard backdoor that has all the normal features and signs that enable the arbitrary execution of commands received from a command and control (C2) server. The C2 server also transmits the results of the execution back to the server.

The Operation Is Linked To Lucky Mouse 

The security firms are still monitoring the activities of MiMi. So, it’s not clear whether it was designed as a surveillance tool or as a legitimate chat program. This is not the first time the app will be used, as it was also used by another Chinese-speaking hacker with the name Earth Berberoka. When it was used by this hacker, the app was channeled to online gambling sites. This wows that the tool is widely shared among Chinese-speaking threat actors.

The operation’s link to Lucky Mouse comes from the propensity to manipulate instructions formerly identified as utilized by the Chinese-nexus intrusion set. The attack is also related to the deployment of Hyperbro, a backdoor that is being used by the threat group.

SEKOIA noted that it will not be the first time this type of threat has been seen in the wild. It is also not the first time it has led to the use of messaging apps as a set-off point in its attacks. 

Nearly two years ago, cybersecurity outfit ESET revealed that a popular chat software known as Able Desktop was compromised to deliver PlugX, HyperBro, and a remote access Trojan known as Tmanger.   

The First Victim Was Reported In July Last Year 

TrendMicro also reported that it detected the same malware campaign. The security firm noted that it discovered a trojanized version of MiMi targeting Windows (with ByperBro) and Linux (with rshell). The first victim was reported back in mid-July 2021 while the oldest Linux rshell sample was in June 2021.

The malicious JavaScript implanted in MiMi’s source code first finds out whether the app runs on a Mac device. After gaining these details, it then downloads and executes the rshell backdoor, according to SEKOIA. When it launches, the malware harvests and sends system information to the Cr server and waits to receive commends from the APT27 hackers.

The threat actors can use it to list files and folders while reading, downloading, and writing files on compromised systems becomes possible. Additionally, the backdoor can be supported by an upload command that can instruct it to send files to the hackers’ server.