MiMi Chat App Backdoored by Chinese Hackers Attack Windows, macOS, Linux Users 


Reports from cybersecurity firms SEKOIA and Trend Micro confirm that a new campaign by the Chinese threat actor Lucky Mouse uses a trojanized version of a cross-platform messaging application to backdoor devices. The infection chains rely on the chat program MiMi, whose installers have been tampered with, to fetch and install HyperBro samples on Windows and rshell artifacts on Linux and macOS. 

The attacks have affected up to 13 separate entities, all based in Taiwan and the Philippines, eight of which were hit with rshell. The first rshell victim was reported in mid-July 2021. Lucky Mouse, also known as APT27, Emissary Panda, Bronze Union, and Iron Tiger, has been active since 2013 and has a track record of gaining access to targeted networks to further Chinese-aligned political and military intelligence-collection goals. 

The advanced persistent threat (APT) actor is known for employing a variety of proprietary implants, including SysUpdate, HyperBro, and PlugX, to steal valuable information. The latest development is noteworthy for several reasons, not least because it is the threat actor's first known attempt to target macOS in addition to Windows and Linux. 

Because Lucky Mouse controls the backend servers hosting the MiMi app installers, it was able to modify the program so that it retrieves the backdoors from a remote server, giving the campaign all the characteristics of a supply chain attack. This is supported by the fact that on May 26, 2022, malicious JavaScript code was included in version 2.3.0 of the macOS app, which may be the earliest compromised macOS version. However, versions 2.2.0 and 2.2.1 built for Windows have been found to contain comparable modifications as early as November 23, 2021. 

For its part, rshell is a typical fully featured backdoor: it executes arbitrary commands received from a command-and-control (C2) server and relays the results of that execution back to the server. It is unclear at this time whether MiMi is a legitimate chat program or whether it was "designed or repurposed as a surveillance tool." Notably, another Chinese-speaking actor known as Earth Berberoka (GamblingPuppet) has used the same app to target online gambling sites, yet another example of how Chinese APT groups frequently share tools. 

The operation is attributed to Lucky Mouse on the basis of overlaps with infrastructure previously identified as being used by the China-nexus intrusion set and the deployment of HyperBro, a backdoor used exclusively by the group. As SEKOIA notes, this is not the first time the adversary has used a chat app as a launchpad for its attacks: ESET revealed that HyperBro, PlugX, and a remote access trojan dubbed Tmanger were delivered to Mongolian targets via the popular chat program Able Desktop. 

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.