"MiMi Chat App Backdoored by Chinese Hackers Attack Windows, macOS, Linux Users"

According to SEKOIA and Trend Micro, a new campaign by the Chinese threat actor Lucky Mouse uses a trojanized version of a cross-platform messaging application to backdoor devices. The infection chains use the chat program MiMi to fetch and install HyperBro samples on Windows and rshell artifacts on Linux and macOS. The attacks have targeted up to 13 different entities, eight of which have been hit with rshell and are all based in Taiwan and the Philippines. The first rshell victim was reported in July 2021. Lucky Mouse, also known as APT27, Emissary Panda, Bronze Union, and Iron Tiger, has been active since 2013 and has a history of gaining access to specific networks to further its Chinese-aligned political and military intelligence-collection objectives. The advanced persistent threat (APT) actor is skilled at stealing valuable information using proprietary implants such as SysUpdate, HyperBro, and PlugX. Because Lucky Mouse controls the backend servers that host the MiMi app installers, it can modify the program to retrieve the backdoors from a remote server, which turns the campaign into a supply chain attack. Rshell is a typical backdoor: it executes arbitrary instructions received from the command-and-control (C2) server and relays the results back to the server. It is unclear whether MiMi is a legitimate chat program or whether it was designed or repurposed as a surveillance tool. Still, Earth Berberoka (GamblingPuppet), a Chinese-speaking actor, has used the app to target online gambling sites, which illustrates how frequently Chinese APT groups share tools. This article continues to discuss the APT Lucky Mouse backdooring the MiMi chat program.

CyberIntelMag reports "MiMi Chat App Backdoored by Chinese Hackers Attack Windows, macOS, Linux Users"
