The discovery of Chinese hackers using a trojanized version of the chat application MiMi to illicitly collect data from Windows, Linux, and macOS devices has raised significant security concerns. Researchers from SEKOIA identified a backdoor, named rshell, embedded in version 2.3.0 of MiMi on macOS. While the trojanized MiMi app primarily targeted the Chinese market, it was capable of running across multiple platforms. Notably, the researchers established connections between the malware and the APT27 threat group, also known as Emissary Panda, Iron Tiger, and LuckyMouse, suggesting a potential collaboration. The malicious code added to MiMi’s source code runs when the app is used on a Mac and enables the Trojan to download and execute the shell backdoor, gather and send system information to a command and control server, and access and upload files. This discovery underscores the need for heightened vigilance, secure app development practices, and comprehensive cybersecurity measures against data collection and espionage.
Key Takeaways
- The Trojanized version of MiMi, a chat app primarily aimed at the Chinese market, has been found to carry a backdoor known as rshell, capable of stealing data on multiple platforms including Windows, Linux, and macOS.
- There are links between the malware in the Trojanized MiMi app and the APT27 threat group, suggesting possible collaboration and raising concerns about data collection and spying.
- The technical analysis of MiMi reveals that the malicious JavaScript code is injected when the app runs on a Mac device, allowing the Trojan to download and execute a shell backdoor, collect system information, and access and upload files.
- The activity of the LuckyMouse threat group, believed to be behind the Trojanized MiMi app, has expanded to include surveillance, raising concerns about increased spying and data collection, and highlighting the need for increased vigilance and protection measures.
Malicious MiMi Variant
The trojanized version of MiMi, a chat app primarily targeting the Chinese market and available for Windows, Linux, and macOS, has been found to contain a backdoor known as rshell that is capable of stealing data; the malicious code was injected into the app’s source code and executes when the app runs on a Mac device. This discovery has significant implications for cross-platform malware, as it highlights the exposure of different operating systems and the importance of securing devices and data across platforms. Detecting and preventing trojanized apps like this variant of MiMi is crucial to maintaining cybersecurity. Users should verify the legitimacy of apps before installation, and developers should ensure the secure development and distribution of apps. Continuous monitoring and threat intelligence sharing are also recommended, along with comprehensive cybersecurity measures and proactive defense and incident response capabilities.
Connection to APT27
Links have been discovered between the malware and APT27, a Chinese-backed threat group also known as Emissary Panda, Iron Tiger, and LuckyMouse, suggesting potential collaboration. This suggested collaboration has significant implications for cybersecurity and privacy.
To further understand the impact of LuckyMouse’s expanded mandate on cybersecurity and privacy, consider the following:
- LuckyMouse’s collaboration with APT27 in data theft operations: The connection between the trojanized MiMi app and APT27 indicates a joint effort to steal data across multiple platforms. This collaboration allows for a more sophisticated and coordinated approach to cyber espionage.
- The impact of LuckyMouse’s expanded mandate on cybersecurity: LuckyMouse’s expanded mandate, which now includes surveillance, raises concerns about increased spying and data collection. This poses a significant threat to individuals, organizations, and national security.
- The impact of LuckyMouse’s expanded mandate on privacy: With the expansion of its mandate, LuckyMouse’s activities encroach upon individuals’ privacy. The unauthorized access and data exfiltration conducted by this threat group can result in the compromise of sensitive information and personal privacy.
- The need for robust cybersecurity strategies: The collaboration between LuckyMouse and APT27 highlights the evolving tactics and techniques of cybercriminals. It underscores the importance of implementing comprehensive cybersecurity measures to protect against such threats and vulnerabilities. Proactive defense and incident response capabilities are essential to effectively counter these sophisticated attacks.
Technical Analysis
Researchers have conducted a technical analysis of the compromised chat application, uncovering the methods employed by the threat actors to infiltrate and exploit the targeted systems. The analysis revealed that the malicious JavaScript code was injected into the source code of the MiMi app, which executed when the app ran on a Mac device. This code downloaded and executed a shell backdoor known as rshell, allowing the attackers to steal data from the infected system. The malware also collected and sent system information to a command and control (C2) server, enabling the attackers to list folders and files, as well as access and upload files. This technical analysis highlights the importance of securing cross-platform applications and mitigating the risks of data theft from trojanized apps.
| Method Used | Description |
|---|---|
| Injection of Malicious Code | The threat actors injected malicious JavaScript code into the source code of the MiMi app. |
| Execution of Shell Backdoor | The injected code downloaded and executed a shell backdoor known as rshell. |
| Data Collection and Exfiltration | The malware collected system information and sent it to a C2 server, allowing the attackers to list, access, and upload files. |
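One way to put the "verify the app" advice into practice against this kind of source-level injection, as an added example that is not SEKOIA's or MiMi's code: hash every JavaScript file in a trusted copy of the app bundle and compare it with the installed copy, so injected or altered scripts stand out. The file names, contents and the platform-gated placeholder branch are constructed for the demo.

```python
import hashlib
import os
import tempfile


def hash_js_files(root):
    """Return {relative_path: sha256_hex} for every .js file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".js"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                manifest[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def diff_manifests(trusted, installed):
    """Classify .js files as added, removed or modified versus the trusted build."""
    added = sorted(set(installed) - set(trusted))
    removed = sorted(set(trusted) - set(installed))
    modified = sorted(p for p in trusted if p in installed and trusted[p] != installed[p])
    return {"added": added, "removed": removed, "modified": modified}


def _write(root, rel, text):
    """Helper: create rel under root (parent dirs included) with the given text."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo():
    """Constructed sample: a clean bundle versus a copy whose main script was tampered with."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as installed:
        for root in (clean, installed):
            _write(root, "electron-main.js", "app.whenReady().then(createWindow);\n")
            _write(root, "renderer/index.js", "console.log('chat ready');\n")
        # Simulate the injection: the installed copy gains an extra branch in the
        # main script that only runs on macOS (a harmless placeholder, not real code).
        _write(installed, "electron-main.js",
               "app.whenReady().then(createWindow);\n"
               "if (process.platform === 'darwin') { /* added stage */ }\n")
        return diff_manifests(hash_js_files(clean), hash_js_files(installed))


if __name__ == "__main__":
    print(demo())
```

Run against a real bundle, the trusted manifest would be generated once from a vendor build and stored outside the bundle so that an attacker who modifies the app cannot also update the reference hashes.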
Expanding LuckyMouse’s Mandate
Expanding LuckyMouse’s mandate to include surveillance raises concerns about the potential for increased spying and data collection, highlighting the need for heightened cybersecurity measures and vigilance in protecting sensitive information. LuckyMouse, also known as APT27, was previously associated with cyber espionage campaigns targeting governments and organizations. However, their recent activity indicates an expansion of their scope towards surveillance. This development has significant implications for privacy and cybersecurity, as it suggests an escalation in data collection efforts by Chinese-backed threat actors. Increased surveillance capabilities enable threat actors to gather sensitive information, potentially compromising individuals and organizations. To mitigate these risks, it is crucial to implement comprehensive cybersecurity measures, stay updated with the latest threats, and foster collaborative efforts to combat cyber threats. The protection of privacy and the preservation of cybersecurity require continuous vigilance and proactive defense strategies.
SEKOIA’s Recommendations
SEKOIA’s recommendations focus on verifying the legitimacy of applications before installation, emphasizing secure app development and distribution, encouraging continuous monitoring and threat intelligence sharing, and urging the implementation of comprehensive cybersecurity measures. These recommendations highlight the importance of secure app development and distribution in order to prevent the infiltration of trojanized apps like the MiMi app. By verifying the legitimacy of apps before installation, users can ensure that their devices are not compromised by malicious software. Additionally, continuous monitoring and threat intelligence sharing are crucial for staying updated with the latest threats and vulnerabilities. This proactive approach enables organizations to detect and respond to potential cyber threats in a timely manner. Implementing comprehensive cybersecurity measures is essential to protect sensitive data and mitigate the risk of unauthorized access or data exfiltration.
Frequently Asked Questions
How does the trojanized version of MiMi app infect Mac devices?
The trojanized version of the MiMi app infects Mac devices by injecting malicious JavaScript code into the app’s source code. When the app runs on a Mac device, the trojan downloads and executes a shell backdoor, allowing attackers to collect and send system information to a command and control server. To protect Mac devices from trojanized apps, strategies such as verifying the legitimacy of apps before installation, implementing secure app development and distribution practices, continuous monitoring, and threat intelligence sharing should be employed.
What type of data can the backdoor known as rshell steal from infected devices?
The backdoor known as rshell is capable of stealing various types of data from infected devices. This includes system information, access to folders and files, and the ability to upload files, potentially leading to significant data breaches and privacy violations.
What evidence links the malware to the APT27 threat group?
Attribution challenges make it difficult to definitively link the malware to the APT27 threat group. To protect their data across different operating systems, organizations should implement comprehensive cybersecurity measures and continuously monitor for threats.
How does the RShell Mach-O implant establish a connection with the C2 server?
The RShell Mach-O implant establishes a connection with the C2 server by sending a hello message containing a random GUID, the hostname, IP addresses, the connection type, and the username. The C2 server then sends a keep-alive message every 40 seconds.
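The fixed keep-alive cadence described above gives defenders a network-side signal. Added example, not part of the original analysis: constructed connection-log lines are grouped per source and destination, and a pair is flagged when its connection intervals cluster tightly around 40 seconds; the hostnames, addresses and port are made up, and the jitter check is what separates a true beacon from ordinary traffic that happens to share a median interval.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median, pstdev

# Constructed log lines of the form "timestamp src_host dst_ip:port" (not real
# MiMi/rshell traffic). mac-02 refreshes one session every ~40 s with small jitter;
# mac-01 browses irregularly but, by construction, also has a 40 s median gap.
BASE = datetime(2022, 8, 12, 9, 0, 0)
SAMPLE_LOG = []
for i in range(8):
    ts = BASE + timedelta(seconds=40 * i + (i % 3) - 1)
    SAMPLE_LOG.append(f"{ts.isoformat()} mac-02 203.0.113.5:443")
for offset in (0, 7, 95, 130, 260, 300):
    ts = BASE + timedelta(seconds=offset)
    SAMPLE_LOG.append(f"{ts.isoformat()} mac-01 198.51.100.20:443")


def parse(lines):
    """Group event timestamps by (src_host, destination)."""
    sessions = defaultdict(list)
    for line in lines:
        ts, src, dst = line.split()
        sessions[(src, dst)].append(datetime.fromisoformat(ts))
    return sessions


def find_beacons(lines, expected=40.0, tolerance=0.10, min_events=5):
    """Return (src, dst, median_gap_seconds) for pairs whose connection cadence
    sits within `tolerance` of `expected` seconds and shows little jitter."""
    hits = []
    for (src, dst), stamps in parse(lines).items():
        stamps.sort()
        if len(stamps) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        # Relative jitter: a real keep-alive timer keeps this near zero.
        jitter = pstdev(gaps) / med if med else float("inf")
        if abs(med - expected) <= expected * tolerance and jitter <= tolerance:
            hits.append((src, dst, med))
    return hits


if __name__ == "__main__":
    for src, dst, gap in find_beacons(SAMPLE_LOG):
        print(f"beacon candidate: {src} -> {dst}, median gap {gap:.0f}s")
```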
What are the potential implications of the Trojanized MiMi app for cross-platform data theft?
The potential implications of the Trojanized MiMi app for cross-platform data theft include the exposure of different operating systems, the need for comprehensive cybersecurity measures, and the importance of securing devices and data across platforms.
What are SEKOIA’s recommendations for preventing similar attacks in the future?
Preventive measures and security best practices recommended by SEKOIA to prevent similar attacks in the future include verifying app legitimacy, ensuring secure app development and distribution, continuous monitoring, implementing comprehensive cybersecurity measures, and having proactive defense and incident response capabilities.