Recent investigations by cybersecurity firms SEKOIA and Trend Micro have uncovered a new campaign led by the Chinese threat actor known as Lucky Mouse. This operation involves deploying a compromised version of the MiMi chat application, which serves as a vector for backdoor attacks on systems across multiple platforms.
The infection chain begins when users download the MiMi application. The installer files have been manipulated to download malicious payloads: HyperBro on Windows systems, and rshell on Linux and macOS devices. Reports indicate that a total of 13 entities in Taiwan and the Philippines have fallen victim to these attacks, eight of them confirmed as rshell infections. The first instance was identified in mid-July 2021.
Lucky Mouse, also identified by various other names such as APT27 and Iron Tiger, has been active since 2013, focusing on political and military espionage in alignment with Chinese state interests. Its operations often include advanced tactics for exfiltrating sensitive data, utilizing a wide variety of custom-built implants like SysUpdate, HyperBro, and PlugX.
The significance of this latest campaign lies in Lucky Mouse’s new targeting of macOS systems, alongside its traditional focus on Windows and Linux. This represents a notable expansion of its attack methods, highlighting a broader strategy in their persistent threat landscape.
The campaign has the hallmarks of a supply chain attack: the backend servers that host the MiMi application installers are controlled by Lucky Mouse, which gives the actor the ability to modify the application so that it retrieves malicious code from remote servers. A critical point of compromise was identified on May 26, 2022, when macOS version 2.3.0 was tainted with malicious JavaScript code. Earlier Windows versions, specifically 2.2.0 and 2.2.1, contained similar malicious inserts.
The rshell backdoor plays a pivotal role in this attack, allowing attackers to execute arbitrary commands received from a command-and-control (C2) server while sending back execution results. This method aligns with several tactics outlined in the MITRE ATT&CK framework, including initial access, persistence, and command and control.
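The two behaviours described above, a trojanized chat client reaching out to a server that is not its legitimate backend and a backdoor running operator-supplied commands through a shell, both leave a trace in endpoint process and network telemetry. The following is an added detection example written for this article, not code from SEKOIA, Trend Micro or the MiMi project; the event format, the sample events, the executable name `MiMi`, the allowlisted backend `chat-backend.example` and the destination `203.0.113.10` are all constructed placeholders.

```python
import json
import os
from typing import Dict, List, Tuple

# Constructed sample telemetry (one JSON event per line); not data from the article.
# Events 3 and 4 model a trojanized chat client spawning a shell that then talks to
# an unexpected destination. Events 5 and 6 are a benign control (ssh spawning sh).
SAMPLE_EVENTS: List[str] = [
    '{"ts":"2022-05-26T10:00:01Z","type":"process","pid":401,"ppid":1,"exe":"/Applications/MiMi.app/Contents/MacOS/MiMi","cmdline":"MiMi"}',
    '{"ts":"2022-05-26T10:00:02Z","type":"network","pid":401,"dst":"chat-backend.example","dport":443}',
    '{"ts":"2022-05-26T10:00:05Z","type":"process","pid":402,"ppid":401,"exe":"/bin/sh","cmdline":"sh -c uname -a"}',
    '{"ts":"2022-05-26T10:00:06Z","type":"network","pid":402,"dst":"203.0.113.10","dport":443}',
    '{"ts":"2022-05-26T10:00:07Z","type":"process","pid":403,"ppid":1,"exe":"/usr/bin/ssh","cmdline":"ssh user@host"}',
    '{"ts":"2022-05-26T10:00:08Z","type":"process","pid":404,"ppid":403,"exe":"/bin/sh","cmdline":"sh"}',
]

# Assumed names; tune these to the client binary and backend hosts in your environment.
CHAT_APPS = {"MiMi"}                                  # basename of the chat client executable
SHELLS = {"sh", "bash", "zsh", "cmd.exe", "powershell.exe"}
ALLOWED_DESTINATIONS = {"chat-backend.example"}       # the app's legitimate backend(s)

# pid -> (executable basename, parent pid), built up as process events arrive
ProcTable = Dict[int, Tuple[str, int]]


def lineage_contains_chat_app(procs: ProcTable, pid: int) -> bool:
    """Walk the parent chain from pid and report whether a chat client is an ancestor."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        name, ppid = procs[pid]
        if name in CHAT_APPS:
            return True
        pid = ppid
    return False


def detect(lines: List[str]) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, detail) findings for the two behaviours described in the article."""
    procs: ProcTable = {}
    findings: List[Tuple[str, int, str]] = []
    for line in lines:
        ev = json.loads(line)
        if ev["type"] == "process":
            name = os.path.basename(ev["exe"])
            procs[ev["pid"]] = (name, ev["ppid"])
            parent = procs.get(ev["ppid"])
            # Rule 1: a chat client has no business launching a command interpreter.
            if parent and parent[0] in CHAT_APPS and name in SHELLS:
                findings.append(("chat_app_spawned_shell", ev["pid"], ev["cmdline"]))
        elif ev["type"] == "network":
            if ev["dst"] in ALLOWED_DESTINATIONS:
                continue
            # Rule 2: the client, or anything it spawned, reaching a non-allowlisted host.
            # This also fires on the trojanized client itself fetching a payload.
            if lineage_contains_chat_app(procs, ev["pid"]):
                findings.append(("chat_app_lineage_unexpected_egress", ev["pid"],
                                 f'{ev["dst"]}:{ev["dport"]}'))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}\tpid={pid}\t{detail}")
```

Run against the constructed events, the script reports the shell spawned by the chat client and the shell's connection to `203.0.113.10`, while the client's own connection to the allowlisted backend and the ssh-spawned shell produce nothing. The allowlist is the part that needs care in practice: chat clients legitimately contact CDNs and update servers, so rule 2 should be populated from observed baseline traffic before it is used for alerting, and rule 1 is the higher-confidence signal of the two.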
Although the origins of the MiMi app remain somewhat murky, it has previously been leveraged by another Chinese-speaking threat actor known as Earth Berberoka, emphasizing the trend of tool sharing among APT groups operating in this region.
Connections to Lucky Mouse are further validated through shared infrastructure previously linked to their activity and the exclusive use of HyperBro, reinforcing the actor’s operational patterns.
This isn’t Lucky Mouse’s first abuse of a messaging application; similar tactics were noted in late 2020 when the ESET security team disclosed that the Able Desktop chat software was misused to deliver various payloads, including HyperBro and PlugX, targeting organizations in Mongolia.
For business owners concerned about cybersecurity, these developments underscore the necessity for heightened vigilance and robust security measures to protect against sophisticated and evolving cyber threats.