An instant messenger application primarily used in China, MiMi, has been trojanized to deliver backdoors to steal data from macOS, Windows, and Linux, multiple reports suggest.

MiMi’s macOS version compromised

Researchers from SEKOIA disclosed that the app’s macOS 2.3.0 version has been backdoored for around four months.
  • An unusual connection to this app was spotted while examining the C2 infrastructure of HyperBro RAT linked with APT27.
  • According to researchers, the malicious JS code inside MiMi's source code first ensures the app is running on a Mac device, then downloads and executes the rshell backdoor.

Linux and Windows infection

Trend Micro released a separate report about several variants of this same malware, which targeted MiMi’s servers in a supply chain attack.
  • According to this report, the oldest Linux rshell sample dated back to June 2021, and the first victim was spotted in mid-July 2021.
  • Researchers further identified old trojanized versions of MiMi targeting Linux (with rshell) and Windows (with HyperBro RAT).

Post-infection actions

  • Once launched, the malware harvests and sends system details to the C2 server and waits for commands from APT27.
  • The backdoor has support for an upload command to send files to its C2 server.
  • The attackers can use the malware to list folders/files and download and read/write files on infected systems.

Behind the attack

The malware has been associated with APT27 based on overlapping infrastructure using the same IP address range and TTPs.

Conclusion

The recent attack indicates that the APT27 group is expanding its operations to new goals, including surveillance. Its interest in Mac devices, and its capability to attack all three major operating systems, namely Windows, Linux, and Mac, make it a potential threat.
Cyware Publisher
