Chinese Cyberspies Use Supply Chain Attack to Deliver Windows, macOS Malware

China-linked cyberespionage group Iron Tiger was observed using the compromised servers of a chat application for the delivery of malware to Windows and macOS systems, Trend Micro reports.

Also referred to as APT27, Bronze Union, Emissary Panda, Lucky Mouse, and TG-3390 (Threat Group 3390), Iron Tiger has been active since at least 2010, targeting hundreds of organizations worldwide for cyberespionage purposes.

As part of recent attacks, the advanced persistent threat (APT) group abused the compromised servers of MiMi – an instant messaging application available on Windows, macOS, Android, and iOS – for malware delivery. The desktop version of MiMi is built using the cross-platform framework ElectronJS.

“Iron Tiger compromised the server hosting the legitimate installers for this chat application for a supply chain attack,” says Trend Micro, which downloaded a malicious MiMi installer for macOS from the legitimate servers this June.

The sample would fetch ‘rshell’, a macOS backdoor that can collect system information and send it to the command and control (C&C) server, as well as execute commands received from its operators and send the results to the C&C.

Based on received commands, the backdoor can open or close a shell, execute commands in a shell, list directories, read files, write to a file, close a file, prepare files for download or upload, or delete files.

Trend Micro says it has discovered numerous rshell samples, including some targeting Linux. The oldest of these samples was uploaded in June 2021.

The security firm also found evidence that Iron Tiger had access to the servers hosting the MiMi installers since at least November 2021, when the group modified the Windows installers; the macOS installers were modified in May 2022.


According to Trend Micro, the attackers were leveraging their access to the MiMi servers to modify installers quickly after the developers released new application versions.

“We can see that it took an hour and a half for the attackers to modify the legitimate installer and add malicious code to it. For older versions, it took the attackers one day to inject their modifications,” Trend Micro says.

The security firm also points out that the trojanized applications went unnoticed by users mainly because the legitimate MiMi installers are not signed, meaning that users would have to click through multiple system warnings during installation anyway, something MiMi users may have been accustomed to.
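As an added illustration, not part of the article or of Trend Micro's research, the following Python models the defender-side control that this supply chain attack sidestepped: an installer fetched from the vendor's own (compromised) download server is accepted only if its hash matches a manifest recorded out-of-band at release time, the served file was not modified after the build was published, and the file carries a code signature. The file names, hashes and timestamps are constructed sample values; the 90-minute modification delay in the sample mirrors the window Trend Micro describes.

```python
"""Pinned-manifest integrity check for downloaded installers.

Added example, not code from Trend Micro, MiMi or the article. Accepts an
installer only if it matches a hash recorded at release time, was not
modified after publication, and is code-signed. All sample values below are
constructed.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class ManifestEntry:
    sha256: str               # hex digest recorded when the release was published
    published_at: datetime    # when the vendor published this build


@dataclass(frozen=True)
class Artifact:
    name: str
    data: bytes
    modified_at: datetime     # Last-Modified / mtime reported by the download server
    signed: bool              # outcome of a platform signature check (codesign / Authenticode)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_installers(manifest: dict[str, ManifestEntry],
                      artifacts: list[Artifact],
                      require_signature: bool = True) -> dict[str, list[str]]:
    """Return findings per artifact name; an empty list means the file is accepted."""
    findings: dict[str, list[str]] = {}
    seen: set[str] = set()
    for art in artifacts:
        problems: list[str] = []
        entry = manifest.get(art.name)
        if entry is None:
            problems.append("not in manifest")
        else:
            seen.add(art.name)
            actual = sha256_hex(art.data)
            if actual != entry.sha256.lower():
                problems.append(f"hash mismatch: expected {entry.sha256[:12]}, got {actual[:12]}")
            # A file rewritten after the release was published is the signal the
            # attack left behind: the server copy changed, the published hash did not.
            if art.modified_at > entry.published_at:
                delay = art.modified_at - entry.published_at
                problems.append(f"modified {delay} after publication")
        if require_signature and not art.signed:
            problems.append("unsigned installer")
        findings[art.name] = problems
    for missing in manifest.keys() - seen:
        findings[missing] = ["listed in manifest but not served"]
    return findings


# --- constructed sample data (not real MiMi artifacts) ---
RELEASE_TIME = datetime(2022, 5, 2, 9, 0, tzinfo=timezone.utc)
LEGIT_MAC = b"MiMi macOS installer 2.3.0 -- constructed sample bytes"
LEGIT_WIN = b"MiMi Windows installer 2.3.0 -- constructed sample bytes"
TROJANIZED_MAC = LEGIT_MAC + b"\n;; appended loader -- constructed"

MANIFEST = {
    "MiMi-macOS.dmg": ManifestEntry(sha256_hex(LEGIT_MAC), RELEASE_TIME),
    "MiMi-Windows.exe": ManifestEntry(sha256_hex(LEGIT_WIN), RELEASE_TIME),
}


def demo() -> dict[str, list[str]]:
    """Server state 90 minutes after release: macOS build swapped, neither file signed."""
    served = [
        Artifact("MiMi-macOS.dmg", TROJANIZED_MAC,
                 RELEASE_TIME + timedelta(minutes=90), signed=False),
        Artifact("MiMi-Windows.exe", LEGIT_WIN, RELEASE_TIME, signed=False),
    ]
    return verify_installers(MANIFEST, served)


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or ["ok"])
```

The manifest has to come from somewhere the download server cannot rewrite (a signed release note, a package repository index, or a hash captured when the build was first approved); if the hashes are fetched from the same host as the installers, an attacker with write access to that host replaces both. The `signed` flag is the result of the platform's own check (`codesign --verify` on macOS, `Get-AuthenticodeSignature` on Windows), which the check treats as a hard requirement so that an unsigned vendor build is rejected in policy rather than waved through by users accustomed to the warnings.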

The modified Windows installers would download the HyperBro backdoor onto the victim’s system. This in-memory, custom backdoor can gather system information, upload or download files, manipulate files, list the contents of folders, execute shell commands, run applications, take screenshots, kill processes, inject code into processes, and manipulate services.

As part of these attacks, Iron Tiger appears to have targeted only victims in Taiwan and the Philippines: five targets of HyperBro and eight targets of rshell. Victimology falls in line with previous Iron Tiger operations.

Trend Micro says that it was able to identify only a single victim of these attacks, namely a Taiwanese gaming development company.

Related: Ransomware Attacks Linked to Chinese Cyberspies

Related: Telecom Sector Increasingly Targeted by Chinese Hackers: CrowdStrike

Related: China’s APT27 Hackers Use Array of Tools in Recent Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
