Chinese Cyberspies Use Supply Chain Attack to Deliver Windows, macOS Malware

China-linked cyberespionage group Iron Tiger was observed using the compromised servers of a chat application for the delivery of malware to Windows and macOS systems, Trend Micro reports.

Also referred to as APT27, Bronze Union, Emissary Panda, Lucky Mouse, and TG-3390 (Threat Group 3390), Iron Tiger has been active since at least 2010, targeting hundreds of organizations worldwide for cyberespionage purposes.

As part of recent attacks, the advanced persistent threat (APT) group abused the compromised servers of MiMi – an instant messaging application available on Windows, macOS, Android, and iOS – for malware delivery. The desktop version of MiMi is built using the cross-platform framework ElectronJS.

“Iron Tiger compromised the server hosting the legitimate installers for this chat application for a supply chain attack,” says Trend Micro, which downloaded a malicious MiMi installer for macOS from the legitimate servers this June.

The sample would fetch ‘rshell’, a macOS backdoor that can collect system information and send it to the command and control (C&C) server, as well as execute commands received from its operators and send the results to the C&C.

Based on received commands, the backdoor can open or close a shell, execute commands in a shell, list directories, read files, write to a file, close a file, prepare files for download or upload, or delete files.

Trend Micro says it has discovered numerous rshell samples, including some targeting Linux. The oldest of these samples was uploaded in June 2021.

The security firm also found evidence that Iron Tiger had access to the servers for the MiMi installers since at least November 2021, when they modified Windows installers. macOS installers, however, were modified in May 2022.

According to Trend Micro, the attackers were leveraging their access to the MiMi servers to modify installers quickly after the developers released new application versions.

“We can see that it took an hour and a half for the attackers to modify the legitimate installer and add malicious code to it. For older versions, it took the attackers one day to inject its modifications,” Trend Micro says.

The security firm also points out that the trojanized applications managed to go unnoticed by users mainly because the legitimate MiMi installers are not signed, meaning that users would need to go through multiple system warnings during installation, something that MiMi users might have been accustomed with.

The modified Windows installers would download the HyperBro backdoor onto the victim’s system. This in-memory, custom backdoor can gather system information, upload or download files, manipulate files, list the contents of folders, execute shell commands, run applications, take screenshots, kill processes, inject code into processes, and manipulate services.

As part of these attacks, Iron Tiger appears to have targeted only victims in Taiwan and the Philippines: five targets of HyperBro and eight targets of rshell. Victimology falls in line with previous Iron Tiger operations.

Trend Micro says that it was able to identify only a single victim of these attacks, namely a Taiwanese gaming development company.

Related: Ransomware Attacks Linked to Chinese Cyberspies

Related: Telecom Sector Increasingly Targeted by Chinese Hackers: CrowdStrike

Related: China’s APT27 Hackers Use Array of Tools in Recent Attacks