Security firms SEKOIA and Trend Micro have uncovered a new campaign by a Chinese hacking group known as Lucky Mouse. The attackers use trojanized versions of the cross-platform messaging app MiMi to backdoor Windows, Linux and macOS systems.
The malware is delivered through MiMi's installer files, which were tampered with to drop HyperBro samples on Windows and rshell artifacts on Linux and macOS.
As many as 13 different entities located in Taiwan and the Philippines have been targeted, eight of them with rshell. The first rshell victim was reported in mid-July 2021.
Lucky Mouse has been active since 2013 and has repeatedly gained access to its targets' networks in pursuit of political and military intelligence aligned with Chinese interests.
The advanced persistent threat (APT) actor is also adept at exfiltrating high-value information using a range of custom implants such as SysUpdate, HyperBro and PlugX.
The latest development is significant because it shows that the group now targets macOS in addition to Windows and Linux.
The campaign has all the hallmarks of a supply chain attack: the servers hosting MiMi's app installers are controlled by Lucky Mouse, which makes it possible to modify the app so that it retrieves backdoors from a remote server.
The macOS build was found tampered with as early as May 26, 2022, which appears to be the earliest compromise of the macOS version; Windows versions 2.2 and later had already been tampered with by November 23, 2021.
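When the download server itself is attacker-controlled, the only integrity check that helps is one whose reference value comes from somewhere else: a hash or signature published on the same compromised server would simply be updated to match the backdoored installer. The following is an added example, not code from the original report or from MiMi, showing the minimal defender-side check: stream the installer, compute its SHA-256 and compare it against a value pinned out of band. The installer bytes and the pinned hash are constructed for the example; the file names and function names are assumptions.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Constructed sample "installers" for this example (not real MiMi bytes).
# The tampered copy appends a second-stage fetch, mirroring the kind of
# modification described above, where the app is altered to pull a backdoor
# from a remote server.
CLEAN_INSTALLER = b"mimi-installer-example-bytes\n"
TAMPERED_INSTALLER = CLEAN_INSTALLER + b"# stage2: fetch backdoor from remote server\n"

# Hypothetical pinned value. In practice this must be obtained out of band
# (signed release notes, a trusted mirror, a vendor advisory), never from the
# server that serves the installer, because in a supply chain compromise the
# attacker controls that server and can publish a matching hash.
PINNED_SHA256 = hashlib.sha256(CLEAN_INSTALLER).hexdigest()


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large installers are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def installer_matches_pin(path: Path, pinned_sha256: str) -> bool:
    """Return True only if the on-disk file hashes to the pinned value.

    compare_digest is used out of habit; timing is not a concern for a local
    file check, but constant-time comparison costs nothing here.
    """
    return hmac.compare_digest(sha256_of_file(path), pinned_sha256.lower())


def demo() -> dict:
    """Write the constructed clean and tampered installers and check both.

    Returns {'clean': True, 'tampered': False} for the constructed inputs.
    """
    with tempfile.TemporaryDirectory() as d:
        clean = Path(d) / "mimi-clean.bin"
        tampered = Path(d) / "mimi-tampered.bin"
        clean.write_bytes(CLEAN_INSTALLER)
        tampered.write_bytes(TAMPERED_INSTALLER)
        return {
            "clean": installer_matches_pin(clean, PINNED_SHA256),
            "tampered": installer_matches_pin(tampered, PINNED_SHA256),
        }


if __name__ == "__main__":
    print(demo())  # {'clean': True, 'tampered': False}
```

A hash pin only protects against a modified installer; it does not help if the legitimate build itself bundles a malicious component, and it has to be refreshed for every release, which is why a signed release channel with a pinned signer key is the stronger form of the same check.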
rshell is a standard backdoor with the usual set of features, allowing the execution of arbitrary commands received from a command-and-control (C2) server.
It is not immediately clear whether MiMi is a legitimate chat program or was designed as a surveillance tool. The app has also been used by another Chinese-speaking actor, dubbed Earth Berberoka (aka GamblingPuppet), in attacks aimed at online gambling sites, once again indicative of the widespread sharing of tools among actors and groups with a China nexus.
The operation's connection to Lucky Mouse stems from links to infrastructure previously identified as used by the intrusion set, and from the deployment of HyperBro, a backdoor used exclusively by the group.
SEKOIA notes that this is not the first time a chat app has been used to launch attacks. In late 2020, ESET found that the popular chat software Able Desktop was being abused to deliver HyperBro and PlugX malware to targets in Mongolia.