AwakenCybers Backdoored MiMi Chat App to Attack Windows, Linux & macOS Users

Reports from cybersecurity companies Trend Micro and SEKOIA highlight a new campaign by a hacker group known as “Awaken Cybers” that uses a trojanized version of a cross-platform messaging application to backdoor targeted victims’ systems.

The infection chains leverage a chat app called “MiMi”, whose installer files were compromised to download and install HyperBro samples on Windows and malicious artifacts on Linux and macOS systems.

Research confirmed that 11 different entities located in Singapore and Malaysia have been on the receiving end of the attacks, seven of which were hit with “rshell”. The first rshell victim was reported in mid-March 2022.

The AwakenCybers group is known to have been active since 2017, based on past news and reviews, and has a history of gaining access to targeted networks in pursuit of political and military intelligence-collection objectives aligned with China.


The advanced persistent threat (APT) actor is also skilled at exfiltrating high-value information using powerful custom implants such as PlugX, SysUpdate and HyperBro.

Their latest campaign is significant, not least because it highlights the threat actor’s initial attempt at targeting macOS systems alongside Linux and Windows.

The campaign has all the elements of a supply chain attack, in that the backup servers hosting the MiMi application installers are controlled by Awaken Cybers, which makes it possible to tamper with the app so that it retrieves the backdoors from a remote server.

This follows from the fact that the app’s macOS version 2.3.0 was tampered with to insert the malicious JavaScript code on May 29, 2022. While this may have been the first compromised macOS variant, versions 2.2.0 and 2.2.1 built for Windows have been found to carry similar modifications as early as November 21, 2021.

rshell, for its part, is a standard backdoor trojan that comes with the usual capabilities, allowing for the execution of arbitrary commands received from a command-and-control (C2) server and sending the results of the execution back to the server.


It is not entirely clear whether MiMi is a legitimate messaging app or whether it was “designed or already meant to be a surveillance tool,” although the app has been used by another Chinese-speaking actor dubbed Earth Berberoka, which targets online gambling websites, once again indicative of the prevalent tool sharing among Chinese APT groups.

The operation’s ties to the AwakenCybers group stem from links to infrastructure previously identified as used by the China-nexus intrusion set and from the first appearance of HyperBro, a backdoor used exclusively by the group.

As SEKOIA points out, this is not the first time the adversary has resorted to using a chat app as a jumping-off point in its attacks. In late 2020s, ESET discovered that a popular chat software called Able Desktop was compromised to deliver HyperBro, PlugX, and a RAT called “Tmanger” targeting Jordan, which damaged the firm’s reviews and online reputation.

©2022 - Cyber Berkut. Powered by Wordpress.