Chinese chat app MiMi became a vector for a new backdoor

August 19, 2022

A Chinese cross-platform instant chat app, MiMi, has been trojanised by threat actors to spread a new backdoor dubbed ‘rshell’. The threat actors use the backdoor to harvest data from macOS and Linux systems.

Researchers claimed that the application’s macOS version 2.3.0 had been backdoored for at least four months, since May.

The researchers uncovered the issue in the MiMi app after spotting suspicious connections to the application while examining the C2 infrastructure of the HyperBro RAT, malware connected to APT27, a Chinese-sponsored advanced persistent threat group.

The same campaign was also found to use older trojanised MiMi chat app versions targeting Windows (with HyperBro) and Linux (with rshell). The rshell version the hackers used last year was the oldest known Linux strain of rshell, and its first victim was reported in late July 2021.

The trojanised MiMi chat app’s source code checks where it is running before the attack executes.

The malicious JavaScript inside MiMi’s source code checks whether the app is running on a Mac device. Once it confirms it is on macOS, it downloads and executes rshell, according to researchers at SEKOIA.

Subsequently, the malware gathers system information, sends it to its command-and-control server and awaits commands from the APT27 threat group. The threat actors can then list folders and files, and read, download, and write files on compromised systems.

Moreover, the backdoor supports an upload command that sends stolen files to its command server.

Many researchers believe that the rshell malware is affiliated with APT27, since there is overlapping infrastructure using identical IP address ranges and similar attack tactics. One of the similarities between the rshell backdoor and the APT group’s earlier activity is that both infected a desktop messaging application (in Operation StealthyTrident) and loaded malicious code with the Dean Edwards JS packer.
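The two traits the article describes, a platform check in injected JavaScript that leads to a download-and-execute step, and code obfuscated with the Dean Edwards JS packer, are both things a defender can look for in an Electron app’s unpacked sources. The following scanner is an added example, not SEKOIA’s tooling or any code from the MiMi case; the platform-check and execution patterns are assumptions about what such injected code typically looks like, and the sample string is constructed.

```python
import re
from pathlib import Path

# Dean Edwards packer output always begins with eval(function(p,a,c,k,e,d){
# (older releases used p,a,c,k,e,r). Some legitimate libraries ship packed,
# so a hit is a triage lead rather than proof of compromise.
PACKER_RE = re.compile(r"eval\(function\(p,a,c,k,e,[dr]\)")

# Assumed shape of the behaviour abused here: an Electron/Node platform check
# (process.platform) combined with process execution. Tune for your own apps.
PLATFORM_RE = re.compile(r"process\.platform\s*===?\s*['\"](darwin|linux|win32)['\"]")
EXEC_RE = re.compile(r"child_process|\bexec(Sync)?\(|\bspawn\(")


def scan_js(text: str) -> dict:
    """Return which indicators are present in one JavaScript source file."""
    return {
        "packed": bool(PACKER_RE.search(text)),
        "platform_check": bool(PLATFORM_RE.search(text)),
        "exec": bool(EXEC_RE.search(text)),
    }


def is_suspicious(findings: dict) -> bool:
    """Packed code, or a platform check that sits next to process execution."""
    return findings["packed"] or (findings["platform_check"] and findings["exec"])


def scan_app_dir(root: Path) -> list:
    """Walk an unpacked Electron app (e.g. an extracted app.asar) and list
    the .js files that deserve manual review, with their findings."""
    hits = []
    for path in root.rglob("*.js"):
        try:
            findings = scan_js(path.read_text(encoding="utf-8", errors="ignore"))
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        if is_suspicious(findings):
            hits.append((path, findings))
    return hits


if __name__ == "__main__":
    # Constructed sample resembling the described pattern, not real MiMi code.
    SAMPLE = "if (process.platform === 'darwin') { require('child_process').exec('PLACEHOLDER'); }"
    print(scan_js(SAMPLE), is_suspicious(scan_js(SAMPLE)))
```

Run `scan_app_dir` against an extracted app directory to get the list of files to inspect by hand; a packed file is worth unpacking before judging it.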

Currently, the threat operators appear to be relying on a social engineering tactic that targets users and encourages them to download the malicious applications, presented as a way to circumvent Chinese app censorship, so that the malware propagates.
