Chinese Espionage Group called Iron Tiger (aka LuckyMouse) is targeting Windows, Linux, and macOS Users with trojanized MiMi Chat app installers.
Cybersecurity firms Trend Micro and SEKOIA have identified a new malware campaign from Iron Tiger, a Chinese APT group also known as Emissary Panda, Goblin Panda, Conimes, Cycldek, Bronze Union, LuckyMouse, APT27, and Threat Group 3390 (TG-3390).
The China-linked cyberespionage group is targeting Windows, Linux, macOS, and iOS users through trojanized versions of the MiMi chat app installers. The primary targets of Iron Tiger in this campaign were located in Taiwan and the Philippines.
Trend Micro was able to identify one of the victims, a Taiwan-based game development firm; overall, thirteen entities were targeted.
Detailed Analysis of Iron Tiger Spying Campaign
The group has previously run politically motivated, profit-driven, and intelligence-gathering cyberespionage campaigns. For instance, in June 2018, Iron Tiger APT was caught targeting a national data center of an unnamed Central Asian country using a watering hole attack.
In March 2018, the same group was identified in a cyber attack against Pakistani government infrastructure. In April 2021, Iron Tiger APT was once again caught spying on Vietnam’s government and military organizations with FoundCore RAT.
Iron Tiger’s latest campaign was identified in June, after Trend Micro researchers downloaded an infected build of MiMi’s iOS version.
In this campaign, Iron Tiger’s modus operandi involves compromising the MiMi chat app servers to infect unsuspecting users’ devices. The app uses the ElectronJS cross-platform framework for its desktop version.
According to SEKOIA, the campaign has all the elements of a supply chain attack, since the app’s backend servers that host MiMi’s legitimate installers are controlled by the attackers. The modified MiMi installers download an in-memory, custom backdoor called HyperBro onto the targeted device.
Attackers Constantly Modified Chat App Installers to Deliver Malware
Researchers confirmed that Iron Tiger started accessing MiMi’s host server in November 2021. When the developers released new versions of the MiMi chat app, the malware operators exploited their access to the host servers to modify the new installers quickly.
It took the malware operators only one and a half hours to alter the legitimate installers of the newest release, while for older versions the modification had taken them a day.
According to their blog post, Trend Micro discovered various rshell samples, including one that targeted Linux. Researchers analyzed the iOS sample and identified that it fetched the rshell backdoor for macOS, which can collect system data and transmit it to a C2 server. It can also execute commands sent by the attackers and return the results to the same C2 server.
Further analysis revealed that the backdoor can open and close a shell and execute commands in it; read, delete, or close files; list directories; and prepare files for upload or download. As per the researchers, the oldest sample was uploaded in June 2021.
Why the Backdoored App Didn’t Raise Suspicion
Researchers pointed out that the backdoored versions of the MiMi chat app went unnoticed and didn’t raise any red flags because the legitimate installers weren’t signed either. This means users were already used to clicking through multiple system warnings when installing the app, so an unsigned, tampered installer looked no different from the real one.
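Because the installers carried no signature, the only way for a defender to spot the kind of post-release tampering described above (the Electron bundle modified on the vendor's own server) is to compare what was downloaded against a known-good manifest obtained out of band. The following Python is an added example, not code from the article or from Trend Micro or SEKOIA; the directory layout and file contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = hashlib.sha256(
                path.read_bytes()
            ).hexdigest()
    return manifest


def diff_manifest(expected, actual):
    """Return (added, modified, removed) paths of `actual` relative to the known-good
    `expected` manifest. `expected` must come from a source the attacker does not
    control; a manifest served from the same compromised server proves nothing."""
    added = sorted(set(actual) - set(expected))
    removed = sorted(set(expected) - set(actual))
    modified = sorted(p for p in expected if p in actual and expected[p] != actual[p])
    return added, modified, removed


def demo():
    """Constructed example: a clean Electron app tree and a tampered copy of it."""
    with tempfile.TemporaryDirectory() as tmp:
        good, bad = Path(tmp, "good"), Path(tmp, "bad")
        for tree in (good, bad):
            app = tree / "resources" / "app"
            app.mkdir(parents=True)
            (app / "main.js").write_text("require('./app');\n")
            (app / "package.json").write_text('{"main": "main.js"}\n')
        expected = build_manifest(good)  # recorded from the clean build
        # Simulated tampering: an extra file dropped into the bundle and the entry
        # point edited to load it (hypothetical names, not the real campaign's).
        (bad / "resources" / "app" / "main.js").write_text(
            "require('./app');\nrequire('./extra');\n"
        )
        (bad / "resources" / "app" / "extra.js").write_text("// injected file\n")
        return diff_manifest(expected, build_manifest(bad))


if __name__ == "__main__":
    added, modified, removed = demo()
    print("added:", added, "modified:", modified, "removed:", removed)
```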