Iron Tiger Compromises Chat Application Mimi, Targets Windows, Mac, and Linux Users

We confirmed that both the legitimate and the malicious versions of the chat installer were unsigned, which means the users of MiMi chat were probably used to all these extra steps to finally install the application despite all the macOS watchguards.

HyperBro

The HyperBro malware family has been around since 2017 and has been extensively analyzed. It was updated in mid-2019, which we described in detail in our Operation DRBControl paper.

The version used in this campaign is no different from what we already described in our previous Iron Tiger investigation. The only noteworthy element is the Authenticode signature of dlpprem32.dll, which is signed by a (now) revoked certificate belonging to “Cheetah Mobile Inc.” The said company was formerly known as Kingsoft Internet Software Holdings Limited, wherein during our previous investigation on the group, we already found one HyperBro DLL signed by a certificate belonging to Kingsoft.

Targets

We found 13 different targets while following our sensors‘ data. The only targeted countries were Taiwan and the Philippines: five targets of HyperBro (four in Taiwan and one in the Philippines). Meanwhile, we found eight targets for rshell: six in Taiwan, one in the Philippines, and one being in Taiwan and the Philippines.

While we were unable to identify all the targets, these targeting demographics demonstrate a geographical region of interest for Iron Tiger. Among those targets, we could only identify one of them: a Taiwanese gaming development company. Interestingly, we found a sample from the Reptile rootkit framework in that same company, as well as network requests to a subdomain that belongs to Earth Berberoka’s infrastructure.

We also noticed network requests from a Taiwanese IT development company to the subdomain trust[.]veryssl[.]org, and the subdomain center.veryssl[.]org is a C&C for one of the rshell samples we found. This suggests the company could be compromised by the same threat actor.

Timeline

  • June 2021: Oldest Linux rshell sample found
  • November 2021: Threat actor modified version 2.2.0 of Windows MiMi chat installer to download and execute HyperBro backdoor
  • May 2021: Threat actor modified version 2.3.0 of Mac OS MiMi chat installer to download and execute “rshell” backdoor

Attribution and conclusion

We attribute this campaign to Iron Tiger for multiple reasons. First, the dlpprem32.dll file linked to HyperBro shares certain characteristics (specifically imphash, RICH header) with previous samples already attributed to the group. Also, the file names involved in the decoding and loading of HyperBro are similar to those we witnessed during our investigation last year.

Second, one of the Linux rshell samples used the IP address 45[.]142[.]214[.]193 as its C&C. In 2020, that IP address had a particular reverse DNS: nbaya0u2[.]example[.]com. During our Operation DRBControl investigation, we found a HyperBro sample that had 138[.]124[.]180[.]108 as its C&C. This second IP address had nbaya0u1[.]example[.]com as its reverse DNS. However, as the rshell sample was found in 2021, we initially did not find this correlation strong enough to attribute the rshellmalware family to Iron Tiger.

Despite the fact that same state-sponsored threat actors tend to share their malware tools (such as gh0st, PlugX, and Shadowpad), this is not the case for HyperBro as far as we know. The fact that we found this malware being used in this campaign is an additional indicator pointing towards Iron Tiger.

We also found some links to Earth Berberoka. From one of the victims where we found an rshell sample, we also found a binary belonging to the Reptile rootkit framework, a rootkit identified as part of the arsenal of Earth Berberoka. We also noticed network communications from this victim to a subdomain of Earth Berberoka, suggesting it could have been previously compromised by this threat actor. We noticed a different system in the same situation, as well as the network connections to the subdomain trust[.]veryssl[.]org domain name. One of the rshell samples had center[.]veryssl[.]org as the C&C. Both findings suggest that those victims could be compromised by both threat actors, or that Earth Berberoka is actually a subgroup of Iron Tiger. As a reminder, while investigating Earth Berberoka, we found multiple links to Iron Tiger that we detailed in our research.

Indicators of Compromise (IOCs)

You will find the list of IOCs here.

Read More HERE