{"id":47959,"date":"2022-08-12T00:00:00","date_gmt":"2022-08-12T00:00:00","guid":{"rendered":"urn:uuid:ab266a61-63b3-5caa-6f8d-055ffd686bf5"},"modified":"2022-08-12T00:00:00","modified_gmt":"2022-08-12T00:00:00","slug":"iron-tiger-compromises-chat-application-mimi-targets-windows-mac-and-linux-users","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/iron-tiger-compromises-chat-application-mimi-targets-windows-mac-and-linux-users\/","title":{"rendered":"Iron Tiger Compromises Chat Application Mimi, Targets Windows, Mac, and Linux Users"},"content":{"rendered":"

<\/p>\n

<\/div>\n

We confirmed that both the legitimate and the malicious versions of the chat installer were unsigned, which means the users of MiMi chat were probably used to all these extra steps to finally install the application despite all the macOS watchguards.<\/p>\n

HyperBro<\/b><\/p>\n

The HyperBro malware family has been around since 2017 and has been extensively analyzed<\/a>. It was updated in mid-2019, which we described in detail in our Operation DRBControl<\/a> paper.<\/p>\n

The version used in this campaign is no different from what we already described in our previous Iron Tiger<\/a> investigation. The only noteworthy element is the Authenticode signature of dlpprem32.dll, which is signed by a (now) revoked certificate belonging to \u201cCheetah Mobile Inc.\u201d The said company was formerly known as Kingsoft Internet Software Holdings Limited, wherein during our previous investigation<\/a> on the group, we already found one HyperBro DLL signed by a certificate belonging to Kingsoft.<\/p>\n

Targets<\/span><\/p>\n

We found 13 different targets while following our sensors\u2018 data. The only targeted countries were Taiwan and the Philippines: five targets of HyperBro (four in Taiwan and one in the Philippines). Meanwhile, we found eight targets for rshell: six in Taiwan, one in the Philippines, and one being in Taiwan and the Philippines.<\/p>\n

While we were unable to identify all the targets, these targeting demographics demonstrate a geographical region of interest for Iron Tiger. Among those targets, we could only identify one of them: a Taiwanese gaming development company. Interestingly, we found a sample from the Reptile rootkit framework in that same company, as well as network requests to a subdomain that belongs to Earth Berberoka\u2019s infrastructure.<\/p>\n

We also noticed network requests from a Taiwanese IT development company to the subdomain trust[.]veryssl[.]org<\/i>, and the subdomain center.veryssl[.]org<\/i> is a C&C for one of the rshell samples we found. This suggests the company could be compromised by the same threat actor.<\/p>\n

Timeline<\/span><\/p>\n