The China-linked cyberespionage group Iron Tiger, also tracked as APT27, was identified by researchers at Trend Micro as tampering with the installers of the instant messaging framework MiMi. The group compromised MiMi’s servers and has maintained persistent access since November 2021, when it began deploying malicious installers for Windows and macOS.
APT27 uploaded a malicious MiMi installer for macOS to legitimate MiMi servers this June. The sample would fetch ‘rshell’, a macOS backdoor that collects system information and sends it to the command-and-control (C&C) server, executes commands received from its operators, and returns the results to the C&C server. Depending on the commands received, the backdoor can open or close a shell, execute commands in a shell, list directories, read files, write to a file, close a file, prepare files for download or upload, or delete files.
The modified Windows installers would download the HyperBro backdoor onto the victim’s system. This custom in-memory backdoor can gather system information, upload or download files, manipulate files, list the contents of folders, execute shell commands, run applications, take screenshots, kill processes, inject code into processes, and manipulate services.
According to Trend Micro researchers, APT27 would wait until the developers pushed a new version of MiMi; within an hour and a half of the release, the threat actors would modify the installer to infect victims. Most of the attacks went unnoticed because the legitimate MiMi installers were themselves unsigned: users already had to click through many warnings to install the genuine software, so the compromised installers raised no additional suspicion. Iron Tiger was seen targeting victims in the Philippines and Taiwan, which is consistent with its established modus operandi. Researchers determined that the threat actors deployed the HyperBro backdoor on five of the targets and rshell on eight.

While the risks from supply chain compromise remain difficult to control, an active vulnerability management program and a strict allow list of third-party applications will help mitigate these attacks. Moreover, a defense-in-depth security program focused on detecting post-exploitation malicious behaviors remains the best approach to a threat environment that includes zero-day vulnerabilities and supply chain compromise.
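One way to implement the installer allow list recommended above, as an added example that is not from Trend Micro’s report or from the MiMi project: it checks a downloaded Windows installer’s SHA-256 against vendor-published digests and flags installers that carry no embedded Authenticode signature, the condition that let the modified MiMi installers blend in with the genuine ones. The PE headers, allow list and dropper bytes below are constructed for the demo; a real deployment would read the downloaded file and the vendor’s published digests.

```python
import hashlib
import struct

# Allow-list gate for third-party installers: the file's SHA-256 must match a
# vendor-published digest, and a Windows PE must carry an embedded Authenticode
# signature. Presence is not validity; let the OS verify the chain afterwards.
SECURITY_DIR_INDEX = 4

def pe_has_embedded_signature(data: bytes) -> bool:
    """True if the PE has a non-empty IMAGE_DIRECTORY_ENTRY_SECURITY entry."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    opt = e_lfanew + 24                     # past "PE\0\0" and the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = {0x10B: opt + 96, 0x20B: opt + 112}.get(magic)  # PE32 / PE32+ data directories
    if dirs is None or dirs + (SECURITY_DIR_INDEX + 1) * 8 > len(data):
        return False
    rva, size = struct.unpack_from("<II", data, dirs + SECURITY_DIR_INDEX * 8)
    return rva != 0 and size != 0

def installer_findings(data: bytes, allow_list: set) -> list:
    """Reasons to block an installer; an empty list means it passes the gate."""
    findings = []
    if hashlib.sha256(data).hexdigest() not in allow_list:
        findings.append("sha256 not on vendor allow list")
    if not pe_has_embedded_signature(data):
        findings.append("no embedded Authenticode signature")
    return findings

def build_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ header (demo input only, not a real installer)."""
    opt = bytearray(240)                    # PE32+ optional header size
    struct.pack_into("<H", opt, 0, 0x20B)
    if signed:                              # point the security directory at a blob
        struct.pack_into("<II", opt, 112 + SECURITY_DIR_INDEX * 8, 0x1000, 0x800)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x22)
    return b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0" + coff + bytes(opt)

# Constructed scenario: the vendor ships an unsigned build (as MiMi did) and an
# attacker appends a dropper to it. Only the genuine build's digest is allowed.
VENDOR_BUILD = build_sample_pe(signed=False)
TAMPERED_BUILD = VENDOR_BUILD + b"<constructed dropper payload>"
ALLOW_LIST = {hashlib.sha256(VENDOR_BUILD).hexdigest()}

if __name__ == "__main__":
    for name, blob in (("vendor build", VENDOR_BUILD), ("tampered build", TAMPERED_BUILD)):
        print(f"{name}: {installer_findings(blob, ALLOW_LIST) or 'passes gate'}")
```

The unsigned vendor build is flagged on the signature check alone, which is the warning-fatigue problem described above; the tampered build fails the hash comparison as well, so the allow list catches it even when a policy tolerates unsigned vendors.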