The Chinese-linked cyberespionage group Iron Tiger (also tracked as APT27) was identified by researchers at Trend Micro as trojanizing the installers of the MiMi instant messaging application. The group compromised MiMi's servers and has maintained persistent access since November 2021, when it began serving backdoored installers for Windows and macOS. Because the trojanized installers were delivered from MiMi's own servers, users who downloaded the application from its official distribution point received the backdoor along with it.
In June of this year, APT27 uploaded a malicious MiMi installer for macOS to the legitimate MiMi servers. The sample fetches 'rshell', a macOS backdoor that collects system information and sends it to the command-and-control (C&C) server, executes commands received from its operators, and returns the results to the C&C server. Depending on the command received, the backdoor can open or close a shell, execute commands in that shell, list directories, read files, write to a file, close a file, prepare files for download or upload, or delete files.
The modified Windows installers download the HyperBro backdoor onto the victim's system. HyperBro, a custom backdoor that runs in memory, can gather system information, upload and download files, manipulate files, list the contents of folders, execute shell commands, run applications, take screenshots, kill processes, inject code into processes, and manipulate services.