During a review of the HyperBro Command and Control (C2) infrastructure linked to the China-nexus LuckyMouse intrusion set, SEKOIA spotted an unusual connection with an application. Further investigation led us to identify this application as “MìMì” (秘秘 – “secret”, aka Mi). Mimi is a Chinese-speaking Electron app developed by Xiamen Baiquan Information Technology Co. The “Mi” application is an Electron messaging app available for the Android, iOS, Windows and MacOS platforms.

SEKOIA established that “MìMì” Messenger’s MacOS version is trojanized since to download and execute a Mach-O binary dubbed “rshell”. At this stage, SEKOIA is not able to assess the objective of this campaign. As this application’s use in China appears low, it is plausible that it was developed as a targeted surveillance tool. It is also likely that, following social engineering carried out by the operators, targeted users are encouraged to download this application, purportedly to circumvent Chinese authorities’ censorship.

This is not the first time a messaging application dropping an implant that connects to the LuckyMouse infrastructure has been observed. In 2020, our ESET fellows uncovered compromised versions of Able Desktop, a messaging application widely used in Mongolia, in the “StealthyTrident” operation. In that campaign, Able Desktop was used to drop several implants, including PlugX, Tmanger and HyperBro, known to be part of the LuckyMouse tool set. However, this is the first time that SEKOIA has observed LuckyMouse targeting MacOS. Moreover, if this application is used exclusively by Chinese citizens, it would be the first time that we have identified LuckyMouse involved in domestic surveillance.

This FLINT presents our findings on this campaign, including a description of the Rshell implant and the associated IOCs.