Chinese Hackers Backdoor Chat App to Steal Data From Windows, Linux & macOS

Cybersecurity researchers at SEKOIA have recently identified a trojanized version of MiMi, a cross-platform chat app aimed primarily at the Chinese market.

The trojanized version of MiMi delivers a new backdoor known as rshell that is capable of stealing data from the following platforms:

  • Linux
  • macOS

The backdoor was discovered almost four months after it was installed in version 2.3.0 of the app on macOS. The team found it while looking at C2 infrastructure for the HyperBro RAT malware, when it noticed irregular connections to this app.

The most interesting aspect of this malware is that there are several links between it and the Chinese-backed threat group APT27 (aka Emissary Panda, Iron Tiger, and LuckyMouse).

Technical Analysis

MiMi’s source code is infected with malicious JavaScript code that checks if the app is being run on a Mac device before injecting the malicious code. Following that, the shell backdoor is downloaded and executed by the Trojan.

On May 26, 2022, version 2.3.0 of was published with a trojanized “./” file.

Once launched, the malware collects system information, sends it to its C2 server, and awaits commands from the APT27 threat actors.

With it, attackers can list folders and files on compromised systems and read, download, and write files.

It is also equipped with a very useful upload command, which can instruct the backdoor to upload files to the server on which the backdoor is installed.

SEKOIA currently cannot determine whether this app is legitimate or whether it was repurposed as a spying app in order to collect data.

RShell Mach-O implant

The downloaded implant, which its developers named RShell, is written in C++. Upon execution, the RShell backdoor attempts to establish a connection with the C2 server.

A “Hello message” is sent to the C2 server containing the following information:

  • a random GUID, added to each response to the C2 server
  • the hostname
  • the IPv4 addresses
  • the type of connection (“login” for instance)
  • the current username
  • the kernel version

The C2 server sends a keep-alive message every 40 seconds to ensure continuity of connection. It is important that this message be echoed by the server.
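The 40-second keep-alive gives defenders a timing pattern to hunt for in connection logs. The sketch below is an added example, not code from SEKOIA or from the original article; the record layout, host names, addresses and thresholds are all constructed assumptions.

```python
import statistics
from collections import defaultdict

# Constructed sample records: (epoch seconds, source host, destination, bytes).
# Hosts and addresses are documentation placeholders, not indicators from the report.
SAMPLE_EVENTS = (
    # Steady ~40 s cadence with one second of jitter either way.
    [(1000 + 40 * i + j, "mac-017", "192.0.2.10:443", 24)
     for i, j in enumerate([0, 1, 0, -1, 0, 1, 0, 0])]
    # Irregular interactive traffic from the same host.
    + [(t, "mac-017", "198.51.100.7:443", 900)
       for t in (1003, 1010, 1095, 1101, 1230, 1400)]
    # Regular, but too few messages to judge.
    + [(1000 + 40 * i, "lin-042", "203.0.113.5:8080", 24) for i in range(3)]
)

def find_keepalive_pairs(events, period=40.0, tolerance=2.0,
                         max_jitter=2.0, min_messages=6):
    """Return (src, dst) pairs whose messages recur every `period` seconds.

    A pair is flagged when it has at least `min_messages` messages, the median
    gap between consecutive messages is within `tolerance` of `period`, and the
    population standard deviation of the gaps is at most `max_jitter` seconds.
    """
    times = defaultdict(list)
    for ts, src, dst, _size in events:
        times[(src, dst)].append(ts)

    flagged = []
    for pair, stamps in sorted(times.items()):
        if len(stamps) < min_messages:
            continue  # too few samples to call the traffic periodic
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        median_gap = statistics.median(gaps)
        jitter = statistics.pstdev(gaps)
        if abs(median_gap - period) <= tolerance and jitter <= max_jitter:
            flagged.append((pair, median_gap, round(jitter, 2)))
    return flagged

if __name__ == "__main__":
    for (src, dst), gap, jitter in find_keepalive_pairs(SAMPLE_EVENTS):
        print(f"{src} -> {dst}: median gap {gap}s, jitter {jitter}s")
```

A fixed interval alone also matches benign heartbeats, so a hit is a lead to correlate with process and destination context rather than a verdict.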

SEKOIA strongly believes that LuckyMouse is behind this activity.

Considering that LuckyMouse’s mandate now includes surveillance, it is reasonable to assume that this activity indicates that its mandate has been expanded.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.