Iron Tiger used compromised servers of MiMi to launch malware

In recent attacks, cyberespionage group Iron Tiger abused the compromised servers of MiMi – an instant messaging application available on Windows, macOS, Android and iOS. The advanced persistent threat (APT) group used the server to deliver malware. The desktop version of the chat application is built using the cross-platform framework ElectronJS.  

Iron Tiger has been active since around 2010. It is known to have targeted hundreds of organizations worldwide for cyberespionage purposes. The group is also referred to as APT27, Bronze Union, Emissary Panda, Lucky Mouse and TG-3390 (Threat Group 3390). 

According to reports, Iron Tiger compromised the server hosting the legitimate installers of the chat application to carry out a supply chain attack. Trend Micro downloaded a malicious MiMi installer for macOS from the legitimate servers this June and later reported the ongoing issue.

The sample was capable of fetching ‘rshell’, a macOS backdoor. The backdoor can collect system information and send it to the command and control (C&C) server. It can also execute commands that it receives from its operators and send the results to the C&C server.

Depending on the commands received, the backdoor can open or close a shell, execute commands in a shell, list directories, read files, write to a file, close a file, prepare files for download or upload, or delete files.

Trend Micro reported finding multiple rshell samples, including some that target Linux. The last of these samples was uploaded in June 2021.

 


