The threat actor Luckymouse (also known as Emissary Panda, APT27, Bronze Union and Iron Tiger) used a trojanized version of the cross-platform messaging app MiMi to backdoor devices across Windows, macOS and Linux operating systems.
The news comes from two different security reports, respectively published by SEKOIA and Trend Micro over the weekend.
After modifying the installer files, Luckymouse had the weaponized version of MiMi download and install samples of the HyperBro remote access trojan (RAT) on Windows, and a Mach-O binary dubbed “rshell” on Linux and macOS.
“While this was not the first time the technique was used, this latest development shows Iron Tiger’s interest in compromising victims using the three major platforms: Windows, Linux and macOS,” read the Trend Micro advisory.
In terms of targets, the security researchers said they identified 13 victims across Taiwan and the Philippines.
“While we were unable to identify all the targets, these targeting demographics demonstrate a geographical region of interest,” Trend Micro wrote. “Among those targets, we could only identify one of them: a Taiwanese gaming development company.”
The SEKOIA advisory, on the other hand, does not assess the hackers’ motivation, but cautiously attributes the Luckymouse MiMi attacks to Chinese threat actors.
“As this application’s use in China appears low, it is plausible it was developed as a targeted surveillance tool,” read the document.
“It is also likely that, following social engineering carried out by the operators, targeted users are encouraged to download this application, purportedly to circumvent Chinese authorities’ censorship.”
“Regardless of LuckyMouse’s goals, it is of particular interest to observe the targeting of MacOS environment,” the advisory concluded. “SEKOIA assesses this [threat actor] will continue updating and improving their capabilities in the short-term.”
The attacks come roughly a year after Luckymouse was mentioned in the ESET list of advanced persistent threat (APT) groups exploiting Microsoft Exchange vulnerabilities.