Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Iron Tiger Group. Show all posts

Windows, Linux and macOS Users Hit by Chinese Iron Tiger

China-sponsored cyberhackers group Iron Tiger (aka LuckyMouse) has been exposed using the compromised servers of a chat application called MiMi to execute malware to Windows, Linux, and macOS systems. The primary targets of Iron Tiger in this campaign were located in Taiwan and the Philippines. 

Cybersecurity organizations Trend Micro and SEKOIA published a detailed report stating that the Iron Tiger organized a new cyberespionage campaign by the Iron Tiger, also known as Emissary Panda, Cycldek, Bronze Union, Goblin Panda Conimes, LuckyMouse, APT27, and Threat Group 3390 (TG-3390). This group has been active since at least 2010, victimizing hundreds of organizations worldwide for cyberespionage purposes. 

Additionally, the group has a history of working around targeted servers in pursuit of its political and military intelligence-collection objectives aligned with China. Trend Micro has identified one of the victims of this attack  a Taiwan-based gaming development firm that along with thirteen other entities was targeted. 

The advanced persistent threat (APT) group used the compromised servers of MiMi, a messaging application available on different platforms with its installer files compromised to download and install HyperBro samples for the Windows operating system and rshell artifacts for Windows, Android, macOS, and iOS. The desktop version of MiMi has been built using the cross-platform framework ElectronJS. 

“Iron Tiger compromised the server hosting the legitimate installers for this chat application for a supply chain attack,” says Trend Micro. 

Trend Micro has uncovered various rshell samples, including some targeting Linux. Prior samples were uploaded in June 2021. Further Sekoia wrote in its blog post that the campaign has all elements of a supply chain attack since the hackers control the host servers of the app.

“We noticed that a chat application named MiMi retrieved the rshell executable, an app we came across recently while investigating threat actor Earth Berberoka. We noticed Iron Tiger controlling the servers hosting the app installers of MiMi, suggesting a supply chain attack.” the trend microblog post read.