We have confirmed that both the legitimate and malicious versions of the chat installer are unsigned, which means MiMi chat users were probably used to all those extra steps to finally install the app despite all the caveats. mad macOS.
The HyperBro malware family has been around since 2017 and has been thoroughly analyzed. It was updated in mid-2019, which we described in detail in our article on the DRBControl operation.
The version used in this campaign is no different from the one we have already described in our previous Iron Tiger investigation. The only noteworthy item is the Authenticode signature of dlpprem32.dll, which is signed by a (now) revoked certificate belonging to “Cheetah Mobile Inc.” The said company was formerly known as Kingsoft Internet Software Holdings Limited, where during our previous investigation of the group, we have already found one HyperBro DLL signed by a certificate belonging to Kingsoft.
We found 13 different targets by tracking data from our sensors. The only countries targeted were Taiwan and the Philippines: five HyperBro targets (four in Taiwan and one in the Philippines). During this time, we found eight targets for rshell: six in Taiwan, one in the Philippines, and one in Taiwan and the Philippines.
While we were unable to identify all targets, these targeting demographics demonstrate a geographic region of interest to Iron Tiger. Of these targets, we were only able to identify one: a Taiwanese game development company. Interestingly, we found a sample of the Reptile rootkit framework at this same company, along with network requests to a subdomain belonging to the Earth Berberoka infrastructure.
We also noticed network requests from a Taiwanese IT development company to the subdomain trust[.]very SSL[.]organd the subdomain centre.veryssl[.]org is a C&C for one of the rshell samples we found. This suggests that the business could be compromised by the same threat actor.
- June 2021: Oldest Linux rshell sample found
- November 2021: Threat actor modified Windows MiMi chat installer version 2.2.0 to download and run HyperBro backdoor
- May 2021: Threat actor modified Mac OS MiMi chat installer version 2.3.0 to download and run ‘rshell’ backdoor
Award and Conclusion
We attribute this campaign to Iron Tiger for several reasons. First the dlpprem32.dll The file linked to HyperBro shares some characteristics (especially the emphasis, the RICH header) with the previous samples already assigned to the group. Additionally, the filenames involved in decoding and loading HyperBro are similar to those we witnessed during our investigation last year.
Second, one of the Linux rshell examples used IP address 45[.]142[.]214[.]193 as its C&C. In 2020, this IP address had a particular reverse DNS: nbaya0u2[.]Example[.]com. During our investigation of Operation DRBControl, we found a HyperBro sample that had 138[.]124[.]180[.]108 as its C&C. This second IP address had nbaya0u1[.]Example[.]com like its reverse DNS. However, since the rshell sample was found in 2021, we initially did not find this correlation strong enough to attribute the rshellmalware family to Iron Tiger.
Despite the fact that the same state-sponsored threat actors tend to share their malicious tools (such as gh0st, PlugX, and Shadowpad), this is not the case for HyperBro as far as we know. The fact that we found this malware being used in this campaign is an additional indicator pointing to Iron Tiger.
We also found links to Earth Berberoka. In one of the victims where we found a sample of rshell, we also found a binary belonging to the Reptile rootkit framework, a rootkit identified as part of Earth Berberoka’s arsenal. We have also noticed network communications from this victim to a subdomain of Earth Berberoka, which suggests that it may have been previously compromised by this threat actor. We noticed a different system in the same situation, as well as the network connections to the subdomain trust[.]very SSL[.]org domain name. One of the rshell samples had center[.]very SSL[.]org like the C&C. Both results suggest that these victims could be compromised by both threat actors, or that Earth Berberoka is actually a subgroup of Iron Tiger. As a reminder, while investigating Earth Berberoka, we found several links to Iron Tiger which we detailed in our research.
Indicators of Compromise (IOC)
You can find the list of IOCs here.