A newly uncovered cyber-espionage operation is exploiting vulnerabilities in the widely used WeChat app to deliver previously undetected spyware to Android and Windows devices belonging to Tibetan and Uyghur ethnic-minority communities in China. The operation, attributed to a group tracked as Earth Minotaur, uses the Moonshine exploit kit to deploy a backdoor named DarkNimbus, which steals data and monitors device activity, according to a blog post published today by researchers at Trend Micro. Moonshine has historically exploited flaws in the Chromium-based browser components embedded in Android instant-messaging apps; the latest version adds exploits for newer vulnerabilities and additional protections intended to hinder analysis by security researchers.
Earth Minotaur's attacks begin with carefully crafted chat messages that entice victims to click embedded malicious links. The lures are typically dressed up as government announcements, Chinese news topics such as COVID-19, stories about Tibetans and Uyghurs, or Chinese travel information. The attackers pose as a range of personas in chats to raise the success rate of their social engineering.
The operation's main payload, DarkNimbus, is a full-featured Android surveillance tool. It first gathers basic device information, installed-app data, and geolocation, then collects personal data such as contact lists, call records, SMS messages, clipboard content, browser bookmarks, and conversations from several messaging apps. DarkNimbus can also record calls, capture photos and screenshots, monitor file operations, and execute arbitrary commands, giving the attackers extensive control over the infected device.
Earth Minotaur is a newly identified threat actor, but not the first to use the Moonshine toolkit: a 2019 report tied Moonshine to a threat actor named Poison Carp. Researchers have found no direct link between Earth Minotaur and Poison Carp and treat them as separate entities. DarkNimbus was developed in 2018 yet was never observed in Poison Carp activity, which further distinguishes the two intrusion sets. Trend Micro has identified at least 55 active Moonshine exploit kit servers in use by threat actors across various campaigns.
The Moonshine exploit kit was first detected in a campaign targeting the Tibetan community and has also been linked to earlier malicious activity against Uyghurs. Both ethnic-minority groups face discrimination and surveillance by the Chinese government, which makes them prime targets for Earth Minotaur's operations. Earth Minotaur is suspected to be a China-backed advanced persistent threat (APT) group, but conclusive evidence for that attribution is currently lacking.
Earth Minotaur's tactics and its use of the Moonshine toolkit resemble two earlier threat campaigns. One, documented in 2022, distributed an Android malware called BadBazaar alongside Moonshine through Uyghur-language websites and social media platforms. BadBazaar later resurfaced in broader attacks against users in multiple countries, delivered through Trojanized versions of the Signal and Telegram messaging apps, a modus operandi similar to Earth Minotaur's.
To defend against such threats, Trend Micro recommends caution before clicking links in suspicious messages, since they can lead to malicious servers that compromise the device. Keeping applications updated to their latest versions is equally important, because Moonshine relies on known software vulnerabilities; updates deliver the patches that close those vulnerabilities and remove the exploit kit's footholds.