Luckymouse Takes aim at Windows, Linux Systems via Mimi Chat App

According to an advisory published by Trend Micro, the Luckymouse threat actor is said to have compromised the cross-platform messaging app MiMi to install backdoors on Windows, macOS and Linux.

Trend Micro explained that the attacker, who also identifies as Emissary Panda, APT27 and Bronze Union, modifies installer files and uses the armed version of the chat platform MiMi to install remote access trojan samples.

After modifying installer files, Luckymouse would download the weaponized version of MiMi and install remote access trojan (RAT) HyperBro samples for the Windows operating system and a Mach-O binary called “rshell” for Linux and macOS.

“While this was not the first time the technique was used, this latest development shows Iron Tiger’s interest in compromising victims using the three major platforms: Windows, Linux and macOS. While we were unable to identify all the targets, these targeting demographics demonstrate a geographical region of interest. Among those targets, we could only identify one of them, a Taiwanese gaming development company,” Trend Micro Advisory states.

In a separate advisory published by the security firm SEKOIA, the Luckymouse MiMi attack was attributed to Chinese actors.

“As this application’s use in China appears low, it is plausible it was developed as a targeted surveillance tool. It is also likely that, following social engineering carried out by the operator’s, targeted users are encouraged to download this application, purportedly to circumvent Chinese authorities’ censorship,” SEKOIA explained in its advisory.

The sources for this piece include an article in OODALOOP.