Iron Tiger Compromises Chat Application Mimi, Targets Windows, Mac, and Linux Users

Iron Tiger trojanized the installers of the Mimi chat application, a supply chain compromise that delivered the HyperBro backdoor on Windows and the rshell backdoor on macOS and Linux. The campaign covers all three desktop platforms, hides its injected JavaScript with a packer, and uses C2 infrastructure that overlaps with Earth Berberoka and the Reptile rootkit. hashtags: #IronTiger #EmissaryPanda #APT27 #BronzeUnion #Luckymouse #Mimi #HyperBro #rshell #EarthBerberoka #ReptileRootkit #DESlock+ #CheetahMobile

Keypoints

  • Iron Tiger controlled the servers hosting Mimi’s installers and trojanized them, so a legitimate download became a supply chain attack that delivered backdoors.
  • The operation targets Windows, macOS, and Linux, with 13 identified targets in Taiwan and the Philippines.
  • Malicious code was injected into the legitimate Electron-based installers by modifying electron-main.js; the inserted JavaScript is obfuscated with the Dean Edwards packer (p.a.c.k.e.r), recognizable by its eval(function(p,a,c,k,e,d) prologue.
  • On Windows, the payload was loaded by DLL side-loading into the legitimate, signed DESlock+ executable, with the executable and its side-loaded files dropped into a temp directory.
  • The rshell backdoor (macOS/Linux) collects OS information (GUID, computer name, IP addresses, username, OS version) and exchanges BSON-encoded messages with its C2 over plain TCP with no transport encryption, so the traffic is readable on the wire; the protocol includes keepalive messages and shell and file commands.
  • The macOS installer is unsigned, so Gatekeeper warns on launch; running the trojanized DMG required the user to override the warning manually in Security & Privacy.
  • The campaign shows infrastructure and tooling overlaps with Earth Berberoka and the Reptile rootkit; C2 and staging used the domains trust.veryssl.org and center.veryssl.org together with the related IP addresses listed below.

MITRE Techniques

  • [T1195] Supply Chain Compromise – The attackers controlled the servers hosting the Mimi installers and delivered trojanized installers for Windows, macOS and Linux. ‘We found Iron Tiger controlling the servers hosting the app installers of MiMi, suggesting a supply chain attack.’
  • [T1574.002] Hijack Execution Flow: DLL Side-Loading – The attackers loaded their DLL by side-loading it into a legitimate, signed executable from the DESlock+ product. ‘This is the typical way that this threat actor loads its files, exploiting DLL side-loading vulnerabilities in legitimate and usually signed executables.’
  • [T1027] Obfuscated Files or Information – The code inserted into electron-main.js is obfuscated with the Dean Edwards packer. ‘beginning with “eval(function(p,a,c,k,e,d)”…Dean Edwards packer.’
  • [T1105] Ingress Tool Transfer – On macOS, the inserted code downloads the rshell payload from a remote host and executes it. ‘the inserted code downloads rshell from the IP address 139[.]180[.]216[.]65 and executes it once run on the macOS platform.’
  • [T1082] System Information Discovery – The rshell backdoor collects and sends OS information such as GUID, computer name, IP addresses, username, and version. ‘The OS information collection routine gathers the following information: GUID… computer name… IP addresses… username… version.’
  • [T1041] Exfiltration Over C2 Channel – Collected data is packed in BSON and sent to the C2 over the same unencrypted TCP connection used for command and control. ‘packs them into a Binary JSON (BSON) message and sends it over TCP to the C&C in clear (unencrypted) form.’
  • [T1553.002] Subvert Trust Controls: Code Signing – The side-loaded HyperBro DLL dlpprem32.dll carries an Authenticode signature from a now-revoked certificate issued to Cheetah Mobile Inc.; a revoked signature no longer passes a trust check, but the mere presence of a signature can still mislead a cursory review. ‘Authenticode signature of dlpprem32.dll… signed by a (now) revoked certificate belonging to “Cheetah Mobile Inc.”.’
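The Keypoints and the T1027 entry above both describe the code injected into electron-main.js as packed with the Dean Edwards packer. The script below is an added example, not code from the report or from Trend Micro: it flags the eval(function(p,a,c,k,e,d) prologue and statically reverses the packer's word-substitution scheme, so an analyst can read the injected code without executing any of it. The packed sample embedded in the script is constructed for illustration (a small darwin-gated snippet with a made-up CMD placeholder, packed by hand in the same format); it is not the real injected code.

```python
import re
import string

# Prologue the report quotes as the tell-tale of the Dean Edwards packer.
PACKER_PROLOGUE = re.compile(
    r"eval\s*\(\s*function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e\s*,\s*d\s*\)"
)

# The packer's trailing call: }('payload', radix, count, 'kw1|kw2|...'.split('|'), ...)
PACKER_CALL = re.compile(
    r"\}\s*\(\s*'((?:[^'\\]|\\.)*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*"
    r"'((?:[^'\\]|\\.)*)'\s*\.split\(\s*'\|'\s*\)",
    re.DOTALL,
)

# Symbol table of the packer's e(c) encoder: 0-9a-z, then A-Z for radix 37..62.
_ALPHABET = string.digits + string.ascii_lowercase + string.ascii_uppercase


def is_packed(js: str) -> bool:
    """True if the text carries the p.a.c.k.e.r prologue."""
    return PACKER_PROLOGUE.search(js) is not None


def _unbase(token: str, radix: int):
    """Inverse of the packer's e(c) for radix <= 62; None if token is not an encoded word."""
    n = 0
    for ch in token:
        v = _ALPHABET.find(ch)
        if v < 0 or v >= radix:
            return None
        n = n * radix + v
    return n


def _unescape_js_string(s: str) -> str:
    """Resolve the escapes the packer emits inside its single-quoted payload literal."""
    simple = {"n": "\n", "r": "\r", "t": "\t"}
    return re.sub(r"\\(.)", lambda m: simple.get(m.group(1), m.group(1)), s, flags=re.DOTALL)


def unpack(js: str) -> str:
    """Statically decode a p.a.c.k.e.r blob: every \\w+ token in the payload is a
    base-`radix` index into the keyword list; an empty keyword means 'unchanged'."""
    m = PACKER_CALL.search(js)
    if m is None:
        raise ValueError("no p.a.c.k.e.r call found")
    payload, radix, count, keywords = m.group(1), int(m.group(2)), int(m.group(3)), m.group(4)
    if radix > 62:
        raise ValueError("radix %d is the packer's high-ASCII mode, not handled here" % radix)
    words = keywords.split("|")
    payload = _unescape_js_string(payload)

    def restore(tok):
        idx = _unbase(tok.group(0), radix)
        if idx is None or idx >= count or idx >= len(words) or not words[idx]:
            return tok.group(0)
        return words[idx]

    return re.sub(r"\b\w+\b", restore, payload, flags=re.ASCII)


# Constructed sample (not the real injected code): a darwin-gated snippet with a
# placeholder CMD, hand-packed with the standard packer header, radix 10, 9 words.
SAMPLE_PACKED = r"""eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('0 1=2(\'1\');\n3(1.4()===\'5\'){2(\'6\').7(8);}',10,9,'const|os|require|if|platform|darwin|child_process|exec|CMD'.split('|'),0,{}))"""


if __name__ == "__main__":
    if is_packed(SAMPLE_PACKED):
        print(unpack(SAMPLE_PACKED))
```

Decoding statically matters here: the quick alternative, stripping the leading eval and letting a JavaScript engine evaluate the remaining function call, executes the attacker-supplied packer body, and a tampered body can do more than string substitution. The decoder covers radix up to 62, which is the common case; the packer's high-ASCII mode is refused rather than silently misdecoded.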

Indicators of Compromise

  • [IP address] – Delivery and C2 endpoints: 139.180.216.65 (macOS rshell download), 45.142.214.193 (C2), and 138.124.180.108 (C2).
  • [Domain] – Infrastructure domains used for C2 or staging: trust.veryssl.org, center.veryssl.org, nbaya0u1.example.com, nbaya0u2.example.com.
  • [File name] – Dropped/injected files: electron-main.js (modified installer script), 2.3.2.dmg (macOS installer), 2.2.0.exe (Windows installer), and dlpprem32.dll (side-loaded HyperBro DLL).
  • [Malware] – Backdoors: HyperBro (Windows), rshell (macOS/Linux).
  • [Digital certificate] – Revoked code signing certificate artifacts tied to Cheetah Mobile Inc. (dlpprem32.dll).

Read more: https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html