A previously undocumented threat activity cluster dubbed Earth Minotaur is leveraging the MOONSHINE exploit kit and a previously unreported backdoor called DarkNimbus, which exists in both Android and Windows variants, to conduct long-term surveillance operations against Tibetans and Uyghurs.
“Earth Minotaur uses MOONSHINE to deliver the DarkNimbus backdoor to Android and Windows devices, targeting WeChat, and possibly making it a cross-platform threat,” Trend Micro researchers Joseph C Chen and Daniel Lunghi said in an analysis published today.
“MOONSHINE exploits multiple known vulnerabilities in Chromium-based browsers and applications, requiring users to update software regularly to prevent attacks.”
Countries affected by Earth Minotaur’s attacks span Australia, Belgium, Canada, France, Germany, India, Italy, Japan, Nepal, the Netherlands, Norway, Russia, Spain, Switzerland, Taiwan, Turkey, and the U.S.
MOONSHINE first came to light in September 2019 as part of cyber attacks targeting the Tibetan community, with the Citizen Lab attributing its use to an operator it tracks under the moniker POISON CARP, which overlaps with threat groups Earth Empusa and Evil Eye.
MOONSHINE is an Android-focused exploit kit known to chain Chrome browser exploits in order to deploy payloads that siphon sensitive data from compromised devices. In particular, it includes code targeting Google Chrome, Naver, and instant messaging apps such as LINE, QQ, WeChat, and Zalo that embed an in-app browser, so a victim need only open a link inside the messaging app for the exploit to run.
Earth Minotaur, per Trend Micro, has no direct connections to Earth Empusa. Primarily targeting Tibetan and Uyghur communities, the threat actor has been found to use an upgraded version of MOONSHINE to infiltrate victim devices and subsequently infect them with DarkNimbus.
The new variant adds CVE-2020-6418 to its exploit arsenal, a type confusion vulnerability in the V8 JavaScript engine that Google patched in Chrome 80.0.3987.122 in February 2020 after it was found being exploited in the wild as a zero-day. Browser engines embedded inside apps are updated independently of the system browser, which is why a years-old, publicly patched bug remains useful to an exploit kit.
“Earth Minotaur sends carefully crafted messages via instant messaging apps to entice victims to click an embedded malicious link,” the researchers said. “They disguise themselves as different characters on chats to increase the success of their social engineering attacks.”
The phony links lead to one of at least 55 MOONSHINE exploit kit servers, which handle exploitation and the installation of the DarkNimbus backdoor on the target's device.
To avoid suspicion, these URLs masquerade as innocuous links, pretending to be China-related announcements or online videos of Tibetan or Uyghur music and dance.
“When a victim clicks on an attack link and is redirected to the exploit kit server, it reacts based on the embedded settings,” Trend Micro said. “The server will redirect the victim to the masqueraded legitimate link once the attack is over to keep the victim from noticing any unusual activity.”
Where the Chromium-based Tencent browser kernel is not susceptible to any of the exploits supported by MOONSHINE, the kit server is configured to return a phishing page instead. It warns the WeChat user that the in-app browser engine (XWalk, Tencent's customized Chromium-based kernel bundled with WeChat) is out of date and must be updated by clicking a provided download link.
What is offered is not an update but an older, exploitable build. Installing it downgrades the browser engine, at which point the MOONSHINE exploits for the reintroduced, unpatched flaws work again.
A successful attack causes a trojanized version of XWalk to be implanted on the Android device and replace its legitimate counterpart within the WeChat app, ultimately paving the way for the execution of DarkNimbus.
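As an added practitioner-side example (not code from the page or from Trend Micro), the check below parses the Chromium build number that WebView- and XWalk-style user-agents expose, flags engines older than the build that fixed CVE-2020-6418, and raises a separate finding when the same device later reports an older engine than it did before, which is the trace a successful downgrade would leave in proxy logs. The log format, device identifiers and sample lines are constructed assumptions; the fixed build number, Chrome 80.0.3987.122, is Google's February 2020 stable release.

```python
"""Check Chromium-based in-app browser engines against the CVE-2020-6418 fix
and flag engine downgrades per device.

Added example, not code from the page or from Trend Micro. The log lines and
device identifiers below are constructed for illustration, and the log format
"<device_id> <user_agent>" is an assumption. The fixed build number comes from
Google's February 2020 Chrome stable release (80.0.3987.122).
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]

# First Chrome stable build shipped with the CVE-2020-6418 fix.
FIXED_BUILD: Version = (80, 0, 3987, 122)

# Chromium-derived engines (Chrome, Android WebView, Tencent's XWalk) report the
# engine build in the standard "Chrome/<major>.<minor>.<build>.<patch>" token.
_CHROME_TOKEN = re.compile(r"Chrome/(\d+)\.(\d+)\.(\d+)\.(\d+)")


def chromium_version(user_agent: str) -> Optional[Version]:
    """Return the Chromium build advertised in a user-agent, or None if absent."""
    m = _CHROME_TOKEN.search(user_agent)
    if not m:
        return None
    major, minor, build, patch = (int(x) for x in m.groups())
    return (major, minor, build, patch)


def fmt(v: Version) -> str:
    return ".".join(str(x) for x in v)


def is_vulnerable(user_agent: str) -> bool:
    """True when the engine build predates the CVE-2020-6418 fix."""
    v = chromium_version(user_agent)
    return v is not None and v < FIXED_BUILD


def scan(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Walk "<device_id> <user_agent>" lines in time order.

    Emits (device_id, reason) findings for two conditions:
      * the engine build is older than the CVE-2020-6418 fix;
      * the same device previously reported a newer build, i.e. its in-app
        engine was downgraded, which is what the bogus XWalk "update" produces.
    """
    last_seen: Dict[str, Version] = {}
    findings: List[Tuple[str, str]] = []
    for line in log_lines:
        device, _, ua = line.strip().partition(" ")
        v = chromium_version(ua)
        if v is None:  # not a Chromium-derived engine; nothing to compare
            continue
        if v < FIXED_BUILD:
            findings.append((device, f"engine {fmt(v)} predates CVE-2020-6418 fix"))
        prev = last_seen.get(device)
        if prev is not None and v < prev:
            findings.append((device, f"engine downgrade {fmt(prev)} -> {fmt(v)}"))
        last_seen[device] = v
    return findings


# Constructed sample log: device id followed by the in-app browser user-agent.
SAMPLE_LOG = [
    "dev-A Mozilla/5.0 (Linux; Android 10; Pixel 3) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Version/4.0 Chrome/86.0.4240.99 Mobile Safari/537.36 MicroMessenger/7.0.20",
    "dev-B Mozilla/5.0 (Linux; Android 9; SM-G960F) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 MicroMessenger/7.0.10",
    # dev-A after installing the "update" offered by the phishing page
    "dev-A Mozilla/5.0 (Linux; Android 10; Pixel 3) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 MicroMessenger/7.0.20",
    "dev-C Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0",
]

if __name__ == "__main__":
    for device, reason in scan(SAMPLE_LOG):
        print(device, reason)
```

The fixed build is a floor, not a guarantee: MOONSHINE carries exploits for other Chromium bugs besides CVE-2020-6418, so an engine at or above 80.0.3987.122 is only safe against that one flaw, and an engine that masks or omits the Chrome token is skipped rather than cleared. The downgrade finding is the more durable signal, since it does not depend on knowing which bugs the kit currently holds.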
Believed to have been developed and actively updated since 2018, the backdoor uses the XMPP protocol to communicate with an attacker-controlled server and supports an exhaustive list of commands to hoover up valuable information, including device metadata, screenshots, browser bookmarks, phone call history, contacts, SMS messages, geolocation, files, clipboard content, and the list of installed apps.
It’s also capable of executing shell commands, recording phone calls, taking pictures, and abusing Android’s accessibility services permissions to collect messages from DingTalk, MOMO, QQ, Skype, TalkBox, Voxer, WeChat, and WhatsApp. Last but not least, it can uninstall itself from the infected phone.
Trend Micro said it also detected a Windows version of DarkNimbus that was likely put together between July and October 2019 but only used more than a year later in December 2020.
It lacks many of the features of its Android variant, but incorporates a wide range of commands to gather system information, the list of installed apps, keystrokes, clipboard data, saved credentials and history from web browsers, as well as read and upload file content.
Even though the exact origins of Earth Minotaur are presently unclear, the diversity of the observed infection chains, combined with highly capable malware tooling, points to a well-resourced and sophisticated threat actor.
“MOONSHINE is a toolkit that is still under development and has been shared with multiple threat actors including Earth Minotaur, POISON CARP, UNC5221, and others,” Trend Micro theorized.