A previously undocumented threat cluster dubbed Earth Minotaur is using the MOONSHINE exploit kit and a previously unreported Android and Windows backdoor called DarkNimbus to facilitate long-term surveillance operations against Tibetans and Uyghurs.
“Earth Minotaur uses MOONSHINE to deliver the DarkNimbus backdoor to Android and Windows devices, targeting WeChat and potentially making it a cross-platform threat,” Trend Micro researchers Joseph C. Chen and Daniel Lunghi said in an analysis published today.
“MOONSHINE exploits many known vulnerabilities in Chromium-based browsers and applications, requiring users to regularly update their software to prevent attacks.”
Countries affected by Earth Minotaur attacks include Australia, Belgium, Canada, France, Germany, India, Italy, Japan, Nepal, the Netherlands, Norway, Russia, Spain, Switzerland, Taiwan, Turkey, and the United States.
MOONSHINE was first documented in September 2019, in cyber attacks targeting the Tibetan community. Citizen Lab attributed its use to an operator it tracks as POISON CARP, which overlaps with the threat groups Earth Empusa and Evil Eye.
MOONSHINE is an Android-focused exploit kit that weaponizes various Chrome (Chromium) vulnerabilities to deploy payloads capable of siphoning sensitive data from compromised devices. In particular, it targets Google Chrome, Naver, and instant messaging apps such as LINE, QQ, WeChat, and Zalo, all of which embed a browser (WebView) within the application.
Earth Minotaur, according to Trend Micro, has no direct connection to Earth Empusa. The threat actor, which mainly targets the Tibetan and Uyghur communities, has been found using an upgraded version of MOONSHINE to compromise victims’ devices and then infect them with DarkNimbus.
The new variant adds CVE-2020-6418 to its arsenal of exploits, a type confusion vulnerability in the V8 JavaScript engine that Google patched in February 2020 after reports that it was being exploited as a zero-day.
“Earth Minotaur sends carefully crafted messages via instant messaging programs to encourage victims to click on an embedded malicious link,” the researchers said. “They masquerade as different personas in chat rooms to increase the success of their social engineering attacks.”
The malicious links lead to one of at least 55 MOONSHINE exploit servers, which in turn install the DarkNimbus backdoor on targeted devices.
In a further attempt at deception, these URLs masquerade as seemingly innocuous links, displaying China-related advertisements or online videos of Tibetan or Uyghur music and dance.
“When the victim clicks on the attack link and is redirected to the exploit server, it responds based on built-in settings,” Trend Micro said. “The server will redirect the victim to a disguised legitimate link once the attack is over so that the victim does not notice any unusual activity.”
In situations where the WeChat app’s embedded Chromium-based browser (a custom build of Android WebView that Tencent calls XWalk) is not susceptible to any of the exploits MOONSHINE supports, the kit’s server is configured to return a phishing page warning the WeChat user that the in-app browser is outdated and needs to be updated by clicking on the download link provided.
This leads to a browser engine downgrade attack that allows the threat actor to exploit unpatched security flaws in the replacement engine via the MOONSHINE platform.
A successful attack results in a trojanized version of XWalk being implanted on the Android device, replacing its legitimate counterpart within the WeChat app and ultimately paving the way for DarkNimbus to execute.
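The landing-page behaviour described above hinges on one decision: is the Chromium engine embedded in the victim’s messaging app old enough for the kit’s exploits, or does the server have to fall back to the “update your browser” lure? The version gate below is an added illustration of that check written from the defender’s side, not code from MOONSHINE or from Trend Micro’s report. It parses the Chromium build out of an Android WebView / WeChat User-Agent and flags clients whose engine predates the CVE-2020-6418 fix, so a proxy log can be scanned for in-app browsers that would have been exploitable rather than lured. The only external fact it relies on is that Chrome 80.0.3987.122 was the first stable build carrying that fix; the User-Agent strings are constructed for the example.

```python
"""Defender-side version gate for embedded Chromium engines (added example, not MOONSHINE code).

Fact used: Google shipped the fix for CVE-2020-6418 in Chrome 80.0.3987.122 (February 2020).
Everything else here, including the User-Agent samples, is constructed for illustration.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# First Chromium build that contains the CVE-2020-6418 fix.
CVE_2020_6418_FIXED: Tuple[int, int, int, int] = (80, 0, 3987, 122)

# Chromium advertises its full four-part build in every WebView/Chrome User-Agent.
_CHROME_RE = re.compile(r"\bChrome/(\d+)\.(\d+)\.(\d+)\.(\d+)")
# Android WebView adds a bare "wv" token, e.g. "...; Build/XYZ; wv) AppleWebKit...".
_WEBVIEW_RE = re.compile(r"\bwv\b")
# WeChat appends MicroMessenger/<version> when a link opens in its in-app browser.
_WECHAT_RE = re.compile(r"MicroMessenger/([\d.]+)")


class UAProfile(NamedTuple):
    chrome_version: Optional[Tuple[int, int, int, int]]
    is_webview: bool
    wechat_version: Optional[str]


def parse_user_agent(ua: str) -> UAProfile:
    """Extract the embedded Chromium build plus WebView/WeChat markers from a User-Agent."""
    m = _CHROME_RE.search(ua)
    version = tuple(int(x) for x in m.groups()) if m else None
    wechat = _WECHAT_RE.search(ua)
    return UAProfile(version, bool(_WEBVIEW_RE.search(ua)), wechat.group(1) if wechat else None)


def predates_cve_2020_6418_fix(ua: str) -> Optional[bool]:
    """True if the engine is older than the fixed build, False if not, None if no Chromium version."""
    profile = parse_user_agent(ua)
    if profile.chrome_version is None:
        return None
    # Tuple comparison gives a correct lexicographic build comparison (80.0.3987.99 < 80.0.3987.122).
    return profile.chrome_version < CVE_2020_6418_FIXED


def exposed_wechat_clients(user_agents: List[str]) -> List[str]:
    """Return the User-Agents of WeChat in-app browsers whose engine predates the fix.

    These are the clients an exploit server could serve an exploit to directly; WeChat clients
    on a patched engine would instead receive the 'browser outdated' downgrade lure.
    """
    return [
        ua for ua in user_agents
        if parse_user_agent(ua).wechat_version is not None and predates_cve_2020_6418_fix(ua)
    ]


# Constructed samples (not real captured traffic): two WeChat in-app browsers, one plain
# Chrome on Android, one desktop Chrome on the first fixed build, and one non-browser client.
SAMPLE_USER_AGENTS = [
    "Mozilla/5.0 (Linux; Android 9; MI 8 Build/PKQ1.180729.001; wv) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Version/4.0 Chrome/77.0.3865.120 Mobile Safari/537.36 MicroMessenger/7.0.10",
    "Mozilla/5.0 (Linux; Android 11; Pixel 4 Build/RQ1A.201205.003; wv) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Version/4.0 Chrome/86.0.4240.198 Mobile Safari/537.36 MicroMessenger/8.0.2",
    "Mozilla/5.0 (Linux; Android 10; SM-G973F) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/80.0.3987.99 Mobile Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/80.0.3987.122 Safari/537.36",
    "curl/7.68.0",
]

if __name__ == "__main__":
    for ua in SAMPLE_USER_AGENTS:
        print(predates_cve_2020_6418_fix(ua), parse_user_agent(ua))
    print("exposed WeChat clients:", len(exposed_wechat_clients(SAMPLE_USER_AGENTS)))
```

Run over real proxy or web-server logs, the `exposed_wechat_clients` list is the population that would have been exploited outright by a kit carrying CVE-2020-6418; clients that appear with a WeChat marker and a patched engine are the ones to check for a subsequent `.apk` download, since that is the path the downgrade lure takes. Note that the check is deliberately exact on the four-part build: a major-version-only comparison would misclassify 80.0.3987.99 as safe.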
The backdoor, believed to have been developed and actively updated since 2018, uses the XMPP protocol to communicate with an attacker-controlled server and supports an extensive list of commands to collect valuable information, including device metadata, screenshots, browser bookmarks, phone call history, contacts, SMS messages, geolocation, files, clipboard contents, and the list of installed apps.
It can also execute shell commands, record phone calls, take photos, and abuse Android accessibility services permissions to collect messages from DingTalk, MOMO, QQ, Skype, TalkBox, Voxer, WeChat, and WhatsApp. Last but not least, it can uninstall itself from the infected phone.
Trend Micro said it also discovered a Windows version of DarkNimbus that was likely created between July and October 2019 but was only observed in use more than a year later, in December 2020.
It lacks many of the features of its Android counterpart but includes a wide range of commands to collect system information, the list of installed programs, keystrokes, clipboard data, saved credentials and browsing history from web browsers, and to read and download file contents.
While the exact origin of Earth Minotaur is currently unclear, the variety of observed infection chains combined with highly effective malware tools indicates that it is a sophisticated threat.
“MOONSHINE is a toolkit that is still under development and has been shared by many threat actors, including Earth Minotaur, POISON CARP, UNC5221, and others,” Trend Micro said.