'Earth Minotaur' Exploits WeChat Bugs, Sends Spyware to Uyghurs

A newly identified cyber-threat operation is using a known exploit kit to target security vulnerabilities in the popular WeChat app, to deliver previously unreported spyware to both Android and Windows devices belonging to the Tibetan and Uyghur ethnic-minority communities in China.

A group that researchers at Trend Micro are tracking as Earth Minotaur is wielding the Moonshine exploit kit, which first surfaced in 2019, to deliver a backdoor called DarkNimbus. The malware can steal data and monitor device activity, they revealed in a blog post published today, while Moonshine typically targets vulnerabilities in instant messaging apps on Android devices to deliver the malware. It also exploits multiple known vulnerabilities in Chromium-based browsers. The latest version of the kit discovered by Trend Micro has been upgraded with "newer vulnerabilities and more protections to deter analysis of security researchers," the researchers wrote.

The attacks begin as carefully crafted messages aiming to lure victims into clicking on an embedded malicious link, which typically claims to be related to government announcements; relevant Chinese news topics, such as COVID-19, religion, or stories about Tibetans or Uyghurs; or Chinese travel information. Attackers "disguise themselves as different characters on chats to increase the success of their social engineering attacks," the researchers wrote.

Related:Governments, Telcos Ward Off China's Hacking Typhoons

The ultimate payload, DarkNimbus, is "a comprehensive Android surveillance tool" that starts by collecting basic information from the infected device, installed apps, and geolocation systems. It goes on to steal personal information, including contact lists, phone call records, SMS, clipboard content, browser bookmarks, and conversations from multiple messaging apps. DarkNimbus also can record calls, take photos and screenshots, file operations, and execute commands, the researchers added.

Novel Cyberattack Actor, Familiar Tools & Targets

The researchers believe Earth Minotaur is a new threat actor, though the group isn't the first to use the Moonshine toolkit, they wrote.

"In the first report of Moonshine exploit kit in 2019, the threat actor using the toolkit was named Poison Carp," according to the post. However, the researchers did not find connections between Earth Minotaur and that group, they said.

"The backdoor DarkNimbus had been developed in 2018 but was not found in any of Poison Carp's previous activity," the researchers wrote. "Therefore, we categorize them as two different intrusion sets." At this time, there are at least 55 Moonshine exploit kits being actively used by threat actors in the wild, they said.

Related:'Termite' Ransomware Likely Behind Cleo Zero-Day Attacks

Moonshine was first discovered as part of a malicious campaign against the Tibetan community, and it's also associated with previous malicious activity against Uyghurs. Both groups are ethic minorities in China that face discrimination and surveillance by the Chinese government, and both are the key targets of Earth Minotaur, the researchers said. While it's likely the group is an advanced persistent threat (APT) backed by China, the researchers did not have enough evidence to make a definitive connection, they said.

Defending Against Persistent Threats

Earth Minotaur's activities and use of Moonshine share similarities with two previously identified threat campaigns. One, identified in 2002, spread an Android malware called BadBazaar along with Moonshine via Uyghur-language sites and social media.

BadBazaar then resurfaced later in broader attacks against users in several countries that delivered the malware via Trojanized versions of the Signal and Telegram messaging apps, in an attack vector similar to the one Earth Minotaur was seen employing.

To prevent similar attacks, Trend Micro suggested some basics. One, that people exercise caution when clicking on links embedded on suspicious messages, "as these may lead to malicious servers like those of Moonshine compromising their devices," the researchers wrote.

Related:Scottish Parliament TV at Risk From Deepfakes

They also recommended regularly updating applications to the latest versions, as Moonshine takes advantage of flaws to conduct its malicious activities.

"These updates offer essential security improvements to protect against known vulnerabilities," the researchers wrote.