A previously undocumented threat activity cluster, dubbed Earth Minotaur, actively leverages the MOONSHINE exploit kit and an unreported Android-cum-Windows backdoor called DarkNimbus to carry out long-term surveillance operations targeting Tibetans and Uyghurs.
“Earth Minotaur uses MOONSHINE to deliver the DarkNimbus backdoor to Android and Windows devices, targeting WeChat and possibly turning it into a cross-platform threat,” said Trend Micro researchers Joseph C. Chen and Daniel Lunghi in a published analysis.
“MOONSHINE exploits multiple known vulnerabilities in Chromium-based browsers and applications, urging users to update software regularly to block attacks.”
Earth Minotaur’s attacks affect countries including Australia, Belgium, Canada, France, Germany, India, Italy, Japan, Nepal, the Netherlands, Norway, Russia, Spain, Switzerland, Taiwan, Turkey, and the U.S.
MOONSHINE first surfaced in September 2019 during cyberattacks against the Tibetan community. The Citizen Lab attributed its use to an operator tracked as POISON CARP, which overlaps with threat groups Earth Empusa and Evil Eye.
As an Android-based exploit kit, MOONSHINE actively employs various Chrome browser exploits to deploy payloads designed to extract sensitive data from compromised devices. Notably, it includes code that targets several applications, such as Google Chrome, Naver, and instant messaging apps like LINE, QQ, WeChat, and Zalo, which embed an in-app browser.
According to Trend Micro, Earth Minotaur shows no direct connections to Earth Empusa. By primarily targeting Tibetan and Uyghur communities, the threat actor employs an upgraded version of MOONSHINE to infiltrate victim devices and infect them with DarkNimbus.
The new MOONSHINE variant expands its exploit arsenal by including CVE-2020-6418, a type confusion vulnerability in the V8 JavaScript engine that Google patched in February 2020 after it was weaponized as a zero-day.
“Earth Minotaur crafts messages tailored for instant messaging apps to lure victims into clicking embedded malicious links,” the researchers said. “They impersonate various characters in chats to increase the effectiveness of their social engineering attacks.”
The fake links direct victims to one of at least 55 MOONSHINE exploit kit servers, which handle the installation of the DarkNimbus backdoor on the targeted devices.
To deceive victims, these URLs cleverly pose as benign links, often disguised as China-related announcements or online videos showcasing Tibetan or Uyghur music and dances.
“When victims click on an attack link and land on the exploit kit server, the server reacts according to its embedded settings,” Trend Micro said. “After completing the attack, the server redirects victims to the disguised legitimate link to prevent them from detecting any suspicious activity.”
If the device’s Chromium-based Tencent browser is not vulnerable to any of the exploits MOONSHINE carries, the kit server instead delivers a phishing page aimed at WeChat users. The page warns them that the in-app browser (XWalk, a customized build of Android WebView) is outdated and must be updated via a supplied download link.
Installing that “update” replaces the engine with an older build, a browser engine downgrade attack that reintroduces vulnerabilities the MOONSHINE framework can then exploit.
A successful attack implants a trojanized version of XWalk onto the Android device, replacing its legitimate counterpart within the WeChat app. This replacement facilitates the execution of DarkNimbus.
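The attack chain above works because the in-app browser is allowed to stay (or be pushed back to) an engine build older than Google's fix. One defender-side check is to look at what your own proxy or gateway logs say about Chromium engine versions. The following is an added example, not code from the article or from Trend Micro: it parses constructed proxy log lines, extracts the Chromium version from each User-Agent, and flags engines older than the build that fixed CVE-2020-6418. The log format, the sample lines, and the assumption that the fix shipped in Chrome 80.0.3987.122 (taken from Chrome's release notes, not from the article) are all mine; WeChat's in-app browser is recognised only by its MicroMessenger User-Agent token.

```python
import re
from typing import Optional, Tuple

# Assumption, not from the article: Chrome 80.0.3987.122 (February 2020) is the
# release that shipped Google's fix for CVE-2020-6418. Pass a different tuple to
# is_vulnerable() if your reference differs.
CVE_2020_6418_FIXED: Tuple[int, int, int, int] = (80, 0, 3987, 122)

_CHROME_RE = re.compile(r"\bChrome/(\d+(?:\.\d+){0,3})")
_WECHAT_RE = re.compile(r"\bMicroMessenger/")


def chromium_version(user_agent: str) -> Optional[Tuple[int, int, int, int]]:
    """Return the Chromium version in a User-Agent as a 4-tuple, or None if absent."""
    m = _CHROME_RE.search(user_agent)
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad short versions (e.g. "Chrome/80") so tuples compare component-wise.
    return parts + (0,) * (4 - len(parts))


def is_vulnerable(user_agent: str,
                  fixed: Tuple[int, int, int, int] = CVE_2020_6418_FIXED) -> Optional[bool]:
    """True if the engine predates the fix, False if patched, None if not Chromium."""
    version = chromium_version(user_agent)
    if version is None:
        return None
    return version < fixed


# Constructed proxy log lines: '<timestamp> <client-ip> <host> "<user-agent>"'.
# Hosts and addresses are placeholders; the User-Agents are illustrative only.
SAMPLE_LOG = """\
2024-11-03T09:14:02Z 10.0.0.21 example.invalid "Mozilla/5.0 (Linux; Android 10; SM-G960F) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.62 Mobile Safari/537.36 MicroMessenger/7.0.19"
2024-11-03T09:14:05Z 10.0.0.22 example.invalid "Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.66 Mobile Safari/537.36"
2024-11-03T09:14:09Z 10.0.0.23 example.invalid "Mozilla/5.0 (Linux; Android 9; MI 8) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/80.0.3987.87 Mobile Safari/537.36 MicroMessenger/7.0.12"
2024-11-03T09:14:12Z 10.0.0.24 example.invalid "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 MicroMessenger/8.0.42"
"""

_LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')


def flag_outdated_clients(log_text: str):
    """Return one record per log line whose Chromium engine predates the fix.

    Lines without a Chromium token (e.g. iOS WebKit) are skipped rather than
    flagged, because the version check does not apply to them.
    """
    hits = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue
        ts, client, host, ua = m.groups()
        if is_vulnerable(ua):
            version = chromium_version(ua)
            hits.append({
                "time": ts,
                "client": client,
                "host": host,
                "chromium": ".".join(map(str, version)),
                "wechat_inapp": bool(_WECHAT_RE.search(ua)),
            })
    return hits


if __name__ == "__main__":
    for hit in flag_outdated_clients(SAMPLE_LOG):
        print(hit)
```

On the constructed sample, two of the four clients are flagged: the Chrome/78 and Chrome/80.0.3987.87 WeChat in-app browsers, both older than the fixed build. The fully patched Chrome/119 client and the iOS WebKit client are not reported. The same comparison can be re-run against any other fixed-version tuple by passing it to `is_vulnerable()`.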
First developed in 2018 and actively updated since then, the DarkNimbus backdoor uses the XMPP protocol to communicate with an attacker-controlled server. It supports a wide range of commands to exfiltrate valuable data, including device metadata, screenshots, browser bookmarks, call history, contacts, SMS messages, geolocation, files, clipboard content, and a list of installed apps.
DarkNimbus also executes shell commands, records phone calls, takes pictures, and exploits Android’s accessibility services permissions to capture messages from platforms such as DingTalk, MOMO, QQ, Skype, TalkBox, Voxer, WeChat, and WhatsApp. Finally, it can uninstall itself from the infected device.
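Because the message capture described above runs through Android's accessibility services, one concrete check on a device under investigation is to list which accessibility services are currently enabled and compare them with an allowlist. The following is an added example, not code from the article or from Trend Micro: it parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -f` (both are real Android commands; the sample outputs embedded here are constructed, and the package `com.example.xwalkupdate` is a placeholder, not a real indicator), then reports any enabled service whose package is not on an allowlist that is itself an assumption.

```python
import re
from typing import Dict, List, Tuple

# Constructed output of `adb shell settings get secure enabled_accessibility_services`.
# Android stores this as a colon-separated list of package/class pairs; a class
# beginning with "." is shorthand for the package name followed by that suffix.
SAMPLE_ENABLED = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.xwalkupdate/.MsgCaptureService"  # placeholder package, not a real IoC
)

# Constructed output of `adb shell pm list packages -f` (APK path = package name).
SAMPLE_PACKAGES = """\
package:/system/app/TalkBack/TalkBack.apk=com.google.android.marvin.talkback
package:/data/app/com.example.xwalkupdate-1/base.apk=com.example.xwalkupdate
package:/data/app/com.tencent.mm-1/base.apk=com.tencent.mm
"""

# Assumption: an organisation-specific allowlist of accessibility-service packages
# that are expected on managed devices (here only the stock screen reader).
ALLOWLIST = {"com.google.android.marvin.talkback"}


def parse_enabled_services(raw: str) -> List[Tuple[str, str]]:
    """Expand the settings value into (package, fully-qualified class) pairs."""
    raw = raw.strip()
    if not raw or raw == "null":  # `settings get` prints "null" when unset
        return []
    services = []
    for item in raw.split(":"):
        if "/" not in item:
            continue
        pkg, cls = item.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        services.append((pkg, cls))
    return services


_PKG_RE = re.compile(r"^package:(?P<path>.+?)=(?P<pkg>[\w.]+)$")


def parse_package_list(raw: str) -> Dict[str, str]:
    """Map package name -> APK path from `pm list packages -f` output."""
    paths = {}
    for line in raw.splitlines():
        m = _PKG_RE.match(line.strip())
        if m:
            paths[m.group("pkg")] = m.group("path")
    return paths


def audit_accessibility(enabled_raw: str, packages_raw: str,
                        allowlist=ALLOWLIST) -> List[Dict[str, object]]:
    """Return enabled accessibility services whose package is not allowlisted.

    Each finding records where the APK lives, since a service backed by an APK
    under /data/app (user-installed) deserves a closer look than a system app.
    """
    paths = parse_package_list(packages_raw)
    findings = []
    for pkg, cls in parse_enabled_services(enabled_raw):
        if pkg in allowlist:
            continue
        apk = paths.get(pkg, "<not installed>")
        findings.append({
            "package": pkg,
            "service": cls,
            "apk": apk,
            "system_app": apk.startswith("/system/"),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_accessibility(SAMPLE_ENABLED, SAMPLE_PACKAGES):
        print(finding)
```

On the constructed sample the stock screen reader is allowlisted and skipped, while the placeholder user-installed package is reported together with its APK path. On a real device, replace the two sample strings with the live command output and the allowlist with the services your fleet actually uses; any unexpected entry is a lead to pull the APK for analysis, not proof of compromise on its own.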
Trend Micro identified a Windows version of DarkNimbus, likely created between July and October 2019, but first deployed over a year later in December 2020.
While it lacks many features of its Android counterpart, the Windows variant includes a range of commands to collect system information, retrieve the list of installed apps, capture keystrokes, access clipboard data, and extract saved credentials and browsing history. It also enables the reading and uploading of file content.
Although the origins of Earth Minotaur remain unclear, the diversity of its infection chains and the sophistication of its malware tools mark it as a highly capable threat actor.
“MOONSHINE is a toolkit still under development and has been shared with multiple threat actors, including Earth Minotaur, POISON CARP, UNC5221, and others,” Trend Micro theorized.
Source: TheHackerNews