Source |
RiskIQ |
Identifier |
8620355 |
Publication date |
2024-12-05 23:21:01 (viewed: 2024-12-06 00:09:15) |
Title |
MOONSHINE Exploit Kit and DarkNimbus Backdoor Enabling Earth Minotaur's Multi-Platform Attacks |
Text |
## Snapshot
Researchers at Trend Micro have released a report detailing the activities of Earth Minotaur, an unattributed intrusion set with connections to prior Chinese operations.
## Description
Earth Minotaur employs the MOONSHINE exploit kit, a sophisticated framework targeting vulnerabilities in Android instant messaging apps, including WeChat. MOONSHINE, active since 2019 and now operating on over 55 identified servers, has been upgraded to include new exploits and features, such as enhanced evasion techniques.
Earth Minotaur uses MOONSHINE to deliver a cross-platform backdoor called DarkNimbus, which enables extensive surveillance on Android and Windows devices. According to Trend Micro, the attacks primarily target Tibetan and Uyghur communities, exploiting Chromium-based browser vulnerabilities (e.g., [CVE-2020-6418](https://security.microsoft.com/intel-explorer/cves/CVE-2020-6418/), [CVE-2018-17480](https://security.microsoft.com/intel-explorer/cves/CVE-2018-17480/), and [CVE-2018-17463](https://security.microsoft.com/intel-explorer/cves/CVE-2018-17463/), among others) within instant messaging apps to implant malicious code. Social engineering tactics are a key part of Earth Minotaur's campaigns: phishing links are disguised as Chinese travel information, government announcements, news related to religion, news related to Tibetans or Uyghurs, and news related to COVID-19.
Once installed, DarkNimbus grants attackers access to device data, communications, and multimedia. Its Android variant leverages accessibility services for monitoring, while its Windows counterpart uses advanced command-and-control protocols. Trend Micro also highlights the likelihood of MOONSHINE being shared among multiple Chinese-linked threat actors, underscoring the evolving threat posed by such exploit frameworks.
## Microsoft Analysis and Additional OSINT Context
Chinese-linked cyber actors have historically targeted Tibetan and Uyghur communities with sophisticated cyber-espionage campaigns. Groups like [Poison Carp](https://www.cfr.org/cyber-operations/poison-carp) and [Evasive Panda](https://www.welivesecurity.com/en/eset-research/evasive-panda-leverages-monlam-festival-target-tibetans/) have used malware-laden apps, phishing campaigns, and infected websites to infiltrate devices used by these groups. These campaigns can be longstanding. In September 2022, [Check Point Research reported](https://research.checkpoint.com/2022/never-truly-left-7-years-of-scarlet-mimics-mobile-surveillance-campaign-targeting-uyghurs/) on a seven-year campaign by Scarlet Mimic to conduct espionage using Android malware against the Uyghur community.
## Recommendations
- Only install applications from trusted sources and official stores.
- If a device is no longer receiving updates, strongly consider replacing it with a new device.
- Use mobile solutions such as [Microsoft Defender for Endpoint on Android](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-android?view=o365-worldwide) to detect malicious applications.
- Always keep the "Install unknown apps" setting disabled on the Android device to prevent apps from being installed from unknown sources.
## Detections/Hunting Queries
### Microsoft Defender Antivirus
Microsoft Defender Antivirus detects threat components as the following malware:
- [PUA:Win32/Kuping](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=PUA:Win32/Kuping)
- [Trojan:Win32/Wacatac](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Wacatac.B!ml)
- [TrojanSpy:Win32/Hanove](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Hanove!pz)
- [Trojan:Win32/Vindor](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Vindor!pz)
- [Trojan:Win32/ShadowPad](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description |
Notes |
★★
|
Sent |
Yes |
Tags |
Malware
Vulnerability
Threat
Mobile
Prediction
|