MOONSHINE Kit Exploiting Android Messaging Apps Flaw To Inject Backdoor


A sophisticated exploit kit named MOONSHINE has been actively targeting Android messaging apps to implant backdoors on users’ devices.

This toolkit, under continuous monitoring since 2019, has recently been found to have an upgraded version with enhanced capabilities and protections against security analysis.

Earth Minotaur, the threat actor behind these attacks, primarily targets Tibetan and Uyghur communities. Their modus operandi involves:-

  1. Sending crafted messages via instant messaging apps
  2. Enticing victims to click on embedded malicious links
  3. Redirecting victims to MOONSHINE exploit kit servers
  4. Installing a cross-platform backdoor called DarkNimbus

Attack chain of Earth Minotaur (Source – Trend Micro)

Security experts at Trend Micro observed that the attack links are disguised as legitimate content, including government announcements, COVID-19 news, religious information, and travel updates.

Technical Analysis

The upgraded MOONSHINE kit employs several sophisticated techniques:-

  • Pre-configured attack links: Each link contains encoded information about a masqueraded legitimate link, timestamp, and tag
  • Browser version verification: Exploits are only delivered to vulnerable versions of targeted apps
  • Multiple Chromium exploits: Targets various versions of Chromium and Tencent Browser Server (TBS)
  • Phishing for downgrade: Attempts to trick users into downgrading their browser engine to a vulnerable version

The kit can target multiple Android applications, including WeChat, Facebook, Line, and QQ.

Validation flow of the MOONSHINE exploit kit (Source – Trend Micro)

The primary payload of the MOONSHINE kit is the DarkNimbus backdoor, which has both Android and Windows versions:-

Android Version Features:-

  • Collects device information, installed apps, and geolocation data
  • Steals personal information from contact lists, call records, and messaging apps
  • Supports call recording, photo capture, and screen recording
  • Abuses Android’s Accessibility Service to monitor conversations in messaging apps

Windows Version Features:-

  • Collects host information, installed applications, and browsing history
  • Captures screenshots and keystrokes
  • Steals browser credentials and clipboard data
  • Executes shell commands

Both versions use similar command structures and communicate with command and control (C&C) servers for data exfiltration and receiving instructions.

While Earth Minotaur is believed to be a distinct threat actor, the MOONSHINE exploit kit has been linked to multiple Chinese operations:-

  • POISON CARP: Previously associated with MOONSHINE, but distinct from Earth Minotaur
  • UNC5221: Used a MOONSHINE server in a recent Ivanti zero-day attack
  • Possible connections to APT41 and Winnti group, based on shared malware characteristics

The widespread use of MOONSHINE and related tools among Chinese threat actors suggests a complex ecosystem of shared resources and techniques in cyber espionage operations.

To protect against such attacks, users should exercise caution when clicking on links in suspicious messages and keep their applications updated to the latest versions to mitigate known vulnerabilities.
