A sophisticated exploit kit known as MOONSHINE has emerged as a significant threat, specifically targeting Android messaging applications to implant backdoors into users’ devices. This toolkit has been under continuous scrutiny since 2019, and recent findings indicate an upgraded version that boasts enhanced capabilities and improved defenses against security analysis.
The entity behind these attacks, identified as Earth Minotaur, primarily focuses on the Tibetan and Uyghur communities. Their methodical approach includes:
- Distributing crafted messages through instant messaging platforms
- Encouraging victims to click on embedded malicious links
- Redirecting victims to servers hosting the MOONSHINE exploit kit
- Installing a cross-platform backdoor known as DarkNimbus
Security analysts at Trend Micro have noted that the attack links are cleverly disguised as legitimate content, encompassing government announcements, COVID-19 updates, religious information, and travel advisories.
Technical Analysis
The upgraded MOONSHINE kit employs a range of sophisticated techniques:
- Pre-configured attack links: Each link is embedded with encoded data about a legitimate link, timestamp, and tag.
- Browser version verification: Exploits are selectively delivered to vulnerable versions of targeted applications.
- Multiple Chromium exploits: The kit targets various iterations of Chromium and Tencent Browser Server (TBS).
- Phishing for downgrade: Attempts to deceive users into reverting their browser engine to a susceptible version.
MOONSHINE is capable of targeting a variety of Android applications, including WeChat, Facebook, Line, and QQ.
The primary payload delivered by the MOONSHINE kit is the DarkNimbus backdoor, which is available in both Android and Windows versions:
Android Version Features:
- Gathers device information, installed applications, and geolocation data.
- Extracts personal information from contact lists, call records, and messaging apps.
- Facilitates call recording, photo capture, and screen recording.
- Exploits Android’s Accessibility Service to monitor conversations within messaging applications.
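The Accessibility Service abuse listed above leaves a visible trace on the device: a malicious app must be registered as an enabled accessibility service. The following triage helper is an added example, not code from the Trend Micro report or from the DarkNimbus sample; it reads the raw value of the Android secure setting enabled_accessibility_services (normally retrieved with `adb shell settings get secure enabled_accessibility_services`) and flags any service whose package is not on an allowlist. The sample value and the allowlist are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): list enabled Android
# accessibility services and flag any whose package is not expected.
# Assumes `adb` and a USB-debugging-enabled device for live use; the
# parsing function takes the raw setting value so it runs offline too.

# flag_unknown_services RAW ALLOWLIST
#   RAW       : colon-separated value of the secure setting
#               enabled_accessibility_services, each entry being
#               package/component, e.g. "com.a/.Svc:com.b/.OtherSvc"
#   ALLOWLIST : colon-separated package names that are expected
# Prints one line per component whose package is not allowlisted.
flag_unknown_services() {
    raw="$1"
    allow="$2"
    # Android reports "null" (or an empty string) when no service is enabled.
    [ -z "$raw" ] || [ "$raw" = "null" ] && return 0
    printf '%s\n' "$raw" | tr ':' '\n' | while IFS= read -r comp; do
        [ -z "$comp" ] && continue
        pkg="${comp%%/*}"                     # package name before the slash
        case ":$allow:" in
            *":$pkg:"*) ;;                    # expected service, ignore
            *) printf 'UNEXPECTED accessibility service: %s\n' "$comp" ;;
        esac
    done
}

# Constructed sample standing in for device output (not real malware data):
# one legitimate screen reader plus one unknown service.
SAMPLE='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.dropper/.WatcherService'
ALLOW='com.google.android.marvin.talkback'
flag_unknown_services "$SAMPLE" "$ALLOW"

# Live use against a connected device (tr strips CRLF from adb output):
# raw="$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')"
# flag_unknown_services "$raw" "$ALLOW"
```

An unexpected entry is not proof of compromise on its own (some legitimate apps register accessibility services), but an enabled service from an app the user did not knowingly install is exactly the condition the backdoor relies on for reading messaging-app conversations, so it is a cheap first check during device triage.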
Windows Version Features:
- Collects host information, installed applications, and browsing history.
- Captures screenshots and keystrokes.
- Steals browser credentials and clipboard data.
- Executes shell commands.
Both versions use similar command structures and communicate with command-and-control (C&C) servers to exfiltrate data and receive instructions.
While Earth Minotaur is recognized as a distinct threat actor, the MOONSHINE exploit kit has been associated with several Chinese operations:
- POISON CARP: Previously linked to MOONSHINE but operates independently of Earth Minotaur.
- UNC5221: Utilized a MOONSHINE server in a recent Ivanti zero-day attack.
- Potential connections to APT41 and the Winnti group, based on shared malware characteristics.
The prevalent use of MOONSHINE and similar tools among Chinese threat actors indicates a complex ecosystem characterized by shared resources and techniques in cyber espionage operations.
To safeguard against such threats, users are advised to exercise caution when engaging with links in suspicious messages and to ensure their applications are updated to the latest versions to mitigate known vulnerabilities.