December 9, 2024
Severity
High
Analysis Summary
The MOONSHINE exploit kit and a previously undocumented Android and Windows backdoor named DarkNimbus are being used by a threat activity cluster tracked as Earth Minotaur to conduct long-term surveillance of Tibetan and Uyghur communities.
Earth Minotaur's DarkNimbus backdoor targets WeChat users. It is delivered via MOONSHINE to Android and Windows devices, making it a cross-platform threat. Because MOONSHINE exploits known, already-patched flaws in Chromium-based browsers and in-app browsers, keeping software up to date blunts the attack. Earth Minotaur's victims are located in Australia, Belgium, Canada, France, Germany, India, Italy, Japan, Nepal, the Netherlands, Norway, Russia, Spain, Switzerland, Taiwan, Turkey, and the United States.
Researchers attribute MOONSHINE's earlier use to an operator tracked as POISON CARP, which overlaps with the groups Earth Empusa and Evil Eye. MOONSHINE was first documented in September 2019 in attacks on the Tibetan community. The Android-focused kit uses a collection of Chrome browser exploits to deliver payloads that steal sensitive data from compromised devices, and it specifically targets applications that embed an in-app browser, including Google Chrome, Naver, and messaging apps such as LINE, QQ, WeChat, and Zalo.

According to researchers, Earth Empusa is not directly related to Earth Minotaur. Earth Minotaur, which primarily targets Uyghur and Tibetan communities, compromises victim devices with an improved version of MOONSHINE and then installs DarkNimbus. The updated kit adds CVE-2020-6418, a type confusion flaw in the V8 JavaScript engine that Google patched in February 2020 after it was found being exploited as a zero-day.
Earth Minotaur uses instant messaging platforms to send carefully worded messages that lure victims into clicking a malicious link embedded in the message, and it impersonates different personas in chats to make the social engineering more convincing. The links lead to one of at least 55 MOONSHINE exploit kit servers, which handle installing the DarkNimbus backdoor on the target's device.
The URLs are disguised as innocuous links to online videos of Tibetan or Uyghur music and dance, or to news about China. When the victim clicks an attack link and lands on the exploit kit server, the server responds according to parameters embedded in the link. Once the exploit has run, the server redirects the victim to the legitimate page the link was impersonating, so the victim sees nothing out of the ordinary.
If the Chromium-based Tencent browser is not vulnerable to any exploit MOONSHINE supports, the kit server instead shows a phishing page telling the WeChat user that the in-app browser, a customized Android WebView build called XWalk, is outdated and must be updated via the provided download link. Installing that package downgrades the browser engine to a version that still contains the vulnerabilities MOONSHINE exploits, a browser engine downgrade attack, after which the exploit kit can proceed.
A successful exploit implants a trojanized version of XWalk on the Android device, replacing the genuine engine inside the WeChat app, and it is this trojanized XWalk that carries DarkNimbus. The backdoor, believed to have been developed and regularly updated since 2018, communicates with an attacker-controlled server over the XMPP protocol and supports a wide range of commands to collect contacts, SMS messages, device metadata, screenshots, browser bookmarks, call history, files, clipboard content, geolocation, and the list of installed apps.
It can also run shell commands, record calls, and abuse the permissions granted to Android's accessibility services to harvest messages from DingTalk, MOMO, QQ, Skype, TalkBox, Voxer, WeChat, and WhatsApp, and it can uninstall itself from the compromised phone. More than a year after MOONSHINE first surfaced, in December 2020, researchers also identified a Windows version of DarkNimbus, believed to have been compiled between July and October 2019.
Although the Windows version has fewer features than its Android counterpart, it supports commands to read and upload file contents and to collect system information, the list of installed programs, keystrokes, clipboard data, saved credentials, and web browser history. Earth Minotaur's precise origin is unknown, but the variety of observed infection chains and the capability of its malware tools indicate a highly skilled threat actor.
The newly identified group joins Earth Wendigo, Scarlet Mimic, Flea, EvilBamboo, and Evasive Panda on a long list of adversaries that have targeted the Tibetan and Uyghur diaspora. The MOONSHINE toolkit continues to be maintained and has been shared with several threat actors, including Earth Minotaur, POISON CARP, and UNC5221.
Impact
- Unauthorized Access
- Code Execution
- Sensitive Data Theft
- Cyber Espionage
Indicators of Compromise
Domain Name
- news.tibetonline.info
- like.wechatpictureupload.com
- newsdomain.net
- server.img-bing.com
- www.leadtochanges.com
- ammffggo.com
IP
- 27.124.20.22
- 218.89.135.219
- 117.175.185.81
- 125.65.40.163
- 103.255.179.186
- 154.202.198.246
- 112.121.178.90
MD5
- 9c6f0178cec7ac5036803ce3e569c901
- 079c14eb237a32c2d7897e46a22fff7e
- dcd0fccb7e08a3d8d58e3f6ecd77475a
- 057f79b40be08049f2205357e2ab649a
- 5bd8a5ef2d51b23057b1ac3dd86ee16e
- e77a94d9797e329c1c007533adb02bd9
- 4af7438e75f03cbe9249b793b2e72976
- cfd2c2bf0d0bea1af660f25d93db2d77
- 5216b18151aca860f40d2e6e2574e897
- e05525d8c3560bf83f62da1aea6eb684
- cf4925b935c826ea18e2803e0ddc9bc7
- 68328a1814f16b648900fcebc425c547
- 23df343ad0b165d779764552b1e1777f
- 0ddd78208c16e9f8174868bdf92eac9b
- c0a25786959eae643c1189b8b0ee549d
SHA-256
- 1eaeb4558d5c4c67723c90f840b6f137517f4479e9fe8e1e874b18e9da754d4b
- 5af767c90035a88d9a4d329c24631de21ba0a9481e0e540e058c9cfa4709a7a2
- 5c9f525cd60132fa2960953d7a4ba18b1858116c239882554b0d5d43d704fc85
- d65ad9c034cdd188dd566bea220ed07c1ed5d0dd2ac61897c82589efac9e75c5
- f0b7f4a0e37708e4c767d529cbe35834ee3cff2b00a0c70d080d7f82924ad7ed
- 09de7f15b1fca9cf586294ced2217a29611f0d34d41622f46d89ea4e3cd63a2e
- 11d760f84bea10155cf16b8f3620914a818307f9ece614069509494914a8f8a2
- 154182453f425512010c68f351e09d3debd2f79b12f064b780c3d37809110fab
- 1b9ff9743b8aa4f9d3e151c5ab870137fe175240ce853c72a2dffea1a1172487
- 1defb8f7166f604640da5f2a913d69dd8c6ae14ea0bfe3cdfc1f1afcf96837cb
- 1f46a13af9ddc66a900fe2e9d717ca58ffd47c215741bca6fb5f3840f1bd9080
- 23ded8dd012bf6d51eda101abc85683759b1b5af9ea94cb54cfcc1a0da53642e
- 405c1bd8e829486625c9e5f5acf2a18fb17abe375ae87803e34aaae91646770e
- 244e22147cc1e37543159a95cf4674a61f290af305c1c1e37b69c45b444f9097
- c59509018bbbe5482452a205513a2eb5d86004369309818ece7eba7a462ef854
SHA1
- b022829862a8edaae216908d32e0c802faad69f5
- e0ddaa8052421451442276b763c797f6fce0339f
- e222820be94c27b52f1f09773b22d8fd4011f334
- df08fa6fefccf6f00bf7d4a5b15e125eb14aecd6
- abe3477e5d5feb24ad89d6d2edb47ecee9cb93d6
- 7ebddf13bc241a7435af28eb68c09e0787472594
- a7a3a17c79d7c3ceabd0ed88994eb5b260ce1c52
- f1223d65e1efef9b03480c03c881a3701758e39e
- 8d59ef2071eace04067df09db5ebab7f38ac9ffd
- 98040f7b1a4125471507b60fb10965ff38f40623
- e55344c5bb4126ca8738d9b741dbfc1b078c4b1b
- 4fa2ae6fdfa089393cf3159e6e2062b6fdb8577a
- 516f338d0a2f63a85d076410fb436677969f5a68
- fa639e82ae481a70dffff2c50745ada660c93aa8
- 13dda1896509d5a27bce1e2b26fef51707c19503
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
- Along with network and system hardening, harden application code so that the organization's websites and software are secure, and use testing tools to detect vulnerabilities in deployed code.
- Ensure that all software, particularly third-party software, is obtained from trusted sources and that updates come only from the vendor's official website or app store. Treat an in-app prompt to download a browser or browser-engine "update" from an arbitrary link as suspicious; the phishing page described in this advisory relies on exactly that lure.
- Conduct regular security assessments and audits of all software, especially those that handle sensitive data, to detect any suspicious activities.
- Implement multi-factor authentication and strong password policies to prevent unauthorized access to sensitive systems and data.
- Train employees on best practices for identifying and reporting suspicious activities, such as phishing emails or unusual network traffic.
- Deploy endpoint protection solutions with advanced threat detection capabilities to identify and block any malicious activities.
- Implement network segmentation and access controls to limit the spread of malware in case of a successful attack.
- Monitor network traffic and system logs to detect any unusual or suspicious activities, such as unauthorized file transfers or unusual process execution.
- Develop an incident response plan that outlines the steps to be taken in case of a successful attack, including how to isolate and contain the affected systems and how to communicate with stakeholders, such as customers and regulatory bodies.
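The first two remediation steps ask for the indicators above to be blocked and searched for. The following Python script, added here as an example and not part of the advisory or the researchers' tooling, shows one way to sweep DNS, proxy and endpoint logs for those indicators: it matches the listed domains (including any subdomain of them, without matching look-alike superstrings), the listed IPs, and file hashes of any of the three listed lengths in a single pass. The log lines are constructed for illustration, the hash set is a subset of the advisory's values, and the log field names are assumptions.

```python
"""Sweep log lines for the IOCs listed in this advisory (added example)."""
import re

# Indicator sets copied from the advisory. The hash set is a subset; extend as needed.
DOMAINS = {
    "news.tibetonline.info", "like.wechatpictureupload.com", "newsdomain.net",
    "server.img-bing.com", "www.leadtochanges.com", "ammffggo.com",
}
IPS = {
    "27.124.20.22", "218.89.135.219", "117.175.185.81", "125.65.40.163",
    "103.255.179.186", "154.202.198.246", "112.121.178.90",
}
HASHES = {
    "9c6f0178cec7ac5036803ce3e569c901",                                   # MD5
    "b022829862a8edaae216908d32e0c802faad69f5",                           # SHA-1
    "1eaeb4558d5c4c67723c90f840b6f137517f4479e9fe8e1e874b18e9da754d4b",   # SHA-256
}

# Hostnames need at least one dot and an alphabetic TLD, so dotted IPs are not picked up here.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# MD5 (32), SHA-1 (40) and SHA-256 (64) hex digests, each anchored on word boundaries.
HEX_RE = re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{64}\b", re.I)


def domain_hits(text):
    """Return hostnames in text that equal a listed domain or are a subdomain of one.

    'cdn.ammffggo.com' matches; 'notammffggo.com' does not, because only an exact
    match or a '.'-separated suffix counts.
    """
    hits = set()
    for host in HOST_RE.findall(text):
        host = host.lower().rstrip(".")
        for ioc in DOMAINS:
            if host == ioc or host.endswith("." + ioc):
                hits.add(host)
    return hits


def scan_line(line):
    """Return a list of (ioc_type, value) pairs found in one log line."""
    found = [("domain", h) for h in sorted(domain_hits(line))]
    found += [("ip", ip) for ip in IPV4_RE.findall(line) if ip in IPS]
    found += [("hash", h.lower()) for h in HEX_RE.findall(line) if h.lower() in HASHES]
    return found


def scan(lines):
    """Return (line_number, line, hits) for every line with at least one hit."""
    return [(n, ln, hits) for n, ln in enumerate(lines, 1) if (hits := scan_line(ln))]


# Constructed sample telemetry (not real logs); field names are assumptions.
SAMPLE_LOGS = [
    "2024-12-09T08:12:01Z dns client=10.0.5.23 query=news.tibetonline.info type=A",
    "2024-12-09T08:12:02Z proxy src=10.0.5.23 dst=27.124.20.22:443 url=https://news.tibetonline.info/2024/ GET 302",
    "2024-12-09T08:12:02Z proxy src=10.0.5.23 dst=142.250.74.46:443 url=https://www.youtube.com/watch GET 200",
    "2024-12-09T09:40:17Z edr host=WS-0142 event=file_create path=C:\\Users\\u\\Downloads\\update.exe "
    "sha256=1eaeb4558d5c4c67723c90f840b6f137517f4479e9fe8e1e874b18e9da754d4b",
    "2024-12-09T09:41:00Z dns client=10.0.5.31 query=cdn.ammffggo.com type=A",
    "2024-12-09T09:41:05Z dns client=10.0.5.31 query=notammffggo.com type=A",
]

if __name__ == "__main__":
    for n, line, hits in scan(SAMPLE_LOGS):
        print(f"line {n}: {hits}")
        print(f"    {line}")
```

Lines 1, 2, 4 and 5 of the sample produce hits; line 3 (ordinary traffic) and line 6 (a look-alike domain that merely ends in the same characters) do not. In a real sweep, feed the script your exported DNS, proxy and EDR records and paste the full hash lists from the advisory into `HASHES`.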