Earth Minotaur Threat Group Targets Uyghurs and Tibetans with MOONSHINE Exploit and DarkNimbus Backdoor
December 5, 2024
A newly identified threat activity cluster, Earth Minotaur, is using the MOONSHINE exploit kit and a previously unreported Android and Windows backdoor, DarkNimbus, to conduct long-term surveillance operations against Uyghurs and Tibetans. Joseph C Chen and Daniel Lunghi, researchers at Trend Micro, revealed that Earth Minotaur uses MOONSHINE to deliver the DarkNimbus backdoor to Android and Windows devices, specifically targeting WeChat, which makes it a potential cross-platform threat. MOONSHINE exploits multiple known vulnerabilities in Chromium-based browsers and applications, so keeping software regularly updated is the main defense against these attacks.
The threat activity has been detected across a range of countries including Australia, Belgium, Canada, France, Germany, India, Italy, Japan, Nepal, the Netherlands, Norway, Russia, Spain, Switzerland, Taiwan, Turkey, and the U.S. The MOONSHINE exploit kit was first identified in September 2019 during cyber attacks aimed at the Tibetan community. The Citizen Lab attributed its use to an operator it monitors under the name POISON CARP, which overlaps with threat groups Earth Empusa and Evil Eye.
MOONSHINE, an Android-based exploit kit, is known to utilize various Chrome browser exploits to deploy payloads that can extract sensitive data from compromised devices. It specifically targets several applications like Google Chrome, Naver, and instant messaging apps like LINE, QQ, WeChat, and Zalo. According to Trend Micro, Earth Minotaur has no direct connections to Earth Empusa.
The threat actor primarily targets Tibetan and Uyghur communities, using an upgraded version of MOONSHINE to infiltrate victim devices and subsequently infect them with DarkNimbus. The new variant includes the CVE-2020-6418 exploit, a type confusion vulnerability in the V8 JavaScript engine that Google patched in February 2020 after reports of it being weaponized as a zero-day.
Earth Minotaur employs carefully crafted messages via instant messaging apps to entice victims to click an embedded malicious link. The researchers said, "They disguise themselves as different characters on chats to increase the success of their social engineering attacks." The deceptive links lead to one of at least 55 MOONSHINE exploit kit servers that handle the installation of the DarkNimbus backdoor on the target's devices. These URLs masquerade as harmless links, often pretending to be China-related announcements or related to online videos of Tibetans' or Uyghurs' music and dances.
According to Trend Micro, when a victim clicks on an attack link and is redirected to the exploit kit server, it reacts based on the embedded settings. The server redirects the victim to the masqueraded legitimate link once the attack is over to prevent the victim from noticing any unusual activity.
In cases where the Chromium-based Tencent browser is not vulnerable to any of the exploits supported by MOONSHINE, the kit server instead returns a phishing page that warns the WeChat user that the in-app browser is out of date and needs to be updated. Accepting the bogus update amounts to a browser engine downgrade attack: the replacement engine carries the unpatched security flaws, which the threat actor then exploits with the MOONSHINE framework. A successful attack implants a trojanized version of XWalk on the Android device, replacing its legitimate counterpart within the WeChat app and ultimately paving the way for the execution of DarkNimbus.
Trend Micro also detected a Windows version of DarkNimbus that was likely developed between July and October 2019 but only used more than a year later, in December 2020. Although it lacks many of the features of its Android variant, it incorporates a wide range of commands to gather system information, the list of installed apps, keystrokes, clipboard data, and saved credentials and history from web browsers, as well as to read and upload file content.
The exact origins of Earth Minotaur are presently unclear, but the diversity in the observed infection chains combined with highly capable malware tools leaves no doubt that this is a sophisticated threat actor. Trend Micro theorized, "MOONSHINE is a toolkit that is still under development and has been shared with multiple threat actors including Earth Minotaur, POISON CARP, UNC5221, and others."