A covert cyber threat group identified as Earth Minotaur is using the MOONSHINE exploit toolkit together with a newly discovered backdoor dubbed DarkNimbus to conduct targeted surveillance against Tibetan and Uyghur communities.

MOONSHINE Exploit Kit

Initially detected in September 2019 targeting the Tibetan community, MOONSHINE uses vulnerabilities in Chromium-based browsers to deploy malicious payloads.

DarkNimbus Backdoor

An advanced cross-platform threat that affects both Android and Windows, capable of exfiltrating sensitive data.

Details of the Campaign

Earth Minotaur focuses on exploiting well-known vulnerabilities, particularly CVE-2020-6418, a flaw in the V8 JavaScript engine patched in February 2020. The group employs sophisticated social engineering tactics via instant messaging apps to trick users into clicking on harmful links that lead to MOONSHINE servers. Once redirected, the exploit servers install the DarkNimbus backdoor, which then covertly gathers extensive user information.
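Because the exploit described above only works against browser engines that predate the CVE-2020-6418 fix, one practical defensive check is to inventory the Chromium builds that clients on your network advertise. The script below is an added example, not code from the article or from the researchers who reported the campaign. It parses a constructed proxy log, extracts the Chromium version from each User-Agent, and flags clients older than the fixed build. The cutoff version (80.0.3987.122) is an assumption made here for the example rather than a figure stated on the page; confirm it against the vendor advisory before relying on it. The Android WebView marker ("; wv)") and the WeChat in-app browser token ("MicroMessenger") are real User-Agent conventions used here to highlight the messaging-app delivery path the article describes.

```python
import re
from typing import List, Optional, Tuple

# Assumption (not stated in the article): the first Chrome release carrying the
# CVE-2020-6418 fix was 80.0.3987.122 (February 2020). Verify against the vendor
# advisory before using this cutoff in production.
FIXED_VERSION: Tuple[int, int, int, int] = (80, 0, 3987, 122)

# Matches the Chromium build token in desktop Chrome, Android Chrome/WebView and iOS Chrome UAs.
UA_VERSION_RE = re.compile(r"(?:Chrome|Chromium|CriOS)/(\d+)\.(\d+)\.(\d+)\.(\d+)")

# Constructed log format for this example: <client_ip> "<user-agent>"
LOG_LINE_RE = re.compile(r'^(\S+)\s+"([^"]*)"')

# Constructed sample proxy log (not real traffic); IPs and User-Agents are made up.
SAMPLE_LOG = """\
10.0.0.12 "Mozilla/5.0 (Linux; Android 9; SM-G960F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.136 Mobile Safari/537.36"
10.0.0.13 "Mozilla/5.0 (Linux; Android 10; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/80.0.3987.99 Mobile Safari/537.36 MicroMessenger/8.0.1"
10.0.0.14 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
10.0.0.15 "curl/8.4.0"
"""


def chromium_version(user_agent: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract the four-part Chromium build number from a User-Agent, or None if absent."""
    m = UA_VERSION_RE.search(user_agent)
    if m is None:
        return None
    major, minor, build, patch = (int(x) for x in m.groups())
    return (major, minor, build, patch)


def is_unpatched(user_agent: str) -> bool:
    """True when the UA advertises a Chromium build older than the assumed fixed version."""
    v = chromium_version(user_agent)
    # Tuple comparison orders element by element, so 80.0.3987.99 < 80.0.3987.122.
    return v is not None and v < FIXED_VERSION


def triage_log(log_text: str) -> List[dict]:
    """Return one record per client whose browser engine predates the CVE-2020-6418 fix.

    Each record notes whether the engine is an Android WebView ("; wv)" marker) or the
    WeChat in-app browser ("MicroMessenger" token), since the campaign delivers its
    links through instant messaging apps.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE_RE.match(line)
        if m is None:
            continue  # skip lines that do not match the constructed format
        client_ip, ua = m.group(1), m.group(2)
        if not is_unpatched(ua):
            continue
        v = chromium_version(ua)
        findings.append({
            "client_ip": client_ip,
            "chromium_version": ".".join(str(x) for x in v),
            "android_webview": "; wv)" in ua,
            "wechat_browser": "MicroMessenger" in ua,
        })
    return findings


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(finding)
```

Run against the embedded sample, the script reports the Android 9 client on Chrome 79 and the WebView-based WeChat client on 80.0.3987.99, while the up-to-date Windows client and the non-browser client are ignored. On a real network the same logic can be pointed at proxy or web-server access logs to find devices whose embedded engine never received the fix.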

Global Impact

The campaign has reached targets in multiple countries, including the U.S., Canada, several European countries, Australia, and India.

Android Devices

On Android, the exploit chain uses a technique called a browser engine downgrade to replace legitimate app components within WeChat with the backdoor.

Android Capabilities

It leverages the XMPP protocol for communication and is equipped to access contact lists, SMS, call logs, geolocation data, and more. Additional capabilities include executing shell commands and recording ambient audio.

Windows Devices

The Windows variant of DarkNimbus, lacking some of its Android counterpart’s features, still manages to harvest comprehensive system data.

Implications

Though Earth Minotaur's origins remain unclear, its operations demonstrate a high level of sophistication. The sharing and continued development of MOONSHINE among several threat actors point to a well-organized threat landscape. By understanding the tactics employed by groups like Earth Minotaur, cybersecurity professionals and organizations can better prepare to defend against these advanced threats.
