Trend Micro researchers have revealed a sophisticated cyber campaign by the threat actor Earth Minotaur, leveraging the MOONSHINE exploit kit and DarkNimbus backdoor to target vulnerabilities in Android messaging apps. These attacks, primarily aimed at Tibetan and Uyghur communities, exploit Chromium-based browsers embedded in instant messaging applications. By deploying MOONSHINE, Earth Minotaur delivers the cross-platform DarkNimbus backdoor to both Android and Windows devices, enabling surveillance and unauthorized access.
MOONSHINE, first identified in 2019, has evolved into a more advanced exploit kit with enhanced capabilities. Its upgraded version now includes features to deter analysis, such as link validation through timestamps and salted hashes, and the ability to redirect victims to legitimate sites after exploitation. These measures ensure the attacks remain undetected by victims and security researchers. To date, Trend Micro has identified over 55 active MOONSHINE servers, highlighting the scale and persistence of this threat.
Earth Minotaur employs social engineering to lure victims into clicking malicious links embedded in seemingly legitimate content. These links, often disguised as government announcements or cultural videos, lead victims to MOONSHINE exploit kit servers. The servers exploit vulnerabilities in Chromium-based browsers, particularly when applications fail to update or lack sandboxing protections. Once compromised, victims’ devices are infected with the DarkNimbus backdoor, granting attackers remote control and access to sensitive information.
This discovery underscores the critical importance of regular software updates and enabling advanced security features like sandboxing in applications. The cross-platform nature of DarkNimbus further amplifies the potential impact of these attacks. As Earth Minotaur continues to refine its tactics, the cybersecurity community must remain vigilant, with increased awareness and proactive measures essential to countering threats posed by the MOONSHINE exploit kit and similar advanced tools.
Reference:
