Summary:
Trend Micro’s research on the Earth Minotaur threat actor reveals the use of the MOONSHINE exploit kit to target vulnerabilities in Android messaging apps, particularly affecting Tibetan and Uyghur communities. The exploit kit installs the DarkNimbus backdoor for surveillance, which has both Android and Windows versions. The updated MOONSHINE kit has over 55 servers and exploits multiple vulnerabilities, emphasizing the need for regular software updates to mitigate risks.
#EarthMinotaur #DarkNimbus #MOONSHINE
Keypoints:
- Earth Minotaur uses the MOONSHINE exploit kit to exploit Android messaging app vulnerabilities.
- DarkNimbus backdoor is installed for surveillance on both Android and Windows devices.
- Targeted communities include Tibetans and Uyghurs.
- MOONSHINE has over 55 identified servers as of 2024.
- Attack vectors include social engineering through instant messaging apps.
- Malicious links masquerade as legitimate content to entice victims.
- Regular software updates are essential to prevent exploitation of known vulnerabilities.
- MOONSHINE exploits multiple vulnerabilities in Chromium-based browsers and applications.
MITRE Techniques:
- Application Layer Protocol (T1071, Command and Control): the DarkNimbus backdoor talks to multiple command-and-control domains to maintain communication with compromised devices.
- Exploitation for Client Execution (T1203): the MOONSHINE kit exploits browser and WebView vulnerabilities in the instant messaging app that renders the malicious link, gaining code execution on the victim's device.
- Phishing (T1566): social-engineering lures sent over instant messaging apps entice victims into opening malicious links.
- OS Credential Dumping (T1003): DarkNimbus collects stored credentials such as passwords and tokens from the compromised device.
- Data from Information Repositories (T1213): the backdoor gathers data from information repositories on the compromised device.
IoC:
- [IP Address] 117.175.185.81
- [IP Address] 125.65.40.163
- [IP Address] 112.121.178.90
- [Domain] info[.]symantke[.]com
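The indicators above only help if they are actually checked against traffic. The following is an added example, not code from the Trend Micro report: a small Python matcher that refangs the page's defanged IoCs, indexes them by type, and scans a few constructed proxy/DNS log lines (the log format and the 10.0.0.0/8 client addresses are assumptions made for the example) for the listed IPs and for the listed domain or any of its subdomains.

```python
import ipaddress
import re

# Indicators taken from the IoC list on this page, kept in defanged form.
DEFANGED_IOCS = [
    "117.175.185.81",
    "125.65.40.163",
    "112.121.178.90",
    "info[.]symantke[.]com",
]

# Constructed sample log lines (assumed format); not real traffic from the report.
SAMPLE_LOG = """\
2024-12-05T10:14:02Z proxy src=10.0.0.25 dst=117.175.185.81 dport=443 method=CONNECT
2024-12-05T10:14:03Z dns  query=info.symantke.com type=A client=10.0.0.25
2024-12-05T10:15:10Z dns  query=updates.example.org type=A client=10.0.0.31
2024-12-05T10:16:44Z proxy src=10.0.0.31 dst=203.0.113.10 dport=443 method=CONNECT
2024-12-05T10:17:01Z dns  query=cdn.info.symantke.com type=A client=10.0.0.40
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Hostnames: dotted labels ending in an alphabetic TLD, so bare IPs do not match here.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', '(.)', 'hxxp') back into its real form."""
    s = indicator.strip().lower()
    s = s.replace("[.]", ".").replace("(.)", ".")
    s = re.sub(r"^hxxps?://", lambda m: m.group(0).replace("hxxp", "http"), s)
    return s


def classify(indicator: str) -> str:
    """'ip' if the refanged indicator parses as an IP address, else 'domain'."""
    try:
        ipaddress.ip_address(indicator)
        return "ip"
    except ValueError:
        return "domain"


def build_index(defanged):
    """Split a defanged IoC list into a set of IPs and a set of domains."""
    ips, domains = set(), set()
    for ioc in defanged:
        value = refang(ioc)
        (ips if classify(value) == "ip" else domains).add(value)
    return ips, domains


def domain_matches(host, domains):
    """Return the listed domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def scan_line(line, ips, domains):
    """Return [(kind, indicator), ...] for every IoC hit on one log line."""
    hits = []
    for ip in IP_RE.findall(line):
        if ip in ips:
            hits.append(("ip", ip))
    for host in HOST_RE.findall(line):
        matched = domain_matches(host, domains)
        if matched:
            hits.append(("domain", matched))
    return hits


def scan_log(text, ips, domains):
    """Return [(line_number, hits), ...] for lines with at least one IoC hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hits = scan_line(line, ips, domains)
        if hits:
            findings.append((lineno, hits))
    return findings


if __name__ == "__main__":
    ip_set, domain_set = build_index(DEFANGED_IOCS)
    for lineno, hits in scan_log(SAMPLE_LOG, ip_set, domain_set):
        print(f"line {lineno}: {hits}")
```

The subdomain check (`host.endswith("." + d)`) is deliberate: C2 infrastructure is commonly reached through hostnames under the listed domain, and a plain equality test would miss them, while the leading dot prevents a lookalike such as `evilsymantke.com` from matching.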
Full Research: https://www.trendmicro.com/en_us/research/24/l/earth-minotaur.html