By Uyghur Times Staff
December 7, 2024
This news article is a summarized version of a report by The Hacker News. The Uyghur Times team has not added any additional contributions, and full credit goes to The Hacker News.
A newly identified hacking group, dubbed Earth Minotaur, is targeting Uyghurs and Tibetans with advanced surveillance tools. Using the MOONSHINE exploit kit and a backdoor malware known as DarkNimbus, this cyber threat group is carrying out sophisticated attacks aimed at long-term monitoring of these communities.
Targeting Uyghur and Tibetan Communities
According to cybersecurity researchers at Trend Micro, Earth Minotaur employs upgraded versions of the MOONSHINE exploit kit to infect devices and install the DarkNimbus backdoor. Unlike other threat actors, Earth Minotaur operates independently of groups like Earth Empusa but has demonstrated similarly alarming capabilities.
The group delivers malicious links through instant messaging apps, often disguising them as innocuous announcements or cultural videos related to Uyghur or Tibetan music and dance. Clicking these links directs victims to servers hosting the MOONSHINE exploit kit, which delivers the DarkNimbus backdoor.
Exploiting Browser Vulnerabilities
The MOONSHINE exploit kit uses vulnerabilities like CVE-2020-6418, a flaw in Google Chrome’s V8 JavaScript engine patched in 2020. If users’ devices are unprotected, the malware is deployed covertly. After completing its malicious tasks, the server redirects victims to legitimate websites to avoid suspicion.
Phishing Tactics and Browser Downgrade Attacks
When MOONSHINE cannot exploit a device, it resorts to phishing. For example, Uyghur WeChat users may receive fake alerts urging them to update their in-app browser. The lure relies on the user installing a trojanized browser build that replaces the original and is designed to execute DarkNimbus.
DarkNimbus: A Sophisticated Spyware Tool
Developed and updated since 2018, DarkNimbus is a powerful surveillance tool targeting Android and Windows devices. On Android, it captures sensitive information like geolocation, contact lists, call history, and app data. It can also take screenshots, record calls, and collect messages from platforms like WeChat, QQ, WhatsApp, and Skype.
The Windows version of DarkNimbus, developed in late 2019, is less feature-rich but still capable of stealing keystrokes, browser credentials, and clipboard data.
A Global Cyber Threat
Earth Minotaur’s attacks extend beyond the Uyghur and Tibetan diaspora. Affected countries include the U.S., Australia, Canada, Germany, Turkey, and more. This highlights the group’s global reach and sophistication.
A Growing List of Adversaries
The threat group joins a long list of actors targeting Uyghurs and Tibetans, such as Scarlet Mimic, Flea, and Evasive Panda. The shared use of tools like MOONSHINE suggests collaboration or overlap between these groups, increasing the complexity of the threat landscape.
Call for Vigilance
Experts urge users to regularly update software and exercise caution when clicking links, especially those received via instant messaging platforms. “MOONSHINE exploits known vulnerabilities in Chromium-based browsers, making updates essential to prevent attacks,” said Trend Micro researchers Joseph Chen and Daniel Lunghi.
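As a defender-side illustration of the update advice above, the following added example (not part of the original article or Trend Micro's report) scans constructed proxy log lines for Chromium-based browsers that report a build older than a minimum patched version. The log format, the sample lines and the MIN_SAFE_CHROME value are assumptions; replace the placeholder with the first build that carries the fix for the CVE you are auditing against, taken from the vendor advisory.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample proxy log lines (not from the page).
# Assumed format: <timestamp> <client_ip> "<user_agent>"
SAMPLE_LOG = """\
2024-12-01T10:00:00Z 10.0.0.5 "Mozilla/5.0 (Linux; Android 10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.136 Mobile Safari/537.36"
2024-12-01T10:00:01Z 10.0.0.6 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"
2024-12-01T10:00:02Z 10.0.0.7 "Mozilla/5.0 (Linux; Android 9) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Mobile Safari/537.36"
2024-12-01T10:00:03Z 10.0.0.8 "curl/8.4.0"
"""

# Placeholder (assumption): the oldest Chromium build considered patched.
# Set this from the vendor advisory for the vulnerability being audited.
MIN_SAFE_CHROME: Tuple[int, ...] = (80, 0, 0, 0)

# Chromium-based browsers (Chrome, Edge, Brave, many in-app WebViews) carry a
# "Chrome/<version>" token in their User-Agent string.
CHROME_RE = re.compile(r"\bChrome/(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '79.0.3945.136' into (79, 0, 3945, 136) for numeric comparison."""
    return tuple(int(part) for part in text.split("."))


def chrome_version(user_agent: str) -> Optional[Tuple[int, ...]]:
    """Return the Chromium build advertised in a User-Agent, or None if absent."""
    match = CHROME_RE.search(user_agent)
    return parse_version(match.group(1)) if match else None


def is_outdated(version: Tuple[int, ...],
                minimum: Tuple[int, ...] = MIN_SAFE_CHROME) -> bool:
    """True when version sorts below minimum; shorter tuples are zero-padded."""
    width = max(len(version), len(minimum))
    padded_version = version + (0,) * (width - len(version))
    padded_minimum = minimum + (0,) * (width - len(minimum))
    return padded_version < padded_minimum


def find_outdated_clients(log_text: str,
                          minimum: Tuple[int, ...] = MIN_SAFE_CHROME) -> List[Tuple[str, str]]:
    """Return (client_ip, chrome_version) for every Chromium client below minimum."""
    outdated: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue  # malformed line; skip rather than crash the audit
        _timestamp, client_ip, user_agent = parts
        version = chrome_version(user_agent.strip('"'))
        if version is not None and is_outdated(version, minimum):
            outdated.append((client_ip, ".".join(str(n) for n in version)))
    return outdated


if __name__ == "__main__":
    for ip, ver in find_outdated_clients(SAMPLE_LOG):
        print(f"{ip} runs Chromium {ver}, below minimum {'.'.join(map(str, MIN_SAFE_CHROME))}")
```

Non-Chromium clients (such as the curl line) are ignored rather than flagged, and a User-Agent can be spoofed, so treat the output as a prioritisation list for patch follow-up rather than proof of compromise.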
The persistent targeting of Uyghurs and Tibetans underscores the need for robust cybersecurity measures to protect vulnerable communities.