Full Report
A previously undocumented threat activity cluster dubbed Earth Minotaur is leveraging the MOONSHINE exploit kit and an unreported Android-cum-Windows backdoor called DarkNimbus to facilitate long-term surveillance operations targeting Tibetans and Uyghurs. "Earth Minotaur uses MOONSHINE to deliver the DarkNimbus backdoor to Android and Windows devices, targeting WeChat, and possibly making it a
Analysis Summary
# Threat Actor: Earth Minotaur
## Attribution & Identity
Previously undocumented threat activity cluster. Trend Micro has not established direct connections to other known groups like Earth Empusa. The MOONSHINE exploit kit has also been attributed to other operators, including **POISON CARP**, and overlaps with activity tracked as **Earth Empusa** and **Evil Eye**.
## Activity Summary
Earth Minotaur is conducting long-term surveillance operations primarily targeting Tibetan and Uyghur communities in various countries. The actor uses social engineering via instant messaging apps to trick victims into clicking malicious links. These links lead to MOONSHINE exploit kit servers, which attempt to install the DarkNimbus backdoor on the victim's device, whether Android or Windows. The actor disguises attack links as seemingly innocuous announcements or content related to Tibetan or Uyghur music and videos. If the initial exploit fails against a Chromium-based browser, the server may instead serve a phishing page that tricks WeChat users into downloading a fake update for the outdated in-app browser (XWalk), resulting in a browser engine downgrade attack.
## Tactics, Techniques & Procedures
- **Social Engineering:** Sends carefully crafted messages via instant messaging apps (e.g., WeChat), disguising links as benign content (announcements, cultural music or videos) to entice clicks.
- **Exploitation:** Leverages the MOONSHINE exploit kit to exploit known vulnerabilities in Chromium-based browsers and applications.
- **Browser Exploitation:** Targets Chrome, Naver, and instant messaging apps with embedded in-app browsers (like WeChat's XWalk/Android WebView).
- **Vulnerability Exploitation:** Specifically uses **CVE-2020-6418** (a V8 JavaScript engine type confusion vulnerability patched in Feb 2020) in an upgraded version of MOONSHINE.
- **Downgrade Attack:** Attempts to force a browser engine downgrade attack against WeChat's embedded XWalk browser if direct exploitation fails.
- **Persistence/C2:** Utilizes the DarkNimbus backdoor for long-term surveillance. The **Android DarkNimbus** variant communicates via the XMPP protocol.
- **Post-Exploitation Deception:** After a successful exploitation attempt, the server redirects the victim to the legitimate link the message was disguised as, so the victim sees the expected content and is less likely to notice the attack.
## Targeting
- **Sectors:** Communities focused on ethnic/political identity (Tibetans and Uyghurs).
- **Geography:** Australia, Belgium, Canada, France, Germany, India, Italy, Japan, Nepal, the Netherlands, Norway, Russia, Spain, Switzerland, Taiwan, Turkey, and the U.S.
- **Victims:** Individuals within the Tibetan and Uyghur communities.
## Tools & Infrastructure
- **Exploit Kit:** **MOONSHINE** (targets Android devices by exploiting vulnerabilities in Chromium-based browsers and in-app browser engines).
- **Backdoor:** **DarkNimbus** (Unreported Android and Windows backdoor).
- **Android DarkNimbus Capabilities:** Siphons device metadata, screenshots, browser bookmarks, phone call history, contacts, SMS messages, geolocation, files, clipboard content, installed apps list. Executes shell commands, records phone calls, takes pictures, abuses Android accessibility services to collect messages from DingTalk, MOMO, QQ, Skype, TalkBox, Voxer, WeChat, and WhatsApp. Can uninstall itself. Communicates via XMPP.
- **Windows DarkNimbus Capabilities:** Gathers system info, installed apps list, keystrokes, clipboard data, saved browser credentials/history, and reads/uploads file content.
- **Infrastructure:** At least 55 MOONSHINE exploit kit servers used for initial infection. (The source text does not list specific C2 domains or IP addresses.)
## Implications
Earth Minotaur represents a sophisticated, state-aligned threat actor focused on long-term surveillance of specific geopolitical minority groups. The use of cross-platform malware (Android and Windows) and an actively updated, shared exploit kit (MOONSHINE) indicates advanced capabilities and potentially resource sharing with other threat groups. The social engineering targeting cultural content makes the initial infection vector highly specific and potentially effective against the intended audience.
## Mitigations
- Maintain regular and timely software updates for all Chromium-based browsers, applications, and operating systems to mitigate known exploits leveraged by MOONSHINE (including CVE-2020-6418).
- Exercise extreme caution when clicking links received via instant messaging apps, regardless of the sender or the seeming legitimacy of the accompanying context (e.g., cultural announcements).
- For users of affected messaging apps (especially WeChat), verify the security posture of embedded in-app browsers and ensure related components (like XWalk) are patched or updated.
- Implement robust endpoint detection and response (EDR) solutions capable of detecting suspicious behavior associated with the DarkNimbus backdoor, particularly XMPP communication and excessive data collection via accessibility services.
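As an added example (not code from the report or from Trend Micro), the following Python triage script runs over constructed proxy/flow log lines and flags the two exposures the mitigations above call out: in-app browsers (WeChat, XWalk and WebView user-agent markers, assumed) running a Chromium engine older than major version 80, the February 2020 release that fixed CVE-2020-6418, and outbound XMPP (port 5222) from Android devices, the DarkNimbus C2 channel named in the report. The log format, hostnames and user-agent markers are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Chromium 80 (Feb 2020) carried the fix for CVE-2020-6418; used here as an
# assumed "outdated engine" threshold for this example, not a value from the report.
MIN_SAFE_CHROMIUM_MAJOR = 80
XMPP_PORT = 5222  # IANA-registered XMPP client port, assumed as the indicator to watch

# Constructed sample log lines: "<device> <dst_host>:<dst_port> UA=<user-agent>"
SAMPLE_LOG = """\
android-17 cdn.example.test:443 UA=Mozilla/5.0 (Linux; Android 9) AppleWebKit/537.36 Chrome/66.0.3359.126 Mobile Safari/537.36 XWEB/2 MicroMessenger/7.0
android-17 jabber.example.test:5222 UA=-
win-04 updates.example.test:443 UA=Mozilla/5.0 (Windows NT 10.0) Chrome/120.0.0.0 Safari/537.36
android-22 media.example.test:443 UA=Mozilla/5.0 (Linux; Android 13) Chrome/118.0.0.0 Mobile Safari/537.36
"""

LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) UA=(.*)$")
CHROME_RE = re.compile(r"Chrome/(\d+)\.")
# Assumed markers for embedded in-app browsers (WeChat, Crosswalk/XWalk, Android WebView)
INAPP_MARKERS = ("MicroMessenger", "XWEB", "Crosswalk", "; wv")


@dataclass
class Finding:
    device: str
    reason: str


def analyze(log_text):
    """Return a Finding per suspicious line; unparseable lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        device, host, port, ua = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        # Outdated Chromium engine inside an in-app browser: exposed to the
        # MOONSHINE exploit chain that uses CVE-2020-6418
        ver = CHROME_RE.search(ua)
        if ver and int(ver.group(1)) < MIN_SAFE_CHROMIUM_MAJOR and any(t in ua for t in INAPP_MARKERS):
            findings.append(Finding(device, f"in-app browser on Chromium {ver.group(1)} (< {MIN_SAFE_CHROMIUM_MAJOR})"))
        # Outbound XMPP from an Android device: the C2 protocol of Android DarkNimbus
        if port == XMPP_PORT and device.startswith("android-"):
            findings.append(Finding(device, f"outbound XMPP to {host}:{port}"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.device}: {f.reason}")
```

Both findings in the sample come from the same device, which is the kind of correlation (outdated in-app engine followed by XMPP beacons) an EDR or proxy rule should escalate rather than treat as two unrelated alerts.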