MOONSHINE Exploit Kit and DarkNimbus Backdoor Enabling Earth Minotaur’s Multi-Platform Attacks

    Date: 12/06/2024

    Severity: High

    Summary

    Since 2019, we have been monitoring the activity of the MOONSHINE exploit kit. During our research, we uncovered a server with poor operational security, exposing its toolkits, operation logs, potential victim data, and the tactics of the threat actor Earth Minotaur. Initially targeting the Tibetan and Uyghur communities, MOONSHINE exploits vulnerabilities in Android instant messaging apps to implant backdoors. By 2024, at least 55 MOONSHINE exploit kit servers were identified, featuring updated vulnerabilities and enhanced protection against analysis, and it remains actively used by threat actors.

    Indicators of Compromise (IOC) List

    Domains\URLs:

    ansec.com
    www.cloudvn.info
    news.tibetonline.info
    like.wechatpictureupload.com
    barginshowless.garddenshcok.com
    formaldense.weixinpicture.com
    newsdomain.net
    www.vikingshielder.com
    server.img-bing.com
    www.wetransfering.com
    www.leadtochanges.com
    whsdwxs.com
    qqmailpls.com
    ammffggo.com
    dash.gztesttaac.com
    dash.nortonet.com
    www.nortonet.com
    www.tegacklephys.com
    www.esetinc.com
    www.mcofea.com
    magt1.xyz
    renp7.xyz
    www.yb425ty.xyz
    www.qqnmqciug.com
    bstram.com
    acd.1yxqwzx2.com
    www.onlinewechat.com
    www.onlineweixin.net
    www.onlinewxapp.net
    wkcxpb.xyz
    info.symantke.com
    api1-meta.com
    www.online-wechat.com
    www.wechatimghs.com
    vsa.ahamar.com
    www.lodepot.com
    www.unusualtransaction.com
    m.leak-news.com
    www.internetweixin.com
    static.chatonlineapp.com
    gates.chatonlineapp.com
    www.weetogether.top
    wechatnets.com
    www.newwechat.com
    www.serverwechat.com
    www.txwect.com

    IP Address:

    27.124.20.22
    47.93.54.134
    60.205.148.180
    218.89.135.219
    117.175.185.81
    125.65.40.163
    103.255.179.186
    154.202.198.246
    112.121.178.90

    Hash (SHA256):

    07bae9dd9dade31f9df6806ecc7cb430535af674f39a549e875f6efbc429cdb3
    1b6345d855db824e594f28e86e5abb04e0478923e51a3718cff80c42190cff6c
    1e2afa69b7ba2a4baf20f3345c7f2fe59077df37cd27f37eddb1568196194706
    1eaeb4558d5c4c67723c90f840b6f137517f4479e9fe8e1e874b18e9da754d4b
    5af767c90035a88d9a4d329c24631de21ba0a9481e0e540e058c9cfa4709a7a2
    5c9f525cd60132fa2960953d7a4ba18b1858116c239882554b0d5d43d704fc85
    76c8f1df9461a3258acca6c5dc7962f4f5a34f09a5c7cb9bb58eae5ded240f06
    b5040d7ca5e9cdc331cc3fb9abed492be95ad872eb95176ac5bc3def169191e5
    b7f7de46f041d8115aeff221934c869fa6f0b449b95e0c6c181de75a3f517407
    b83492550bc9aaa0f6e8a669ac1349db59671e2874f4dafa0292c91b68dc2a41
    b9a646d39a15f76bb1cd3efd4bef67f31504e25c9ad364f0c4cc3886f2278b0e
    c5a06ffdf20b39c4555b37dec5e3075c16bd8ffb9bde4c87bd05243df53df064
    d65ad9c034cdd188dd566bea220ed07c1ed5d0dd2ac61897c82589efac9e75c5
    e9664ad0272bc1b5e0d271dc3a28ef32cbdd0a790a1f5fe26ba4e1904cccbfdc
    f0b7f4a0e37708e4c767d529cbe35834ee3cff2b00a0c70d080d7f82924ad7ed
    09de7f15b1fca9cf586294ced2217a29611f0d34d41622f46d89ea4e3cd63a2e
    11d760f84bea10155cf16b8f3620914a818307f9ece614069509494914a8f8a2
    154182453f425512010c68f351e09d3debd2f79b12f064b780c3d37809110fab
    1b9ff9743b8aa4f9d3e151c5ab870137fe175240ce853c72a2dffea1a1172487
    1defb8f7166f604640da5f2a913d69dd8c6ae14ea0bfe3cdfc1f1afcf96837cb
    1f46a13af9ddc66a900fe2e9d717ca58ffd47c215741bca6fb5f3840f1bd9080
    23ded8dd012bf6d51eda101abc85683759b1b5af9ea94cb54cfcc1a0da53642e
    405c1bd8e829486625c9e5f5acf2a18fb17abe375ae87803e34aaae91646770e
    4f51eb7829b97d4a5ba5cdc9d909f484a0e412340fc68d3cad0e1f2e8972640d
    532b3a47e15c45a113c3b219d0d66a18dcbf20c81de3b56f4bb71f7544de2699
    7ee53cc01e039e7c7584ea3fe4274292a58957acce61227394889e84b1f7879e
    93dff9eff6a839f7202c109e34484bee5ed2430076ee4ac7e1d8f3d9479e243d
    95da35098d6167c23bdb1901024614d3658fa78b34ae11612ec7abdfd92c92a0
    ba5b80ac52892d4a3d1b187be2e4cd6195e4bfae1eae4d1c59daffb072ec8dd5
    e43b1396419d1954a9911fba1ebec3eb24b27c3b461394b678f89848981f5f8d
    e7309efe719765fdc47f0bbf446a310d1a80a5cdadaced68054b3136b6776667
    8510fc293227ea7b7d4b20073302e015b616aa8af90d30549b5b118034036111
    c59509018bbbe5482452a205513a2eb5d86004369309818ece7eba7a462ef854
    244e22147cc1e37543159a95cf4674a61f290af305c1c1e37b69c45b444f9097
    2e6ef72d05b395224a03a73a50eaee1c9dc682976c99dde5317b76938cb669a4
    73bb7e7d0743d40a1d967497a5fbb79c07132eb15a546fa25bbecaf43993a1d2
    08d6bfe8a1ff1043df4aebfbb7d074de0923a665a7e8134fd702ee45454304f5
    bdd760d3a8fbff322adad4a9d903daae9544e3c73264650bf60b3fa9a69ac425
    61b24ff38bfdeb7b9f1716ee22535dccf1add5b19095a8f8b227a67270b279b2
    fc117650688065deeb54e686f873359c2a56d23165567ab3f2a3b62498199fa9

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains\URLs 1:

    userdomainname like "info.symantke.com" or url like "info.symantke.com" or userdomainname like "www.newwechat.com" or url like "www.newwechat.com" or userdomainname like "www.internetweixin.com" or url like "www.internetweixin.com" or userdomainname like "server.img-bing.com" or url like "server.img-bing.com" or userdomainname like "news.tibetonline.info" or url like "news.tibetonline.info" or userdomainname like "ansec.com" or url like "ansec.com" or userdomainname like "www.cloudvn.info" or url like "www.cloudvn.info" or userdomainname like "like.wechatpictureupload.com" or url like "like.wechatpictureupload.com" or userdomainname like "barginshowless.garddenshcok.com" or url like "barginshowless.garddenshcok.com" or userdomainname like "formaldense.weixinpicture.com" or url like "formaldense.weixinpicture.com" or userdomainname like "newsdomain.net" or url like "newsdomain.net" or userdomainname like "www.vikingshielder.com" or url like "www.vikingshielder.com" or userdomainname like "www.wetransfering.com" or url like "www.wetransfering.com" or userdomainname like "www.leadtochanges.com" or url like "www.leadtochanges.com" or userdomainname like "whsdwxs.com" or url like "whsdwxs.com" or userdomainname like "qqmailpls.com" or url like "qqmailpls.com" or userdomainname like "ammffggo.com" or url like "ammffggo.com" or userdomainname like "dash.gztesttaac.com" or url like "dash.gztesttaac.com" or userdomainname like "dash.nortonet.com" or url like "dash.nortonet.com" or userdomainname like "www.nortonet.com" or url like "www.nortonet.com" or userdomainname like "www.tegacklephys.com" or url like "www.tegacklephys.com" or userdomainname like "www.esetinc.com" or url like "www.esetinc.com" or userdomainname like "www.mcofea.com" or url like "www.mcofea.com" or userdomainname like "magt1.xyz" or url like "magt1.xyz" or userdomainname like "renp7.xyz" or url like "renp7.xyz"

    Domains\URLs 2:

    userdomainname like "www.yb425ty.xyz" or url like "www.yb425ty.xyz" or userdomainname like "www.qqnmqciug.com" or url like "www.qqnmqciug.com" or userdomainname like "bstram.com" or url like "bstram.com" or userdomainname like "acd.1yxqwzx2.com" or url like "acd.1yxqwzx2.com" or userdomainname like "www.onlinewechat.com" or url like "www.onlinewechat.com" or userdomainname like "www.onlineweixin.net" or url like "www.onlineweixin.net" or userdomainname like "www.onlinewxapp.net" or url like "www.onlinewxapp.net" or userdomainname like "wkcxpb.xyz" or url like "wkcxpb.xyz" or userdomainname like "api1-meta.com" or url like "api1-meta.com" or userdomainname like "www.wechatimghs.com" or url like "www.wechatimghs.com" or userdomainname like "vsa.ahamar.com" or url like "vsa.ahamar.com" or userdomainname like "www.lodepot.com" or url like "www.lodepot.com" or userdomainname like "www.unusualtransaction.com" or url like "www.unusualtransaction.com" or userdomainname like "m.leak-news.com" or url like "m.leak-news.com" or userdomainname like "static.chatonlineapp.com" or url like "static.chatonlineapp.com" or userdomainname like "gates.chatonlineapp.com" or url like "gates.chatonlineapp.com" or userdomainname like "www.weetogether.top" or url like "www.weetogether.top" or userdomainname like "wechatnets.com" or url like "wechatnets.com" or userdomainname like "www.serverwechat.com" or url like "www.serverwechat.com" or userdomainname like "www.online-wechat.com" or url like "www.online-wechat.com" or userdomainname like "www.txwect.com" or url like "www.txwect.com"

    IP Address:

    dstipaddress IN ("154.202.198.246","112.121.178.90","103.255.179.186","27.124.20.22","47.93.54.134","60.205.148.180","218.89.135.219","125.65.40.163","117.175.185.81") or ipaddress IN ("154.202.198.246","112.121.178.90","103.255.179.186","27.124.20.22","47.93.54.134","60.205.148.180","218.89.135.219","125.65.40.163","117.175.185.81") or publicipaddress IN ("154.202.198.246","112.121.178.90","103.255.179.186","27.124.20.22","47.93.54.134","60.205.148.180","218.89.135.219","125.65.40.163","117.175.185.81") or srcipaddress IN ("154.202.198.246","112.121.178.90","103.255.179.186","27.124.20.22","47.93.54.134","60.205.148.180","218.89.135.219","125.65.40.163","117.175.185.81")

    Hash (SHA256):

    sha256hash IN ("154182453f425512010c68f351e09d3debd2f79b12f064b780c3d37809110fab","1b9ff9743b8aa4f9d3e151c5ab870137fe175240ce853c72a2dffea1a1172487","f0b7f4a0e37708e4c767d529cbe35834ee3cff2b00a0c70d080d7f82924ad7ed","d65ad9c034cdd188dd566bea220ed07c1ed5d0dd2ac61897c82589efac9e75c5","e43b1396419d1954a9911fba1ebec3eb24b27c3b461394b678f89848981f5f8d","ba5b80ac52892d4a3d1b187be2e4cd6195e4bfae1eae4d1c59daffb072ec8dd5","11d760f84bea10155cf16b8f3620914a818307f9ece614069509494914a8f8a2","405c1bd8e829486625c9e5f5acf2a18fb17abe375ae87803e34aaae91646770e","fc117650688065deeb54e686f873359c2a56d23165567ab3f2a3b62498199fa9","c59509018bbbe5482452a205513a2eb5d86004369309818ece7eba7a462ef854","95da35098d6167c23bdb1901024614d3658fa78b34ae11612ec7abdfd92c92a0","244e22147cc1e37543159a95cf4674a61f290af305c1c1e37b69c45b444f9097","1defb8f7166f604640da5f2a913d69dd8c6ae14ea0bfe3cdfc1f1afcf96837cb","08d6bfe8a1ff1043df4aebfbb7d074de0923a665a7e8134fd702ee45454304f5","73bb7e7d0743d40a1d967497a5fbb79c07132eb15a546fa25bbecaf43993a1d2","1eaeb4558d5c4c67723c90f840b6f137517f4479e9fe8e1e874b18e9da754d4b","5af767c90035a88d9a4d329c24631de21ba0a9481e0e540e058c9cfa4709a7a2","7ee53cc01e039e7c7584ea3fe4274292a58957acce61227394889e84b1f7879e","4f51eb7829b97d4a5ba5cdc9d909f484a0e412340fc68d3cad0e1f2e8972640d","e7309efe719765fdc47f0bbf446a310d1a80a5cdadaced68054b3136b6776667","532b3a47e15c45a113c3b219d0d66a18dcbf20c81de3b56f4bb71f7544de2699","07bae9dd9dade31f9df6806ecc7cb430535af674f39a549e875f6efbc429cdb3","1b6345d855db824e594f28e86e5abb04e0478923e51a3718cff80c42190cff6c","1e2afa69b7ba2a4baf20f3345c7f2fe59077df37cd27f37eddb1568196194706","5c9f525cd60132fa2960953d7a4ba18b1858116c239882554b0d5d43d704fc85","76c8f1df9461a3258acca6c5dc7962f4f5a34f09a5c7cb9bb58eae5ded240f06","b5040d7ca5e9cdc331cc3fb9abed492be95ad872eb95176ac5bc3def169191e5","b7f7de46f041d8115aeff221934c869fa6f0b449b95e0c6c181de75a3f517407","b83492550bc9aaa0f6e8a669ac1349db59671e2874f4dafa0292c91b68dc2a41","b9a646d39a15f76bb1cd3efd4bef67f31504e25c9ad364f0c4cc3886f2278b0e","c5a06ffdf20b39c4555b37dec5e3075c16bd8ffb9bde4c87bd05243df53df064","e9664ad0272bc1b5e0d271dc3a28ef32cbdd0a790a1f5fe26ba4e1904cccbfdc","09de7f15b1fca9cf586294ced2217a29611f0d34d41622f46d89ea4e3cd63a2e","1f46a13af9ddc66a900fe2e9d717ca58ffd47c215741bca6fb5f3840f1bd9080","23ded8dd012bf6d51eda101abc85683759b1b5af9ea94cb54cfcc1a0da53642e","93dff9eff6a839f7202c109e34484bee5ed2430076ee4ac7e1d8f3d9479e243d","8510fc293227ea7b7d4b20073302e015b616aa8af90d30549b5b118034036111","2e6ef72d05b395224a03a73a50eaee1c9dc682976c99dde5317b76938cb669a4","bdd760d3a8fbff322adad4a9d903daae9544e3c73264650bf60b3fa9a69ac425","61b24ff38bfdeb7b9f1716ee22535dccf1add5b19095a8f8b227a67270b279b2")
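    For teams without the Gurucul TDIR query language, the same IOC sweep can be run offline against exported proxy, DNS, firewall and EDR logs. The script below is an added example and is not Gurucul's or Trend Micro's code. It carries a subset of the domains and hashes from the IOC list above (the full lists paste into the same sets) and all nine IP addresses; the log line formats are constructed for the demonstration, and `parse`-style details should be adapted to your own sources. Unlike the exact-string `like` clauses, it also flags hosts that sit under an IOC domain (for example a subdomain of info.symantke.com), which is a common blind spot when indicators are matched by equality only.

```python
"""Offline IOC sweep for the MOONSHINE / Earth Minotaur indicators above.

Added example, not code from the advisory. Log formats below are constructed.
"""
import re

# Indicators copied from the IOC list above (domains and hashes are a subset;
# add the remaining entries to the same sets to run the full sweep).
IOC_DOMAINS = {
    "info.symantke.com", "www.newwechat.com", "news.tibetonline.info",
    "server.img-bing.com", "like.wechatpictureupload.com", "ansec.com",
    "wechatnets.com", "www.txwect.com",
}
IOC_IPS = {
    "27.124.20.22", "47.93.54.134", "60.205.148.180", "218.89.135.219",
    "117.175.185.81", "125.65.40.163", "103.255.179.186",
    "154.202.198.246", "112.121.178.90",
}
IOC_SHA256 = {
    "c59509018bbbe5482452a205513a2eb5d86004369309818ece7eba7a462ef854",
    "fc117650688065deeb54e686f873359c2a56d23165567ab3f2a3b62498199fa9",
    "154182453f425512010c68f351e09d3debd2f79b12f064b780c3d37809110fab",
}

# Candidate extractors: hostnames (inside URLs or bare), dotted IPv4, SHA-256.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)


def domain_hit(host):
    """Return the IOC domain that `host` equals or is a subdomain of, else None.

    The suffix test requires a dot boundary, so 'notsymantke.com' does not
    match 'symantke.com'-style indicators by accident.
    """
    host = host.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_line(line):
    """Return a list of (kind, observed_value, matched_ioc) for one log line."""
    hits = []
    for host in sorted(set(HOST_RE.findall(line))):
        ioc = domain_hit(host)
        if ioc:
            hits.append(("domain", host.lower(), ioc))
    for ip in sorted(set(IPV4_RE.findall(line))):
        if ip in IOC_IPS:
            hits.append(("ip", ip, ip))
    for digest in sorted(set(SHA256_RE.findall(line))):
        digest = digest.lower()
        if digest in IOC_SHA256:
            hits.append(("sha256", digest, digest))
    return hits


def sweep(lines):
    """Return [(line_number, hits)] for every line with at least one IOC hit."""
    results = []
    for number, line in enumerate(lines, start=1):
        hits = scan_line(line)
        if hits:
            results.append((number, hits))
    return results


# Constructed sample log lines (not real telemetry): lines 2-5 should fire.
SAMPLE_LOGS = [
    "2024-12-06T10:01:02Z proxy user=alice dst=203.0.113.10 url=https://www.example.com/index.html",
    "2024-12-06T10:01:05Z proxy user=bob dst=198.51.100.7 url=https://cdn.info.symantke.com/update.apk",
    "2024-12-06T10:02:11Z dns client=10.0.0.21 query=news.tibetonline.info type=A",
    "2024-12-06T10:03:40Z fw src=10.0.0.21 dst=154.202.198.246 dport=443 action=allow",
    "2024-12-06T10:05:00Z edr host=wks-17 file=C:\\Users\\bob\\Downloads\\chat.apk "
    "sha256=c59509018bbbe5482452a205513a2eb5d86004369309818ece7eba7a462ef854",
    "2024-12-06T10:05:03Z edr host=wks-17 file=C:\\Windows\\notepad.exe sha256=" + "0" * 64,
]

if __name__ == "__main__":
    for number, hits in sweep(SAMPLE_LOGS):
        for kind, value, ioc in hits:
            print(f"line {number}: {kind} {value} matches IOC {ioc}")
```

    Hashes are lower-cased before comparison because EDR products disagree on case; IPs are compared exactly, since a suffix rule makes no sense for addresses. To run it over real exports, replace `SAMPLE_LOGS` with `open(path).read().splitlines()`.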

    Reference:

    https://www.trendmicro.com/en_us/research/24/l/earth-minotaur.html


    Tags

    Malware, MOONSHINE, DarkNimbus, Tibetan, Uyghur
