
Chinese MirrorFace APT group targets Japanese political entities


A Chinese-speaking APT group, tracked as MirrorFace, is behind a spear-phishing campaign targeting Japanese political entities.

ESET researchers recently discovered a spear-phishing campaign targeting Japanese political entities and attributed it to the Chinese-speaking APT group tracked as MirrorFace.

The experts tracked the campaign as Operation LiberalFace; it aimed at Japanese political entities, especially the members of a specific political party.

The campaign was launched in June 2022. The spear-phishing messages were used to spread the LODEINFO backdoor, an implant used to deliver additional payloads and to exfiltrate credentials and sensitive data from the victims.

The researchers also detailed the use of a previously undescribed credential stealer named by ESET as MirrorStealer.

“While there is some speculation that this threat actor might be related to APT10 (Macnica, Kaspersky), ESET is unable to attribute it to any known APT group. Therefore, we are tracking it as a separate entity that we’ve named MirrorFace,” reads the analysis published by ESET. “In particular, MirrorFace and LODEINFO, its proprietary malware used exclusively against targets in Japan, have been reported as targeting media, defense-related companies, think tanks, diplomatic organizations, and academic institutions. The goal of MirrorFace is espionage and exfiltration of files of interest.”

One of the spear-phishing messages analyzed by the researchers posed as an official communication from the PR department of a specific Japanese political party. The email contained a request related to the House of Councillors elections and included an attachment that, upon execution, deployed the LODEINFO malware.

The spear-phishing emails, sent on June 29, 2022, purported to be from the political party’s PR department. The content of the email urged the recipients to share the attached videos on their own social media profiles.

Figure 1. MirrorFace: original text of the spear-phishing email.

The attachment was a self-extracting WinRAR archive; opening it starts the LODEINFO infection.

ESET researchers also reported the use of the credential stealer MirrorStealer (31558_n.dll) by MirrorFace. MirrorStealer steals credentials from multiple applications, including web browsers and email clients. Experts noticed that one of the targeted applications is Becky!, an email client used only by Japanese users. The malware stores the stolen credentials in %TEMP%\31558.txt, but experts noticed that MirrorStealer doesn’t support data exfiltration, which means the attackers use other malware to do it.
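As an added defender-side check (not tooling from the ESET report or this article), the PowerShell triage function below hunts a Windows host for the two MirrorStealer artefacts named above: the credential dump %TEMP%\31558.txt in every user profile, and the 31558_n.dll module on disk or loaded into a running process. It assumes each profile’s %TEMP% resolves to AppData\Local\Temp and that the extra search roots are plausible drop locations; both are assumptions, not report findings.

```powershell
function Find-MirrorStealerArtifacts {
    param(
        # Extra directories to search for the DLL; assumed drop locations, not from the report.
        [string[]]$ExtraSearchRoots = @($env:ProgramData, $env:PUBLIC)
    )
    $findings = @()
    $profileRoot = Split-Path -Parent $env:USERPROFILE   # usually C:\Users
    # 1. Every user's %TEMP%\31558.txt: the file MirrorStealer writes stolen credentials to.
    #    Assumes the default per-user Temp location AppData\Local\Temp.
    foreach ($p in Get-ChildItem -Path $profileRoot -Directory -ErrorAction SilentlyContinue) {
        $candidate = Join-Path $p.FullName 'AppData\Local\Temp\31558.txt'
        if (Test-Path -LiteralPath $candidate) {
            $item = Get-Item -LiteralPath $candidate
            $findings += [pscustomobject]@{
                Indicator = 'MirrorStealer output file'
                Path      = $candidate
                SizeBytes = $item.Length
                Modified  = $item.LastWriteTime
                SHA256    = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
            }
        }
    }
    # 2. The stealer DLL (31558_n.dll) on disk, under the profiles and the extra roots.
    $roots = @($profileRoot) + $ExtraSearchRoots
    foreach ($dll in Get-ChildItem -Path $roots -Filter '31558_n.dll' -Recurse -File -ErrorAction SilentlyContinue) {
        $findings += [pscustomobject]@{
            Indicator = 'MirrorStealer DLL on disk'
            Path      = $dll.FullName
            SizeBytes = $dll.Length
            Modified  = $dll.LastWriteTime
            SHA256    = (Get-FileHash -LiteralPath $dll.FullName -Algorithm SHA256).Hash
        }
    }
    # 3. The DLL already loaded into a live process. Module enumeration fails for
    #    protected or cross-bitness processes, so those are silently skipped.
    foreach ($proc in Get-Process) {
        $mods = Get-Process -Id $proc.Id -Module -ErrorAction SilentlyContinue
        foreach ($m in ($mods | Where-Object { $_.ModuleName -ieq '31558_n.dll' })) {
            $findings += [pscustomobject]@{
                Indicator = "MirrorStealer DLL loaded in PID $($proc.Id) ($($proc.ProcessName))"
                Path      = $m.FileName
                SizeBytes = $m.ModuleMemorySize
                Modified  = $null
                SHA256    = $null
            }
        }
    }
    return $findings
}

Find-MirrorStealerArtifacts | Format-Table -AutoSize
```

Run it from an elevated prompt so every profile’s Temp directory is readable; an empty table means none of the three artefacts was found on that host.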

“MirrorFace continues to aim for high-value targets in Japan. In Operation LiberalFace, it specifically targeted political entities using the then-upcoming House of Councillors election to its advantage. More interestingly, our findings indicate MirrorFace particularly focused on the members of a specific political party.” concludes the report. “During the Operation LiberalFace investigation, we managed to uncover further MirrorFace TTPs, such as the deployment and utilization of additional malware and tools to collect and exfiltrate valuable data from victims. Moreover, our investigation revealed that the MirrorFace operators are somewhat careless, leaving traces and making various mistakes.”


Pierluigi Paganini

(SecurityAffairs – hacking, MirrorFace)
