
Chinese MirrorFace APT group targets Japanese political entities (Security Affairs)

A Chinese-speaking APT group tracked as MirrorFace is behind a spear phishing campaign targeting Japanese political entities.

ESET researchers recently discovered a spear phishing campaign targeting a Japanese political group, which they attribute to a Chinese-speaking APT group tracked as MirrorFace.

Experts track the campaign as Operation LiberalFace; it is aimed at Japanese political groups, specifically members of certain political parties.

The campaign was launched in June 2022, and the spear phishing messages were used to deliver the LODEINFO backdoor, an implant used to drop additional payloads and exfiltrate credentials and sensitive data from victims.

ESET researchers also detailed the use of a previously undocumented credential stealer called MirrorStealer.

“This threat actor is APT10 (Macnica, Kaspersky); ESET cannot attribute it to any known APT group. So we are tracking it as a separate entity called MirrorFace.” reads the analysis published by ESET. “Specifically, MirrorFace and LODEINFO, the proprietary malware used exclusively against Japanese targets, have been declared to be aimed at media, defense companies, think tanks, and diplomatic and academic institutions. MirrorFace’s goal is espionage and exfiltration of files of interest.”

One of the spear phishing messages analyzed by the researchers was disguised as an official communication from the public relations department of a particular Japanese political party. The email contained a request related to the House of Councilors election and carried an attachment that, when executed, deployed the LODEINFO malware.

A spear phishing email sent on June 29, 2022 was purportedly from the political party’s public relations department. The content of the email urged recipients to share the attached video on their social media profiles.

The attachment was a self-extracting WinRAR archive; opening it initiated the LODEINFO infection.

ESET researchers also reported that MirrorFace used a credential stealer, MirrorStealer (31558_n.dll). MirrorStealer steals credentials from several applications, including web browsers and email clients. Experts believe that one of the targeted applications is Becky!, an email client used only by Japanese users. The malware stores the stolen credentials in %TEMP%\31558.txt, but the experts found that MirrorStealer itself does not support data exfiltration, which means the attackers must rely on other malware to retrieve the stolen credentials.

“MirrorFace continues to target high-value targets in Japan. Operation LiberalFace specifically targeted political groups that were using the upcoming House of Councilors elections to their advantage. More interestingly, our findings indicate that MirrorFace is specifically focused on members of certain political parties.” concludes the report. “During our investigation of Operation LiberalFace, we uncovered additional MirrorFace TTPs such as the distribution and utilization of additional malware and tools to collect and exfiltrate valuable data from victims. The investigation also revealed that MirrorFace operators were somewhat negligent, leaving traces and making various mistakes.”

Pierluigi Paganini
