ESET Research discovers MirrorFace, a Chinese-speaking hacker group targeting a Japanese political party for spying and credential theft
At the end of June 2022, MirrorFace launched Operation LiberalFace targeting Japanese political entities.
Personalized phishing messages containing the LODEINFO backdoor were sent to the targets.
LODEINFO has been used to distribute other malware, exfiltrate victims' credentials, and steal their documents and emails.
A previously undocumented credential stealer, which we named MirrorStealer, was used in Operation LiberalFace.
MirrorFace is a Chinese-speaking hacking group that targets businesses and organizations based in Japan.
Researchers from ESET, Europe's No. 1 security vendor, have uncovered a custom phishing campaign, launched in the weeks leading up to Japan's House of Councillors elections in July 2022, by the hacker group that ESET Research tracks under the name MirrorFace. Investigation of this campaign, which ESET Research dubbed Operation LiberalFace and which targeted Japanese political entities, revealed that members of a specific Japanese political party were among its targets. The phishing messages contained the LODEINFO backdoor, which was used to distribute other malware, exfiltrate victims' credentials, and steal their documents and emails. MirrorFace is a Chinese-speaking threat actor whose targets are based in Japan.
Posing as the public relations department of a Japanese political party, MirrorFace asked the recipients of the email to post the attached videos on their own social media profiles to boost the party's public relations and ensure its victory in the House of Councillors. Supposedly sent on behalf of a prominent politician, the email also provided clear instructions on how to publish the videos. All of the phishing messages contained a malicious attachment which, upon execution, deployed LODEINFO to the compromised machine. MirrorFace launched its attack on June 29, 2022, ahead of Japan's July elections.
LODEINFO is a MirrorFace backdoor that is continuously being developed. Its features include taking screenshots, logging keystrokes, killing processes, exfiltrating files, executing additional files, as well as encrypting certain files and folders. The attack used a previously undocumented credential stealer, which ESET Research named MirrorStealer. It is able to steal credentials of different applications, such as browsers and email clients.
“During our investigation of Operation LiberalFace, we managed to uncover additional MirrorFace tactics, techniques and procedures, such as deploying and using additional malware and tools to collect and exfiltrate valuable victim data. Our investigation also revealed that MirrorFace operators are somewhat negligent, leaving traces and making several mistakes,” explains ESET researcher Dominik Breitenbacher, who discovered the campaign.
MirrorFace is a Chinese-speaking threat actor that targets businesses and organizations based in Japan. ESET suspects that this actor might be related to the APT10 group, but is unable to link it to a known group. Therefore, ESET classifies it as a separate entity named MirrorFace. In particular, MirrorFace and LODEINFO, its proprietary malware used exclusively against targets in Japan, target media, defense-related companies, think tanks, diplomatic organizations and academic institutions. The objective of MirrorFace is espionage and exfiltration of files of interest.
For more technical information on Operation LiberalFace from the MirrorFace group, see the article “Unmasking MirrorFace: Operation LiberalFace targeting Japanese political entities” on WeLiveSecurity.