Advertisement Banner
  • Home
  • News
  • Cyber News
  • Contact
No Result
View All Result
  • Home
  • News
  • Cyber News
  • Contact
No Result
View All Result
Wellnessnewshubb
No Result
View All Result
Home Cyber News

Chinese MirrorFace APT group targets Japanese political entitiesSecurity Affairs

admin by admin
December 15, 2022
in Cyber News


A Chinese-speaking APT group, tracked as MirrorFace, is behind a spear-phishing campaign targeting Japanese political entities.

ESET researchers recently discovered a spear-phishing campaign targeting Japanese political entities and attributed it to the Chinese-speaking APT group tracked as MirrorFace.

The experts tracked the campaign as Operation LiberalFace, it aimed at Japanese political entities, especially the members of a specific political party.

The campaign was launched in June 2022, the spear-phishing messages were used to spread the LODEINFO backdoor, an implant used to deliver additional payloads, and exfiltrate the credentials and sensitive data from the victims.

The researchers also detailed the use of a previously undescribed credential stealer named by ESET as MirrorStealer.

“While there is some speculation that this threat actor might be related to APT10 (Macnica, Kaspersky), ESET is unable to attribute it to any known APT group. Therefore, we are tracking it as a separate entity that we’ve named MirrorFace.” reads the analysis published by ESET. “In particular, MirrorFace and LODEINFO, its proprietary malware used exclusively against targets in Japan, have been reported as targeting media, defense-related companies, think tanks, diplomatic organizations, and academic institutions. The goal of MirrorFace is espionage and exfiltration of files of interest.”

One of the spear-phishing messages analyzed by the researchers posed as an official communication from the PR department of a specific Japanese political party. The email contained a request related to the House of Councillors elections, it included an attachment that upon execution deployed the LODEINFO malware.

The spear-phishing emails, sent on June 29, 2022, purported to be from the political party’s PR department. The content of the email urged the recipients to share the attached videos on their own social media profiles.

The attachment was a self-extracting WinRAR archive, upon opening it it will start LODEINFO infection.

ESET researchers also reported the use of the credential stealer MirrorStealer (31558_n.dll) by MirrorFace. MirrorStealer steals credentials from multiple applications, including web browsers and email clients. Experts noticed that one of the targeted applications is Becky!, an email client that is only used by Japanese users. The malware store the stolen credentials in %TEMP%31558.txt, but experts noticed the MirrorStealer doesn’t support data exfiltration, which means that attackers use other malware to do it.

“MirrorFace continues to aim for high-value targets in Japan. In Operation LiberalFace, it specifically targeted political entities using the then-upcoming House of Councillors election to its advantage. More interestingly, our findings indicate MirrorFace particularly focused on the members of a specific political party.” concludes the report. “During the Operation LiberalFace investigation, we managed to uncover further MirrorFace TTPs, such as the deployment and utilization of additional malware and tools to collect and exfiltrate valuable data from victims. Moreover, our investigation revealed that the MirrorFace operators are somewhat careless, leaving traces and making various mistakes.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, MirrorFace)



Share On






Source link

Previous Post

Jaishankar’s Salvo to Pakistan’s Bhutto after Kashmir remark in UN

Next Post

CISA researchers: Russia’s Fancy Bear infiltrated US satellite network

Next Post

CISA researchers: Russia's Fancy Bear infiltrated US satellite network

Recommended

Andy Greenberg on how ‘Tracers in the Dark’ found the dark web’s worst criminals

3 months ago

Virus Lockdowns Hit Guangzhou, China’s Economic Powerhouse – The Diplomat

3 months ago

© 2022 Law Enforcement News Hubb All rights reserved.

Use of these names, logos, and brands does not imply endorsement unless specified. By using this site, you agree to the Privacy Policy and Terms & Conditions.

Navigate Site

  • Home
  • News
  • Cyber News
  • Contact

Newsletter Sign Up.

No Result
View All Result
  • Home
  • News
  • Cyber News
  • Contact

© 2022 Law Enforcement News Hubb All rights reserved.