ANEL and NOOPDOOR backdoors armed in MirrorFace’s new campaign against Japan

By Admin, December 5, 2024


December 5, 2024Ravi LakshmananCyber ​​espionage / malware


The China-linked threat actor known as MirrorFace has been attributed to a new phishing campaign, active since June 2024, that mainly targets individuals and organizations in Japan.

The purpose of the campaign is to deliver backdoors known as NOOPDOOR (aka HiddenFace) and ANEL (aka UPPERCUT), according to Trend Micro's technical analysis.

“An interesting aspect of this campaign is the return of a backdoor called ANEL, which was used in campaigns targeting Japan by APT10 until around 2018 and has not been observed since then,” said security researcher Hara Hiroaki.

It should be noted that MirrorFace's use of ANEL was also documented by ESET last month, in a cyber attack targeting a diplomatic organization in the European Union that used lures related to the World Expo.


MirrorFace, also known as Earth Kasha, is the name given to a Chinese threat actor known for persistent attacks against Japanese organizations. It is assessed to be a subcluster within APT10.

The latest campaign is a departure from the hacking group's intrusions seen in 2023, which primarily sought to exploit security flaws in edge devices from Array Networks and Fortinet for initial access.

According to Trend Micro, the shift to phishing emails is deliberate and is motivated by the fact that the attacks are designed to target individuals rather than businesses.

“Furthermore, an analysis of victim profiles and names of the distributed lures shows that the adversaries are particularly interested in topics related to Japan’s national security and international relations,” Hiroaki noted.


The emails, sent from free email accounts or from compromised accounts, contain a link to Microsoft OneDrive. They seek to lure recipients into downloading a booby-trapped ZIP archive, using topics related to interview requests and Japan's economic security in light of current US-China relations.

Trend Micro said the contents of the ZIP archive varied by target, adding that it had identified three different infection vectors used to deliver a malicious dropper called ROAMINGMOUSE:

  • A macro-enabled Word document
  • A Windows shortcut (LNK) file that runs a self-extracting archive (SFX), which then loads a macro-enabled document template
  • A Windows shortcut (LNK) file that launches PowerShell to extract an embedded cabinet (CAB) archive, which then loads a macro-enabled document template

The macro-enabled document, ROAMINGMOUSE, acts as a dropper for ANEL-related components and ultimately launches the backdoor, while incorporating evasion techniques that hide it from security software and hamper detection.


One of the modules deployed via the dropper is ANELLDR, a loader designed to run ANEL in memory. It is launched via the well-known DLL sideloading technique, after which it decrypts and executes the final-stage backdoor.

ANEL, a 32-bit HTTP-based implant, was actively developed between 2017 and 2018 as a way to take screenshots, upload and download files, load executables, and run commands via cmd.exe. The 2024 campaign uses an updated version that introduces a new command to run a specified program with elevated privileges.

In addition, attack chains use the backdoor to gather information from infected environments and selectively deploy NOOPDOOR against targets of particular interest.
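The delivery chain above (a macro-enabled document dropping components, a shortcut that launches PowerShell to unpack a cabinet archive, and a loader started via DLL sideloading) leaves a recognisable footprint in endpoint telemetry. The following is an added detection example, not code from the article or from Trend Micro: it runs three heuristics over constructed Sysmon-style process-creation and image-load records. Every file name, path and command line in the sample events is a placeholder invented for the example, not an indicator from the campaign, and the rule thresholds are assumptions a defender would tune to their own environment.

```python
"""Heuristic detection for the delivery chain described above, run over
constructed Sysmon-like events. Added example: the events, file names and
paths are placeholders, not indicators taken from the campaign."""
from dataclasses import dataclass
from typing import Dict, List

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Directories an unprivileged user can write to; a signed EXE running from
# here next to an unsigned DLL is the classic sideloading layout.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\")
# Command-line fragments that indicate cabinet-archive extraction.
CAB_MARKERS = (".cab", "expand.exe", "expand ", "extrac32")


@dataclass(frozen=True)
class Alert:
    rule: str
    detail: str


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def _dirname(path: str) -> str:
    p = _norm(path)
    return p.rsplit("\\", 1)[0] + "\\" if "\\" in p else ""


def detect(events: List[Dict]) -> List[Alert]:
    """Return one Alert per matched heuristic; events are Sysmon-style dicts."""
    alerts: List[Alert] = []
    for ev in events:
        if ev["event_id"] == 1:  # process creation
            parent, image = _basename(ev["parent_image"]), _basename(ev["image"])
            cmd = ev.get("command_line", "").lower()
            # Rule 1: a macro-enabled document acting as a dropper shows up as
            # an Office application spawning a child process.
            if parent in OFFICE_APPS:
                alerts.append(Alert("office_child_process", f"{parent} -> {image}"))
            # Rule 2: a shortcut opened from Explorer starting PowerShell that
            # unpacks a cabinet archive (the third delivery vector above).
            if (image == "powershell.exe" and parent == "explorer.exe"
                    and any(m in cmd for m in CAB_MARKERS)):
                alerts.append(Alert("lnk_powershell_cab_extract", cmd))
            # Rule 2b: PowerShell handing off to the built-in cabinet extractor.
            if parent == "powershell.exe" and image == "expand.exe":
                alerts.append(Alert("powershell_spawns_expand", cmd))
        elif ev["event_id"] == 7:  # image (DLL) load
            exe_dir, dll_dir = _dirname(ev["image"]), _dirname(ev["image_loaded"])
            # Rule 3: DLL sideloading - a signed host EXE loading an unsigned
            # DLL from its own user-writable directory (a loader like ANELLDR).
            if (exe_dir == dll_dir and exe_dir.startswith(USER_WRITABLE_PREFIXES)
                    and ev.get("signed") and not ev.get("dll_signed")):
                alerts.append(Alert("dll_sideload_user_dir",
                                    f"{_basename(ev['image'])} loaded "
                                    f"{_basename(ev['image_loaded'])} from {exe_dir}"))
    return alerts


# Constructed sample telemetry (placeholders, not campaign indicators).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    {"event_id": 1, "parent_image": r"C:\Windows\explorer.exe", "image": WORD,
     "command_line": "winword.exe interview_request.docm"},
    {"event_id": 1, "parent_image": WORD, "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": "rundll32.exe C:\\Users\\alice\\AppData\\Roaming\\stage.dll,Run"},
    {"event_id": 1, "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": "powershell -w hidden expand C:\\Users\\alice\\Downloads\\payload.cab -F:* C:\\Users\\alice\\AppData\\Local\\Temp"},
    {"event_id": 1, "parent_image": PS, "image": r"C:\Windows\System32\expand.exe",
     "command_line": "expand payload.cab -F:* C:\\Users\\alice\\AppData\\Local\\Temp"},
    {"event_id": 7, "image": r"C:\Users\alice\AppData\Local\Temp\host.exe",
     "image_loaded": r"C:\Users\alice\AppData\Local\Temp\helper.dll",
     "signed": True, "dll_signed": False},
    # Benign: a signed application loading its own signed DLL from Program Files.
    {"event_id": 7, "image": r"C:\Program Files\Vendor\app.exe",
     "image_loaded": r"C:\Program Files\Vendor\app.dll", "signed": True, "dll_signed": True},
    # Benign: ordinary PowerShell from Explorer with no cabinet handling.
    {"event_id": 1, "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": "powershell Get-Date"},
]


def rule_counts(events: List[Dict] = None) -> Dict[str, int]:
    """Number of alerts per rule; uses the constructed sample when no events given."""
    counts: Dict[str, int] = {}
    for a in detect(SAMPLE_EVENTS if events is None else events):
        counts[a.rule] = counts.get(a.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.detail}")
```

Run against the constructed sample, the script raises one alert per rule and stays silent on the two benign records. Rule 1 is noisy in environments where Office legitimately spawns helpers, so in practice it is usually paired with the document's origin (mark-of-the-web) or restricted to parents launched from a Downloads or Temp path; Rule 3 depends on the image-load event carrying signature information, which Sysmon provides only when image-load logging is enabled for the host process.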

“Many of the targets are individuals, such as researchers, who may have different security measures compared to corporate organizations, making these attacks more difficult to detect,” Hiroaki said. “It is important to take basic countermeasures, such as avoiding opening files attached to suspicious emails.”

© 2025 indoguardonline.com