
Chinese MirrorFace APT group targets Japanese political entities

A Chinese-speaking APT group, tracked as MirrorFace, is behind a spear-phishing campaign targeting Japanese political entities.

ESET researchers recently discovered a spear-phishing campaign targeting Japanese political entities and attributed it to the Chinese-speaking APT group tracked as MirrorFace.

The experts track the campaign as Operation LiberalFace; it targeted Japanese political entities, in particular members of a specific political party.

The campaign was launched in June 2022. The spear-phishing messages were used to deliver the LODEINFO backdoor, an implant that fetches additional payloads and exfiltrates credentials and other sensitive data from the victims.

The researchers also detailed a previously undescribed credential stealer, which ESET named MirrorStealer.

“While there is some speculation that this threat actor might be related to APT10 (Macnica, Kaspersky), ESET is unable to attribute it to any known APT group. Therefore, we are tracking it as a separate entity that we’ve named MirrorFace.” reads the analysis published by ESET. “In particular, MirrorFace and LODEINFO, its proprietary malware used exclusively against targets in Japan, have been reported as targeting media, defense-related companies, think tanks, diplomatic organizations, and academic institutions. The goal of MirrorFace is espionage and exfiltration of files of interest.”

One of the spear-phishing messages analyzed by the researchers, sent on June 29, 2022, posed as an official communication from the PR department of a specific Japanese political party. Citing the then-upcoming House of Councillors election, the email urged the recipients to share the attached videos on their own social media profiles.

The attachment was a self-extracting WinRAR archive; opening it starts the LODEINFO infection chain.
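A self-extracting WinRAR archive is a Windows executable (the SFX stub) with a RAR archive appended, so a mail gateway can triage such attachments without unpacking them by checking for a PE header followed by a RAR marker block. The following is an added example written for this article, not code from ESET or from the original post: the RAR4/RAR5 marker bytes are the documented ones, while the minimal PE stub and the sample attachments are constructed inline. A hit only means "executable carrying a RAR archive", which is a strong signal for an email attachment but not proof of malice on its own.

```python
# Added example (not from ESET or the original article): flag Windows
# executables that carry an embedded RAR archive, i.e. WinRAR self-extracting
# (SFX) archives, the attachment type used in Operation LiberalFace.
import struct

MZ_MAGIC = b"MZ"
PE_MAGIC = b"PE\x00\x00"
RAR4_MAGIC = b"Rar!\x1a\x07\x00"        # RAR 1.5 - 4.x marker block
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"    # RAR 5.x marker block


def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Slicing past the end yields a short string, so a bogus offset fails safely.
    return data[e_lfanew:e_lfanew + 4] == PE_MAGIC


def find_rar_payload(data: bytes):
    """Return (offset, rar_version) of the first RAR marker block, or None."""
    for magic, version in ((RAR5_MAGIC, 5), (RAR4_MAGIC, 4)):
        off = data.find(magic)
        if off != -1:
            return off, version
    return None


def classify_attachment(data: bytes) -> str:
    """Coarse triage label for an attachment body.

    'rar-sfx-vN'  PE stub with a RAR archive appended (self-extracting archive)
    'pe'          plain executable
    'rar-archive' bare RAR archive (marker at offset 0)
    'other'       anything else
    """
    rar = find_rar_payload(data)
    if is_pe(data):
        return "pe" if rar is None else "rar-sfx-v%d" % rar[1]
    if rar is not None and rar[0] == 0:
        return "rar-archive"
    return "other"


def build_sample_sfx(rar_magic: bytes) -> bytes:
    """Constructed sample (not a real file): a minimal MZ/PE stub with a RAR
    marker appended, which is how an SFX archive is laid out."""
    stub = bytearray(0x80)
    stub[:2] = MZ_MAGIC
    struct.pack_into("<I", stub, 0x3C, 0x40)   # e_lfanew -> PE header at 0x40
    stub[0x40:0x44] = PE_MAGIC
    return bytes(stub) + rar_magic + b"\x00" * 16


if __name__ == "__main__":
    for label, blob in (("sfx5", build_sample_sfx(RAR5_MAGIC)),
                        ("sfx4", build_sample_sfx(RAR4_MAGIC)),
                        ("exe", build_sample_sfx(b"")),
                        ("rar", RAR5_MAGIC + b"\x00" * 8),
                        ("txt", b"hello")):
        print(label, "->", classify_attachment(blob))
```

In a gateway you would run `classify_attachment` on every executable-looking attachment (including those hidden inside ZIPs) and quarantine or flag `rar-sfx-*` results for review; the same idea extends to 7-Zip or other SFX stubs by adding their archive signatures.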

ESET researchers also reported MirrorFace’s use of the credential stealer MirrorStealer (31558_n.dll). MirrorStealer steals credentials from multiple applications, including web browsers and email clients; one of the targeted applications is Becky!, an email client used mainly in Japan. The malware stores the stolen credentials in %TEMP%\31558.txt, but it has no exfiltration capability of its own, so the operators rely on other malware on the host to retrieve the file.
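Because MirrorStealer writes its output to a fixed file and leaves the exfiltration to another implant, the useful detection is not the file name alone but the handoff: one process loads 31558_n.dll and creates 31558.txt, then a different process reads that file and goes out to the network. The code below is an added example written for this article, not ESET’s or the original post’s code. It runs that correlation over constructed EDR-style events; the event schema (fields ts, pid, image, type, path, dst), the process names and the destination address are assumptions chosen for the sample.

```python
# Added example, not code from ESET or the original article. Correlates
# constructed EDR-style events (schema assumed) to surface the MirrorStealer
# pattern: a process loads 31558_n.dll and writes %TEMP%\31558.txt, and a
# different process later reads that file and makes an outbound connection.
from collections import defaultdict

STEALER_DLL = "31558_n.dll"
STEALER_OUTPUT = "31558.txt"


def basename(path: str) -> str:
    """Last component of a Windows path, case-folded."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt_mirrorstealer(events):
    """Return one finding per process matching the stealer pattern.

    events: dicts with keys ts, pid, image, type and, per type, path or dst.
    Types used: image_load, file_create, file_read, network_connect.
    """
    events = sorted(events, key=lambda e: e["ts"])
    loaders = {}                  # pid -> ts the stealer DLL was first loaded
    outputs = {}                  # pid -> path of the credential file it wrote
    readers = defaultdict(list)   # credential file path -> [(ts, pid, image)]
    connects = defaultdict(list)  # pid -> [(ts, dst)]

    for e in events:
        t = e["type"]
        if t == "image_load" and basename(e["path"]) == STEALER_DLL:
            loaders.setdefault(e["pid"], e["ts"])
        elif t == "file_create" and basename(e["path"]) == STEALER_OUTPUT:
            outputs[e["pid"]] = e["path"].lower()
        elif t == "file_read" and basename(e["path"]) == STEALER_OUTPUT:
            readers[e["path"].lower()].append((e["ts"], e["pid"], e["image"]))
        elif t == "network_connect":
            connects[e["pid"]].append((e["ts"], e["dst"]))

    findings = []
    for pid, path in outputs.items():
        if pid not in loaders:
            continue  # a 31558.txt written by a process that never loaded the DLL
        # Other processes that opened the credential file after it was written,
        # with any outbound connections they made from that point on.
        handoff = []
        for ts, rpid, image in readers[path]:
            if rpid == pid:
                continue
            later = [dst for (cts, dst) in connects[rpid] if cts >= ts]
            handoff.append({"pid": rpid, "image": image, "destinations": later})
        findings.append({"stealer_pid": pid,
                         "credential_file": path,
                         "exfil_candidates": handoff})
    return findings


# Constructed sample telemetry (not real data): a stealer run, a second process
# collecting the output, and an unrelated notepad.exe write that must not match.
SAMPLE_EVENTS = [
    {"ts": 1, "pid": 4100, "image": "rundll32.exe", "type": "image_load",
     "path": r"C:\Users\user\AppData\Local\Temp\31558_n.dll"},
    {"ts": 2, "pid": 4100, "image": "rundll32.exe", "type": "file_create",
     "path": r"C:\Users\user\AppData\Local\Temp\31558.txt"},
    {"ts": 5, "pid": 5200, "image": "explorer.exe", "type": "file_read",
     "path": r"C:\Users\user\AppData\Local\Temp\31558.txt"},
    {"ts": 6, "pid": 5200, "image": "explorer.exe", "type": "network_connect",
     "dst": "192.0.2.10:443"},
    {"ts": 7, "pid": 6000, "image": "notepad.exe", "type": "file_create",
     "path": r"C:\Users\user\Documents\31558.txt"},
]

if __name__ == "__main__":
    for finding in hunt_mirrorstealer(SAMPLE_EVENTS):
        print(finding)
```

The reader process and its destinations are the lead worth chasing: in this campaign that is where the actual exfiltration implant sits, and it is the piece that a hunt keyed only on the stealer’s file name would miss.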

“MirrorFace continues to aim for high-value targets in Japan. In Operation LiberalFace, it specifically targeted political entities using the then-upcoming House of Councillors election to its advantage. More interestingly, our findings indicate MirrorFace particularly focused on the members of a specific political party.” concludes the report. “During the Operation LiberalFace investigation, we managed to uncover further MirrorFace TTPs, such as the deployment and utilization of additional malware and tools to collect and exfiltrate valuable data from victims. Moreover, our investigation revealed that the MirrorFace operators are somewhat careless, leaving traces and making various mistakes.”


Pierluigi Paganini

(SecurityAffairs – hacking, MirrorFace)

