MirrorFace group targeted Japanese orgs in a new campaign

December 30, 2022

A recently tracked spear-phishing campaign, dubbed Operation LiberalFace, is believed to be aimed at political organisations in Japan. Analysts attributed this new malicious campaign to a Chinese threat actor known as ‘MirrorFace.’

According to reports, the new phishing campaign of the MirrorFace group started weeks before the Japanese House of Councilors election last July.

In the Operation LiberalFace campaign, the threat group impersonated public relations agents in their spear-phishing emails sent to the targeted organisations. Some instances involve the group imitating a Japanese ministry to gain the targets’ trust.

MirrorFace used a data stealer called ‘MirrorStealer’ in the Operation LiberalFace campaign.

As explained, the threat actors attached decoy documents to their malicious emails; once downloaded and opened by the victims, these documents extract WinRAR archives in the background. Among the malicious payloads launched by the group were a previously unknown credential stealer called MirrorStealer and the LODEINFO backdoor.

These payloads communicate with the threat group’s remote C2 infrastructure to receive commands.

Once inside the victim’s computer, the threat group uses the malicious payloads to steal credentials from web browsers and email clients, including one of Japan’s popular email clients, ‘Becky!’. This finding led analysts to believe that the threat group had developed MirrorStealer exclusively for its campaigns targeting Japan.

Then, the group utilises the LODEINFO payload to send all stolen data to the attacker-controlled server.

Threat groups have actively used LODEINFO in several threat campaigns, especially spear-phishing attacks. In previous reports, this malware’s latest variant was used in a separate campaign against the Japanese government, media groups, public sectors, diplomatic agencies, and think tanks.

Researchers were able to trace MirrorFace’s recent activities because the group failed to clean up its tracks, including leaving behind a MirrorStealer text file containing all of a victim’s stolen credentials. As a result, the researchers could study the group’s activities and warn the targeted entities accordingly.
