Chinese-speaking MirrorFace targeted a Japanese political party with espionage and credential-stealing malware ahead of elections, ESET Research uncovers
Created: 2022-12-14 07:26:14
- At the end of June 2022, MirrorFace launched Operation LiberalFace, which targeted Japanese political entities.
- Spearphishing email messages containing the group's flagship backdoor LODEINFO were sent to the targets.
- LODEINFO was used to deliver additional malware, exfiltrate the victims’ credentials, and steal the victims’ documents and emails.
- A previously undescribed credential stealer we have named MirrorStealer was used in Operation LiberalFace.
- MirrorFace is a Chinese-speaking APT group targeting companies and organizations based in Japan.
BRATISLAVA, BRNO — December 14, 2022 — ESET researchers discovered a spearphishing campaign, launched in the weeks leading up to the Japanese House of Councillors elections in July 2022, by the APT group that ESET Research tracks as MirrorFace. The investigation into the campaign, which ESET Research has named Operation LiberalFace and which targeted Japanese political entities, revealed that the members of a specific Japanese political party were of particular focus in this campaign. The spearphishing email messages contained the group's flagship backdoor LODEINFO, which was used to deliver additional malware, exfiltrate the victims’ credentials, and steal the victims’ documents and emails. MirrorFace is a Chinese-speaking threat actor with targets based in Japan.
Purporting to be a Japanese political party’s PR department, MirrorFace asked the email recipients to distribute the attached videos on their own social media profiles to further strengthen the party’s PR and to secure victory in the House of Councillors. Furthermore, the email provides clear instructions on the videos’ publication strategy. The email was purportedly sent on behalf of a prominent politician. All spearphishing messages contained a malicious attachment that upon execution deployed LODEINFO on the compromised machine. MirrorFace started the attack on June 29, 2022, ahead of the Japanese elections in July.
LODEINFO is a MirrorFace backdoor that is under continual development. Its functionality includes capturing screenshots, keylogging, killing processes, exfiltrating files, executing additional files, and encrypting defined files and folders. The attack used a previously undocumented credential stealer that ESET Research has named MirrorStealer. It is able to steal credentials from various applications, such as browsers and email clients.
“During the Operation LiberalFace investigation, we managed to uncover further MirrorFace tactics, techniques, and procedures, such as the deployment and utilization of additional malware and tools to collect and exfiltrate valuable data from victims. Moreover, our investigation revealed that the MirrorFace operators are somewhat careless, leaving traces and making various mistakes,” says ESET researcher Dominik Breitenbacher, who discovered the campaign.
MirrorFace is a Chinese-speaking threat actor targeting companies and organizations based in Japan. While there is some speculation that this threat actor might be related to APT10, ESET is unable to link it with any known APT group. Therefore, ESET is tracking it as a separate entity named MirrorFace. In particular, MirrorFace and LODEINFO, its proprietary malware used exclusively against targets in Japan, have been reported as targeting media, defense-related companies, think tanks, diplomatic organizations, and academic institutions. The goal of MirrorFace is espionage and exfiltration of files of interest.
For more technical information about Operation LiberalFace by the MirrorFace APT group, check out the blog post “Unmasking MirrorFace: Operation LiberalFace targeting Japanese political entities” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.
About ESET
ESET develops software solutions that deliver instant, comprehensive protection against evolving computer security threats. ESET pioneered and continues to lead the industry in proactive threat detection. ESET NOD32 Antivirus, its flagship product, consistently achieves the highest accolades in all types of comparative testing and is the foundational product that builds out the ESET product line to include ESET Smart Security. ESET Smart Security is an integrated antivirus, antispyware, antispam and personal firewall solution that combines accuracy, speed and an extremely small system footprint to create the most effective security solution in the industry. Both products have an extremely efficient code base that eliminates the unnecessary large size found in some solutions. This means faster scanning that doesn’t slow down computers or networks. Sold in more than 160 countries, ESET has worldwide production headquarters in Bratislava, SK and worldwide distribution headquarters in San Diego, U.S. ESET also has offices in Bristol, U.K.; Buenos Aires, AR; Prague, CZ; and is globally represented by an extensive partner network. For more information, visit our local office at https://eset.version-2.sg.
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities. For more information, please visit https://www.version-2.com.sg/ or call (65) 6296-4268.