Chinese MirrorFace APT Group Targets Japanese Political Group

A Chinese-speaking APT group tracked as MirrorFace is behind a spear-phishing campaign targeting Japanese political groups.

ESET researchers recently discovered a spear-phishing campaign targeting a Japanese political group and attributed it to a Chinese-speaking APT group tracked as MirrorFace.

ESET tracks the campaign as Operation LiberalFace. It targeted Japanese political groups and, more specifically, members of a particular political party.

The campaign started in June 2022 and used spear-phishing messages to deliver the LODEINFO backdoor. LODEINFO is an implant used to deploy additional payloads and to steal credentials and sensitive data from victims.

The researchers also detailed the use of a previously unreported credential-stealing program that ESET named MirrorStealer.

“There is some speculation that this threat actor may be related to APT10 (Macnica, Kaspersky), but ESET cannot attribute it to any known APT group. We track it as a separate entity,” reads the analysis published by ESET. “In particular, MirrorFace and LODEINFO are unique malware used only against Japanese targets, reportedly targeting media, defense companies, think tanks, diplomatic agencies, and academic institutions. The goal is spying and stealing files of interest.”

One of the spear-phishing messages the researchers analyzed pretended to be official correspondence from the public relations department of a particular Japanese political party. The email contained a request related to the House of Councilors election and included an attachment that deployed the LODEINFO malware when executed.

A spear-phishing email, sent on June 29, 2022, claimed to come from a political party’s public relations department. The content of the email encouraged recipients to share the attached video on their social media profiles.

Figure 1. MirrorFace: original text of the email

The attachment is a self-extracting WinRAR archive that, when opened, initiates a LODEINFO infection.

ESET researchers also reported MirrorFace’s use of the credential stealer MirrorStealer (31558_n.dll). MirrorStealer steals credentials from multiple applications, including web browsers and email clients. The experts noted that one of the targeted applications was Becky!, an email client used almost exclusively by Japanese users. The malware stores the stolen credentials in %TEMP%\31558.txt, but the researchers observed that MirrorStealer has no exfiltration capability of its own, so the collected data must be retrieved by another component.

“MirrorFace continues to target high-value targets in Japan. Operation LiberalFace took advantage of the upcoming House of Councilors election to specifically target political groups, indicating that MirrorFace has a particular focus on members of a particular political party,” concludes the report. “During our investigation of Operation LiberalFace, we were able to uncover additional MirrorFace TTPs, including the deployment and utilization of additional malware and tools to collect and steal valuable data from victims. It became clear that the operators of MirrorFace were somewhat careless, leaving traces and making various mistakes.”

Pierluigi Paganini
