[Cyware] MirrorFace Attack against Japanese Organisations – JPCERT/CC Eyes

MirrorFace has targeted Japanese media, political organizations, think tanks, universities, manufacturers, and research institutes, shifting from spearphishing to exploiting external asset vulnerabilities. The actor deploys NOOPDOOR/NOOPLDR malware, leverages LODEINFO tooling, and exploits vulnerabilities in Array AG and FortiGate, with extensive defense evasion and credential-access techniques described. #MirrorFace #NOOPDOOR #NOOPLDR #LODEINFO #ArrayAG #FortiGate

Keypoints

  • MirrorFace targets a broad set of Japanese organizations, including media, political groups, think tanks, universities, manufacturers, and research institutions.
  • The actor has moved from initial spearphishing to using external asset vulnerabilities to gain access.
  • NOOPDOOR and its loader NOOPLDR are the primary tools described; NOOPLDR comes in two variants, an XML project file executed through MSBuild (Type1) and a DLL (Type2).
  • NOOPLDR uses a different injection method per variant (XML Type1 and DLL Type2) and keeps its encrypted payload in the registry, decrypting it at run time so the implant persists and re-executes.
  • Defense evasion includes using MSBuild, registry storage, timestomping, firewall rule changes, hiding services, deleting logs, and disabling Defender.
  • Credential access and lateral movement rely on LSASS/NTDS.dit dumps, SMB/WMI-based spread, and scheduled tasks for persistence.
  • Information exfiltration employs WinRAR and SFTP, with command-line reconnaissance and targeted data collection from shared drives and cloud paths.

MITRE Techniques

  • [T1133] External Remote Services – Exploit a VPN product vulnerability to gain access to the network. “We have confirmed that this actor has leveraged the vulnerabilities in Array AG and FortiGate.”
  • [T1053.005] Scheduled Task/Job: Scheduled Task – Execute NOOPLDR by a scheduled task. “Execute NOOPLDR by a scheduled task.”
  • [T1053.005] Scheduled Task/Job: Scheduled Task – Set a scheduled task to execute malware automatically. “Set a scheduled task to execute malware automatically.”
  • [T1543.003] Create or Modify System Process: Windows Service – Register a service and execute malware automatically. “Register a service and execute malware automatically.”
  • [T1134.002] Access Token Manipulation: Create Process with Token – Manipulate access tokens to create a process. “Manipulate access tokens to create a process.”
  • [T1055] Process Injection – Use a legitimate EXE file under C:\Windows\System32, perform NOOPDOOR process injection and execute. “Use a legitimate EXE file under C:\windows\system32, perform NOOPDOOR process injection and execute.”
  • [T1070.001] Clear Windows Event Logs – Delete system logs. “Delete system logs.”
  • [T1070.004] File Deletion – Delete malware and tools. “Delete malware and tools.”
  • [T1562.001] Disable or Modify Tools – Disable Windows Defender. “Disable Windows Defender.”
  • [T1562.004] Disable or Modify System Firewall – Add a rule to allow communication to the ports that NOOPDOOR uses. “Add a new setting to allow communication to specific ports that NOOPDOOR uses.”
  • [T1564] Hide Artifacts – Set access restriction so that the services related to autorun NOOPDOOR are not visible. “Hide registered services.”
  • [T1003] OS Credential Dumping – Dump credentials from lsass and ntds.dit. “Dump credentials from lsass and ntds.dit.”
  • [T1087] Account Discovery – Collect account information. “Collect account information.”
  • [T1083] File and Directory Discovery – Collect file information. “Collect file information.”
  • [T1021.002] SMB/Windows Admin Shares – Spread malware to other systems via SMB. “Spread malware to other systems via SMB.”
  • [T1560.001] Archive Collected Data: Archive via Utility – Compress data with WinRAR. “Compress data with WinRAR.”
  • [T1039] Data from Network Shared Drive – Collect data stored in Network Shared Drive. “Collect data stored in Network Shared Drive.”
  • [T1568.002] Dynamic Resolution: Domain Generation Algorithms – Change destination based on DGA. “Change destination based on DGA.”

Indicators of Compromise

  • [IP Address] Network indicators – 45.66.217.106, 89.233.109.69, and 14 more addresses (IPv4/IPv6)
  • [Hash] NOOPLDR Type1 – 93af6afb47f4c42bc0da3eedc6ecb9054134f4a47ef0add0d285404984011072, bcd34d436cbac235b56ee5b7273baed62bf385ee13721c7fdcfc00af9ed63997, and 5 more hashes
  • [Hash] NOOPLDR Type2 – 7a7e7e0d817042e54129697947dfb423b607692f4457163b5c62ffea69a8108d, 5e7cd0461817b390cf05a7c874e017e9f44eef41e053da99b479a4dfa3a04512, and 1 more hash
  • [File] File path – c:\Windows\System32\UIAnimation.xml
  • [Port] Network ports used – 443/TCP (C2 destination port) and 47000/TCP (used by NOOPDOOR to receive commands; the firewall rule noted under T1562.004 permits this traffic)
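The technique list and the indicators above are the raw material for a hunt. The following example, added by the editor and not part of the JPCERT/CC post or of Cyware's summary, turns them into detection logic that runs offline over process-creation records (a minimal Sysmon Event ID 1 shape: host, image, command line, optional SHA-256). It flags MSBuild executing a bare XML file (NOOPLDR Type1), a scheduled task pointing at MSBuild, an inbound firewall rule for 47000/TCP, Deny ACEs set with sc sdset (the hidden-service trick), event-log clearing, Defender being disabled, LSASS/ntds.dit dumping, WinRAR archiving, and matches against the UIAnimation.xml path and the four NOOPLDR hashes quoted above. The hostnames, service name, rule name and every command line in SAMPLE_EVENTS are constructed for illustration; the exact SDDL string and the dump/compress commands are assumptions about how the technique looks in a log, not indicators from the page.

```python
"""Editor-added detection logic for the MirrorFace/NOOPDOOR TTPs summarised above.
Not from the JPCERT/CC post. Runs over constructed process-creation events."""
import re
import shlex
from dataclasses import dataclass

# IoCs copied from the summary (the summary elides the rest of the hash list).
NOOPLDR_HASHES = {
    "93af6afb47f4c42bc0da3eedc6ecb9054134f4a47ef0add0d285404984011072",
    "bcd34d436cbac235b56ee5b7273baed62bf385ee13721c7fdcfc00af9ed63997",
    "7a7e7e0d817042e54129697947dfb423b607692f4457163b5c62ffea69a8108d",
    "5e7cd0461817b390cf05a7c874e017e9f44eef41e053da99b479a4dfa3a04512",
}
NOOPLDR_XML_PATH = "c:\\windows\\system32\\uianimation.xml"
NOOPDOOR_LISTEN_PORT = 47000


@dataclass
class Event:            # minimal Sysmon EID 1 shape
    host: str
    image: str
    cmdline: str
    sha256: str = ""


@dataclass
class Finding:
    host: str
    technique: str
    rule: str
    detail: str = ""


# Command-line rules: (ATT&CK technique, rule name, regex). Assumed command shapes.
RULES = [
    ("T1053.005", "schtasks creates a task that runs MSBuild",
     re.compile(r"schtasks(\.exe)?\s+/create\b.*msbuild", re.I)),
    ("T1562.004", "netsh adds inbound allow rule for the NOOPDOOR port",
     re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b"
                r"(?=.*\bdir=in\b)(?=.*\blocalport=%d\b)" % NOOPDOOR_LISTEN_PORT, re.I)),
    ("T1070.001", "wevtutil clears an event log",
     re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("T1562.001", "Set-MpPreference disables a Defender feature",
     re.compile(r"Set-MpPreference\b.*-Disable\w+\s+(\$true|1)\b", re.I)),
    ("T1003", "LSASS minidump via comsvcs.dll or procdump",
     re.compile(r"(comsvcs(\.dll)?[ ,]+(#?24|MiniDump)\b|procdump.*lsass)", re.I)),
    ("T1003", "ntdsutil IFM export of ntds.dit",
     re.compile(r"ntdsutil(\.exe)?\b.*\bifm\b", re.I)),
    ("T1560.001", "WinRAR archives collected data",
     re.compile(r"\b(win)?rar(\.exe)?\"?\s+a\s", re.I)),
]

ACE_RE = re.compile(r"\(([^)]*)\)")
SDSET_RE = re.compile(r"\bsc(\.exe)?\s+sdset\s+(\S+)\s+(\S+)", re.I)


def deny_aces(sddl):
    """Return (rights, sid) for each Deny ACE in the DACL of an SDDL string.
    ACE fields: type;flags;rights;object_guid;inherit_guid;sid."""
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else ""
    dacl = dacl.split("S:", 1)[0]            # stop before the SACL, if any
    return [(p[2], p[5]) for p in (a.split(";") for a in ACE_RE.findall(dacl))
            if len(p) >= 6 and p[0] == "D"]


def msbuild_finding(ev):
    """NOOPLDR Type1 is an XML project run by MSBuild: flag MSBuild whose project
    argument is a bare .xml or lives under the Windows directory."""
    if not ev.image.lower().endswith("msbuild.exe"):
        return None
    for tok in shlex.split(ev.cmdline, posix=False)[1:]:
        tok = tok.strip('"')
        if tok[:1] in ("/", "-"):
            continue                          # MSBuild switch, not the project
        if tok.lower().endswith(".xml") or tok.lower().startswith("c:\\windows\\"):
            return Finding(ev.host, "T1127.001", "MSBuild executes a non-project XML file", tok)
    return None


def hidden_service_finding(ev):
    """sc sdset with Deny ACEs restricts who can see the service (hidden service)."""
    m = SDSET_RE.search(ev.cmdline)
    denies = deny_aces(m.group(3)) if m else []
    if not denies:
        return None
    detail = "%s denies %s" % (m.group(2), ", ".join("%s to %s" % d for d in denies))
    return Finding(ev.host, "T1564", "sc sdset adds Deny ACEs to a service", detail)


def ioc_findings(ev):
    out = []
    if NOOPLDR_XML_PATH in ev.cmdline.lower():
        out.append(Finding(ev.host, "IoC", "known NOOPLDR Type1 path referenced", NOOPLDR_XML_PATH))
    if ev.sha256.lower() in NOOPLDR_HASHES:
        out.append(Finding(ev.host, "IoC", "known NOOPLDR hash", ev.sha256))
    return out


def scan_events(events):
    findings = []
    for ev in events:
        findings += [Finding(ev.host, t, n) for t, n, rx in RULES if rx.search(ev.cmdline)]
        findings += [f for f in (msbuild_finding(ev), hidden_service_finding(ev)) if f]
        findings += ioc_findings(ev)
    return findings


# Constructed sample telemetry; dev02 is a benign Visual Studio build for contrast.
SAMPLE_EVENTS = [
    Event("ws01", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
          r"MSBuild.exe C:\Windows\System32\UIAnimation.xml"),
    Event("dev02", r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
          r'MSBuild.exe "C:\Users\dev\src\App\App.csproj" /t:Build'),
    Event("ws01", r"C:\Windows\System32\schtasks.exe",
          r'schtasks /create /tn "UIAnimation" /tr "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\System32\UIAnimation.xml" /sc onlogon /ru SYSTEM'),
    Event("ws01", r"C:\Windows\System32\netsh.exe",
          'netsh advfirewall firewall add rule name="Core Networking Helper" dir=in action=allow protocol=TCP localport=47000'),
    Event("ws01", r"C:\Windows\System32\sc.exe",
          "sc.exe sdset UIAnimSvc D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"),
    Event("dc01", r"C:\Windows\System32\ntdsutil.exe", r'ntdsutil "ac i ntds" ifm "create full C:\Windows\Temp\x" q q'),
    Event("dc01", r"C:\Windows\System32\rundll32.exe",
          r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 652 C:\Windows\Temp\l.dmp full"),
    Event("ws01", r"C:\Windows\System32\wevtutil.exe", "wevtutil cl Security"),
    Event("ws01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell -c Set-MpPreference -DisableRealtimeMonitoring $true"),
    Event("fs01", r"C:\Program Files\WinRAR\Rar.exe",
          r'"C:\Program Files\WinRAR\Rar.exe" a -r -hpPASS C:\Users\Public\d.rar \\fs01\share\docs'),
    Event("ws01", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs",
          sha256="93af6afb47f4c42bc0da3eedc6ecb9054134f4a47ef0add0d285404984011072"),
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print("%-5s %-10s %s %s" % (f.host, f.technique, f.rule, f.detail))
```

The MSBuild rule deliberately keys on the project argument rather than on MSBuild itself, so a developer workstation building a .csproj does not fire; the hidden-service rule reports every Deny ACE rather than one fixed SDDL string, since any deny on a service security descriptor is unusual enough to review. Real telemetry should be fed in as Event objects with the image path and full command line; the hash check is only as good as the (partial) hash list quoted on the page.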

Read more: https://blogs.jpcert.or.jp/en/2024/07/mirrorface-attack-against-japanese-organisations.html