Unmasking MirrorFace: Operation LiberalFace targeting Japanese political entities

ESET researchers exposed Operation LiberalFace, a MirrorFace spearphishing campaign aimed at Japanese political entities around the 2022 House of Councillors election. The operation leveraged the LODEINFO backdoor, introduced a new credential stealer MirrorStealer, and involved manual/semi-manual post‑compromise actions to exfiltrate data. #MirrorFace #LODEINFO #MirrorStealer #OperationLiberalFace #HouseOfCouncillors #Ichitaro

Keypoints

  • MirrorFace launched Operation LiberalFace in late June 2022 targeting Japanese political entities, with a focus on members of a specific party.
  • Spearphishing emails delivered the group’s flagship backdoor LODEINFO via self-extracting WinRAR attachments.
  • LODEINFO was used to deliver additional malware, exfiltrate credentials, and steal documents and emails from victims.
  • A previously undocumented credential stealer, MirrorStealer, was deployed during the operation.
  • Post‑compromise activity appears to be manual or semi‑manual, including C2 commands and data exfiltration steps.
  • Details of the campaign were shared at AVAR 2022; the analysis indicates that MirrorFace focuses on targets in Japan and may be connected to broader Japanese‑facing espionage activity.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – A malicious WinRAR SFX archive is attached to a spearphishing email. “Spearphishing email messages containing the group’s flagship backdoor LODEINFO were sent to the targets.”
  • [T1106] Native API – LODEINFO can execute files using the CreateProcessA API. “LODEINFO can execute files using the CreateProcessA API.”
  • [T1204.002] User Execution: Malicious File – The victim opens a malicious attachment sent via email. “victim opening a malicious attachment sent via email.”
  • [T1559.001] Inter-Process Communication: Component Object Model – LODEINFO can execute commands via Component Object Model. “LODEINFO can execute commands via Component Object Model.”
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – LODEINFO adds an entry to the HKCU Run key to ensure persistence. “LODEINFO adds an entry to the HKCU Run key to ensure persistence.”
  • [T1112] Modify Registry – LODEINFO can store its configuration in the registry. “LODEINFO can store its configuration in the registry.”
  • [T1055] Process Injection – LODEINFO can inject shellcode into cmd.exe. “LODEINFO can inject shellcode into cmd.exe.”
  • [T1140] Deobfuscate/Decode Files or Information – LODEINFO loader decrypts a payload using a single-byte XOR or RC4. “LODEINFO loader decrypts a payload using a single-byte XOR or RC4.”
  • [T1574.002] Hijack Execution Flow: DLL Side-Loading – MirrorFace side-loads LODEINFO by dropping a malicious library and a legitimate executable (e.g., K7SysMon.exe). “MirrorFace side-loads LODEINFO by dropping a malicious library and a legitimate executable (e.g., K7SysMon.exe).”
  • [T1082] System Information Discovery – LODEINFO fingerprints the compromised machine. “LODEINFO fingerprints the compromised machine.”
  • [T1083] File and Directory Discovery – LODEINFO can obtain file and directory listings. “LODEINFO can obtain file and directory listings.”
  • [T1057] Process Discovery – LODEINFO can list running processes. “LODEINFO can list running processes.”
  • [T1033] System Owner/User Discovery – LODEINFO can obtain the victim’s username. “LODEINFO can obtain the victim’s username.”
  • [T1614.001] System Language Discovery – LODEINFO checks the system language to verify that it is not running on a machine set to use the English language. “LODEINFO checks the system language to verify that it is not running on a machine set to use the English language.”
  • [T1560.001] Archive Collected Data: Archive via Utility – Operators archive collected data using the RAR archiver. “archiving collected data using the RAR archiver.”
  • [T1114.001] Email Collection: Local Email Collection – Operators collect stored email messages. “collecting stored email messages.”
  • [T1056.001] Input Capture: Keylogging – LODEINFO performs keylogging. “LODEINFO performs keylogging.”
  • [T1113] Screen Capture – LODEINFO can obtain a screenshot. “LODEINFO can obtain a screenshot.”
  • [T1005] Data from Local System – Operators collect and exfiltrate data of interest. “collecting and exfiltrating data of interest.”
  • [T1071.001] Application Layer Protocol: Web Protocols – LODEINFO uses the HTTP protocol to communicate with its C2 server. “LODEINFO uses the HTTP protocol to communicate with its C2 server.”
  • [T1132.001] Data Encoding: Standard Encoding – LODEINFO uses URL-safe base64 to encode its C2 traffic. “URL-safe base64 to encode its C2 traffic.”
  • [T1573.001] Encrypted Channel: Symmetric Cryptography – LODEINFO uses AES-256-CBC to encrypt C2 traffic. “LODEINFO uses AES-256-CBC to encrypt C2 traffic.”
  • [T1001.001] Data Obfuscation: Junk Data – Second-stage LODEINFO C2 prepends junk to sent data. “prepends junk to sent data.”
  • [T1041] Exfiltration Over C2 Channel – LODEINFO can exfiltrate files to the C2 server. “exfiltrate files to the C2 server.”
  • [T1071.002] Application Layer Protocol: File Transfer Protocols – MirrorFace used SCP (pscp.exe) to exfiltrate data. “Secure Copy Protocol (SCP) to exfiltrate collected data.”
  • [T1486] Data Encrypted for Impact – LODEINFO can encrypt files on the victim’s machine. “Data Encrypted for Impact.”

Indicators of Compromise

  • [File] K7SysMn1.dll – LODEINFO loader. F4691FF3B3ACD15653684F372285CAC36C8D0AEF.
  • [File] K7SysMon.Exe.db – Encrypted LODEINFO. DB81C8719DDAAE40C8D9B9CA103BBE77BE4FCE6C.
  • [File] JsSchHlp.exe – Signed by JUSTSYSTEMS CORPORATION, with appended second-stage LODEINFO data. A8D2BE15085061B753FDEBBDB08D301A034CE1D5.
  • [File] JSESPR.dll – Second-stage LODEINFO loader. 0AB7BB3FF583E50FBF28B288E71D3BB57F9D1395.
  • [File] 31558_n.dll – MirrorStealer credential stealer. E888A552B00D810B5521002304D4F11BC249D8ED.
  • [IP] 5.8.95.174 – LODEINFO C2 server (G-Core Labs). First seen 2022-06-13.
  • [IP] 45.32.13.180 – Server for data exfiltration (AS-CHOOPA). First seen 2022-06-29.
  • [IP] 103.175.16.39 – LODEINFO C2 server (Gigabit Hosting). First seen 2022-06-13.
  • [IP] 167.179.116.56 – Second-stage LODEINFO C2 server (AS-CHOOPA). First seen 2021-10-20.
  • [IP] 172.105.217.233 – Second-stage LODEINFO C2 server (Linode, LLC). First seen 2021-11-14.
  • [Domain] www.ninesmn.com – Second-stage LODEINFO C2 server (associated with 167.179.116.56).
  • [Domain] www.aesorunwe.com – Second-stage LODEINFO C2 server (associated with 172.105.217.233).
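As an added defender-side illustration (not code from the ESET report or the LODEINFO samples), the following Python matcher checks constructed Sysmon-style events against the file hashes, C2 servers, side-load pairs (K7SysMon.exe/K7SysMn1.dll, JsSchHlp.exe/JSESPR.dll) and HKCU Run-key persistence listed above; the event field names and sample values are assumptions.

```python
import re

# SHA-1 hashes and labels copied from the IoC list above
FILE_SHA1 = {
    "F4691FF3B3ACD15653684F372285CAC36C8D0AEF": "K7SysMn1.dll (LODEINFO loader)",
    "DB81C8719DDAAE40C8D9B9CA103BBE77BE4FCE6C": "K7SysMon.Exe.db (encrypted LODEINFO)",
    "A8D2BE15085061B753FDEBBDB08D301A034CE1D5": "JsSchHlp.exe (appended second-stage LODEINFO)",
    "0AB7BB3FF583E50FBF28B288E71D3BB57F9D1395": "JSESPR.dll (second-stage loader)",
    "E888A552B00D810B5521002304D4F11BC249D8ED": "31558_n.dll (MirrorStealer)",
}
# C2 and exfiltration servers from the IoC list
NETWORK = {"5.8.95.174", "45.32.13.180", "103.175.16.39", "167.179.116.56",
           "172.105.217.233", "www.ninesmn.com", "www.aesorunwe.com"}
# Legitimate host executable -> malicious library it side-loads (T1574.002)
SIDELOAD_PAIRS = {"k7sysmon.exe": "k7sysmn1.dll", "jsschhlp.exe": "jsespr.dll"}
# HKCU Run key (T1547.001); Sysmon logs it as HKU\<SID>\..., so accept both forms
RUN_KEY = re.compile(r"(HKCU|HKU\\[^\\]+)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)

def match_event(ev: dict) -> list[str]:
    """Return the IoC/technique hits for one event (field names are assumed)."""
    hits = []
    sha1 = ev.get("sha1", "").upper()          # hash of the image or loaded module
    if sha1 in FILE_SHA1:
        hits.append(f"hash:{FILE_SHA1[sha1]}")
    dest = ev.get("dest", "").lower()          # destination IP or hostname
    if dest in NETWORK:
        hits.append(f"c2:{dest}")
    image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
    loaded = ev.get("loaded", "").rsplit("\\", 1)[-1].lower()
    if loaded and SIDELOAD_PAIRS.get(image) == loaded:
        hits.append(f"T1574.002:{image}->{loaded}")
    if RUN_KEY.search(ev.get("target_object", "")):
        hits.append("T1547.001:HKCU Run key write")
    return hits

def scan(events):
    """Pair every hit with the index of the event that produced it."""
    return [(i, h) for i, ev in enumerate(events) for h in match_event(ev)]

# Constructed sample events, not real telemetry; keys loosely mirror Sysmon fields
SAMPLE_EVENTS = [
    {"image": r"C:\Users\u\AppData\Local\Temp\K7SysMon.exe",
     "loaded": r"C:\Users\u\AppData\Local\Temp\K7SysMn1.dll",
     "sha1": "f4691ff3b3acd15653684f372285cac36c8d0aef"},
    {"image": r"C:\Windows\System32\svchost.exe", "dest": "5.8.95.174"},
    {"image": r"C:\Windows\explorer.exe",
     "target_object": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"image": r"C:\Program Files\Example\app.exe", "loaded": r"C:\Program Files\Example\helper.dll"},
]
```

Calling `scan(SAMPLE_EVENTS)` yields four hits (two for the side-load event, one C2 hit, one Run-key hit) and none for the benign last event; in practice the hash and network sets should be refreshed from the full report rather than this summary.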

Read more: https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/