Overview of MirrorFace’s Campaign
The China-linked cyber threat actor MirrorFace (aka Earth Kasha) has launched a new spear-phishing campaign against individuals and organizations in Japan since June 2024. The attack leverages two advanced backdoors: ANEL (aka UPPERCUT) and NOOPDOOR (aka HiddenFace), according to a detailed report from Trend Micro.
This campaign marks the return of the ANEL backdoor, previously used by APT10 in operations against Japanese entities until 2018. Its resurgence demonstrates MirrorFace’s evolving tactics and persistent focus on cyber espionage targeting Japan's national security and international relations.
New Tactics and Methods
Unlike the group’s 2023 campaigns, which exploited vulnerabilities in edge devices from Array Networks and Fortinet, this operation relies on spear-phishing emails. These emails are specifically tailored to single out individuals, such as researchers and professionals, who may lack the robust security defenses of large enterprises.
The phishing emails, sent from compromised or free email accounts, include links to booby-trapped ZIP archives hosted on Microsoft OneDrive. These lures are disguised as:
- Interview requests.
- Topics on Japan’s economic security.
- U.S.-China relations.
The ZIP files contain one of three infection vectors:
- Macro-enabled Word documents.
- Windows shortcut files that execute a self-extracting archive (SFX).
- Windows shortcut files running PowerShell scripts to drop an embedded CAB archive with a macro-enabled template document.
Once opened, the documents act as droppers for malware components, including the ROAMINGMOUSE dropper, which deploys ANEL.
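The three infection vectors above share one delivery container, a ZIP archive, so a mail gateway or sandbox can triage the archive before any document is opened. The following Python script is an added example written for this article, not code from Trend Micro or from the malware: it builds a constructed lure archive in memory, flags macro-enabled Word members, and applies a lightweight byte scan to shortcut (.lnk) members for PowerShell, CAB expansion and executable launches. The member names, the indicator strings and the fake shortcut bytes are assumptions for illustration, not indicators taken from the report.

```python
"""Triage of ZIP lures for the infection vectors the article describes.

Added example, not part of the original report. It flags archive members
matching the three vectors named in the text: macro-enabled Word documents,
Windows shortcut files that launch a self-extracting archive, and shortcut
files that run PowerShell to drop an embedded CAB archive. All file names,
indicator strings and sample bytes below are constructed assumptions.
"""
import io
import zipfile

# Assumption: macro-enabled Word formats worth flagging on sight.
MACRO_EXTENSIONS = {".docm", ".dotm"}
SHORTCUT_EXTENSIONS = {".lnk"}

# Assumption: substrings a shortcut's command line may contain for each vector.
# Shortcut files store strings as UTF-16LE, so both encodings are checked.
LNK_INDICATORS = {
    "powershell": "shortcut invokes PowerShell",
    "expand ": "shortcut expands an embedded CAB archive",
    ".exe": "shortcut launches an executable (possible self-extracting archive)",
}

# Every ShellLink file starts with its 0x4C-byte header size field.
LNK_MAGIC = b"\x4c\x00\x00\x00"


def _lower_ext(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def scan_shortcut(data: bytes) -> list[str]:
    """Return human-readable findings for the raw bytes of a shortcut file."""
    findings = []
    if not data.startswith(LNK_MAGIC):
        findings.append("no ShellLink header despite .lnk extension")
    lowered = data.lower()  # ASCII bytes inside UTF-16LE are lowercased too
    for needle, meaning in LNK_INDICATORS.items():
        if needle.encode() in lowered or needle.encode("utf-16-le") in lowered:
            findings.append(meaning)
    return findings


def triage_zip(blob: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name to its findings; a clean archive yields {}."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            ext = _lower_ext(info.filename)
            findings = []
            if ext in MACRO_EXTENSIONS:
                findings.append("macro-enabled Word document")
            elif ext in SHORTCUT_EXTENSIONS:
                findings.append("Windows shortcut file")
                findings.extend(scan_shortcut(zf.read(info)))
            if findings:
                report[info.filename] = findings
    return report


def build_sample_zip() -> bytes:
    """Constructed lure archive mimicking the vectors in the text (not a real sample)."""
    # Fake shortcuts: a genuine header size field, zero padding to 0x4C bytes,
    # then an invented UTF-16LE command line. Not parseable as real LNK files.
    lnk_ps = LNK_MAGIC + b"\x00" * 72 + "powershell -w hidden expand lure.cab".encode("utf-16-le")
    lnk_sfx = LNK_MAGIC + b"\x00" * 72 + "C:\\Users\\Public\\setup.exe".encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("interview_request.docm", b"PK\x03\x04 placeholder")
        zf.writestr("economic_security.lnk", lnk_ps)
        zf.writestr("us_china_relations.lnk", lnk_sfx)
        zf.writestr("notes.txt", b"benign text")
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in triage_zip(build_sample_zip()).items():
        print(member)
        for finding in findings:
            print("  -", finding)
```

The scan is deliberately shallow: it keys on extension and on strings in the shortcut body rather than parsing the ShellLink format, so it is a gateway-side first filter that hands flagged archives to a sandbox, not a replacement for detonation.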
Technical Details of ANEL and NOOPDOOR Backdoors
ANEL Backdoor
ANEL, a 32-bit HTTP-based implant, was actively developed from 2017 to 2018 for:
- Capturing screenshots.
- Uploading/downloading files.
- Executing commands via cmd.exe.
- Running executables.
The 2024 version includes an upgraded command for executing programs with elevated privileges. It is delivered through a multi-stage process, including the use of DLL side-loading to decrypt and run the backdoor directly in memory, bypassing detection.
NOOPDOOR Backdoor
The NOOPDOOR implant is selectively deployed against high-value targets to:
- Collect sensitive data from infected systems.
- Enable additional surveillance and exploitation activities.
Targeting Individuals vs. Organizations
MirrorFace has shifted its focus from enterprise-level targets to individuals, such as researchers. These targets typically run weaker security controls than large organizations, which makes them more susceptible to social engineering attacks.
“The attackers are particularly interested in topics related to Japan's national security and international relations, as evidenced by the lure themes,” noted security researcher Hara Hiroaki.
Mitigation and Recommendations
The resurgence of ANEL and NOOPDOOR highlights the importance of maintaining strong cybersecurity practices:
- Avoid opening attachments or clicking on links in suspicious emails.
- Regularly update software and operating systems to patch vulnerabilities.
- Use advanced email filtering solutions to detect and block spear-phishing attempts.
- Deploy endpoint detection and response (EDR) tools to identify and mitigate malware.