Full Report
The China-linked threat actor known as MirrorFace has been attributed to a new spear-phishing campaign mainly targeting individuals and organizations in Japan since June 2024. The aim of the campaign is to deliver backdoors known as NOOPDOOR (aka HiddenFace) and ANEL (aka UPPERCUT), Trend Micro said in a technical analysis. "An interesting aspect of this campaign is the comeback of a backdoor
Analysis Summary
# Threat Actor: MirrorFace
## Attribution & Identity
* **Identification:** China-linked threat actor.
* **Aliases/Associated Groups:** MirrorFace (tracked by Trend Micro as Earth Kasha). Assessed to be a sub-cluster within APT10.
* **Historical Association:** Previously used the ANEL backdoor in campaigns targeting Japan until around 2018.
## Activity Summary
Since June 2024, MirrorFace has been conducting a new spear-phishing campaign primarily targeting individuals and organizations in Japan. This campaign marks a shift in tactics, moving away from 2023 activities that focused on exploiting security flaws in edge devices (Array Networks and Fortinet). The motivation appears to be cyber espionage focused on topics related to Japan's national security and international relations, suggesting a focus on high-value individuals rather than just enterprises. The adversaries distribute lures related to interview requests and Japan's economic security concerning U.S.-China relations.
## Tactics, Techniques & Procedures
* **Initial Access:** Spear-phishing emails whose links point to Microsoft OneDrive, from which the target downloads a ZIP archive.
* **Delivery Mechanisms (Infection Vectors):** the ZIP contains one of three starters, each ending in a macro-enabled Word template:
  * A macro-enabled Word document opened directly.
  * A Windows shortcut (.LNK) that runs a self-extracting archive (SFX), which in turn opens a document that loads a macro-enabled template.
  * A Windows shortcut (.LNK) that runs PowerShell to drop an embedded cabinet (.CAB) archive, which likewise opens a document that loads a macro-enabled template.
  In the two shortcut variants the macro lives in the attached template rather than in the document the user sees, so the lure file itself can look macro-free on a quick inspection.
* **Execution/Droppers:** The macro component, named ROAMINGMOUSE, acts as the dropper and writes the ANEL components to disk.
* **Malware Staging:** A loader, ANELLDR, is executed through DLL side-loading by a legitimate executable; it decrypts the ANEL payload and runs it in memory, so the plaintext backdoor exists only in memory.
* **Evasion:** The chain is built to keep components out of sight: a shortcut or SFX in place of a visibly macro-enabled document, the macro moved into a template, an encrypted payload on disk, and in-memory execution via DLL side-loading. The summary gives no further evasion specifics.
* **Post-Compromise/Secondary Deployment:** ANEL is used to collect information from the victim; NOOPDOOR is then deployed only against hosts the actor judges to be of special interest.
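The two shortcut variants above are where a defender can intervene before any macro runs, because a .LNK that launches PowerShell or an SFX looks nothing like a document once its header is parsed. The following is an added triage example (not Trend Micro's or the actor's code): it builds a constructed shortcut in memory, parses the Shell Link header and StringData as laid out in MS-SHLLINK, and flags shortcuts that launch an interpreter, carry hidden or encoded PowerShell switches, or have data appended after the link structure. The cabinet archive is assumed here to be appended to the shortcut's own file body; the summary only says it is "embedded". File names and the command line in the sample are placeholders, not indicators from the report.

```python
"""Triage .LNK shortcuts pulled from a downloaded ZIP (added example)."""
import io
import struct
import zipfile

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = [("name", HAS_NAME), ("relative_path", HAS_RELPATH),
                 ("working_dir", HAS_WORKDIR), ("arguments", HAS_ARGS),
                 ("icon_location", HAS_ICON)]          # fixed order in the spec
SUSPICIOUS_TARGETS = ("powershell", "pwsh", "cmd.exe", "wscript", "cscript",
                      "mshta", "rundll32", "expand.exe")
SUSPICIOUS_ARGS = ("-enc", "-w hidden", "-windowstyle hidden", "-ep bypass",
                   "-executionpolicy bypass", "-nop", "expand ", "iex",
                   "invoke-expression", "[io.file]")


def build_lnk(relative_path, arguments, overlay=b""):
    """Construct a minimal Unicode .LNK (no IDList, no LinkInfo) for testing."""
    flags = HAS_RELPATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # 76-byte header

    def string_data(text):          # CountCharacters (2 bytes) + UTF-16LE chars
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    body = header + string_data(relative_path) + string_data(arguments)
    body += struct.pack("<I", 0)    # TerminalBlock closes the ExtraData section
    return body + overlay


def parse_lnk(data):
    """Return StringData fields plus any bytes trailing the link structure."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = 0x4C
    if flags & HAS_IDLIST:                       # IDListSize + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:                     # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    fields = {}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        if flags & IS_UNICODE:
            fields[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            fields[name] = data[off:off + count].decode("cp1252", "replace")
            off += count
    while off + 4 <= len(data):                  # ExtraData blocks; size < 4 ends them
        size = struct.unpack_from("<I", data, off)[0]
        off += 4 if size < 4 else size
        if size < 4:
            break
    fields["overlay"] = data[off:]               # anything past the structure
    return fields


def triage_lnk(data):
    """List the reasons a shortcut looks like a loader rather than a document."""
    lnk = parse_lnk(data)
    args = lnk.get("arguments", "")
    target = (lnk.get("relative_path", "") + " " + args).lower()
    findings = []
    if any(t in target for t in SUSPICIOUS_TARGETS):
        findings.append("launches interpreter/LOLBin: " + target.strip())
    if any(a in args.lower() for a in SUSPICIOUS_ARGS):
        findings.append("suspicious arguments: " + args)
    if lnk["overlay"]:
        kind = "cabinet (MSCF header)" if b"MSCF" in lnk["overlay"] else "unknown"
        findings.append(f"{len(lnk['overlay'])} bytes appended after link structure: {kind}")
    return findings


def scan_zip(zip_bytes):
    """Triage every .lnk member of a ZIP held in memory (e.g. a OneDrive download)."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".lnk"):
                report[info.filename] = triage_lnk(zf.read(info))
    return report


# Constructed sample (names and command line are placeholders, not IOCs): a
# shortcut posing as an interview request that runs hidden PowerShell to
# expand a cabinet carried in the shortcut's own overlay.
FAKE_CAB = b"MSCF" + b"\x00" * 60
SAMPLE_LNK = build_lnk(
    "..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    '-w hidden -ep bypass -c "expand interview_request.pdf.lnk -F:* $env:TEMP"',
    overlay=FAKE_CAB)


def build_sample_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("interview_request.pdf.lnk", SAMPLE_LNK)
        zf.writestr("readme.txt", "decoy")
    return buf.getvalue()


if __name__ == "__main__":
    for name, findings in scan_zip(build_sample_zip()).items():
        print(name, "->", findings)
```

The overlay check matters more than the string matching: the interpreter name and switches can be obfuscated, but a cabinet appended to a shortcut still has to start with `MSCF` somewhere in the trailing bytes for `expand` to unpack it, and a legitimate shortcut has no trailing bytes at all.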
## Targeting
* **Sectors:** Organizations and individuals involved in areas related to Japan's national security and international relations (e.g., researchers).
* **Geography:** Japan.
* **Victims:** Individuals and organizations within Japan. The campaign was also documented targeting a diplomatic organization in the European Union last month using World Expo lures.
## Tools & Infrastructure
* **Malware Families Used:**
* **ANEL (aka UPPERCUT):** An updated 32-bit HTTP-based implant (originally active 2017-2018) capable of capturing screenshots, file upload/download, running remote commands, and now includes a module to run programs with elevated privileges.
* **NOOPDOOR (aka HiddenFace):** Deployed selectively against targets of special interest.
* **ROAMINGMOUSE:** Macro-enabled Word document component acting as the initial dropper.
* **ANELLDR:** Loader module specifically designed to execute ANEL in memory via DLL side-loading.
* **Infrastructure:** Delivery relies on links to **Microsoft OneDrive**, so the initial download comes from a legitimate and widely allow-listed domain. The summary lists no C2 IP addresses or domains, so no network indicators can be derived from it.
## Implications
MirrorFace/Earth Kasha's return to ANEL, a backdoor last seen in its Japan campaigns around 2018 and now updated for targeted spear-phishing against individuals, points to a focused espionage objective around politically sensitive topics in Japan. Targeting individuals such as researchers also sidesteps the stronger defenses of an enterprise network: a personal or lightly managed device with default endpoint protection is likely to be easier ground for a macro-and-side-loading chain than a hardened corporate workstation.
## Mitigations
* Maintain endpoint hygiene: keep Windows and Office patched, leave Office's default block on macros in files from the internet in place (or enforce it by policy), and consider allowing only digitally signed VBA.
* Treat files downloaded from file-sharing links with the same suspicion as attachments: a ZIP that contains a .LNK file, an SFX executable, or a document that pulls in a macro-enabled template is a red flag, especially when the lure concerns job interviews or specific geopolitical matters.
* Ensure anti-malware and behavioral monitoring can see the chain end to end: Office processes spawning PowerShell or other script hosts, Office writing executables or archives into user-writable folders, and DLLs loaded from those folders by an executable sitting in the same directory (the side-loading pattern ANELLDR relies on).
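The last mitigation is the one most often left abstract, so here is an added detection example (not from the report) that runs the three behaviors it names over constructed Sysmon-style events (event 1 process create, 11 file create, 7 image load) and correlates them. The host executable and DLL names are placeholders, not the real ANELLDR file names, which the summary does not give; the rules themselves are the generic chain heuristics and apply beyond this campaign.

```python
"""Chain-aware detection for macro -> dropper -> side-loaded loader (added example)."""
import ntpath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "expand.exe"}
PAYLOAD_EXT = (".dll", ".exe", ".cab", ".lnk")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\",
                 "\\programdata\\", "\\downloads\\")


def base(path):
    return ntpath.basename(path).lower()      # ntpath handles backslashes on any OS


def folder(path):
    return ntpath.dirname(path).lower()


def user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def detect(events):
    """Apply the three rules in order and correlate Office drops with later loads."""
    alerts, dropped = [], set()
    for ev in events:
        if ev["id"] == 1:
            # Rule 1: an Office process spawns a script host / LOLBin
            if base(ev["parent_image"]) in OFFICE_APPS and base(ev["image"]) in SCRIPT_HOSTS:
                alerts.append(("office_spawns_script_host", ev["command_line"]))
        elif ev["id"] == 11:
            # Rule 2: an Office process writes an executable artefact (the dropper step)
            if base(ev["image"]) in OFFICE_APPS and ev["target"].lower().endswith(PAYLOAD_EXT):
                dropped.add(ev["target"].lower())
                alerts.append(("office_drops_executable", ev["target"]))
        elif ev["id"] == 7:
            # Rule 3: unsigned DLL loaded from a user-writable folder by an EXE in
            # that same folder (the side-loading pattern)
            same_dir = folder(ev["image"]) == folder(ev["image_loaded"])
            if not ev["signed"] and same_dir and user_writable(ev["image_loaded"]):
                alerts.append(("suspicious_dll_sideload",
                               f"{ev['image']} loaded {ev['image_loaded']}"))
                if ev["image_loaded"].lower() in dropped:   # correlation with rule 2
                    alerts.append(("chain_complete",
                                   "DLL written by Office was later side-loaded"))
    return alerts


# Constructed events; every path and name below is a placeholder.
WORD = "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
STAGE = "C:\\Users\\taro\\AppData\\Roaming\\Update"
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": WORD, "image": PS,
     "command_line": "powershell.exe -w hidden -ep bypass -File %APPDATA%\\Update\\stage.ps1"},
    {"id": 11, "image": WORD, "target": STAGE + "\\host.exe"},
    {"id": 11, "image": WORD, "target": STAGE + "\\helper.dll"},
    {"id": 7, "image": STAGE + "\\host.exe", "image_loaded": STAGE + "\\helper.dll",
     "signed": False},
]
BENIGN_EVENTS = [
    {"id": 1, "parent_image": "C:\\Windows\\explorer.exe", "image": WORD,
     "command_line": WORD + " report.docx"},
    {"id": 11, "image": WORD, "target": "C:\\Users\\taro\\Documents\\~$report.docx"},
    {"id": 7, "image": "C:\\Windows\\System32\\svchost.exe",
     "image_loaded": "C:\\Windows\\System32\\rpcrt4.dll", "signed": True},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Each rule on its own produces noise in a large estate (developers launch PowerShell from Excel, installers side-load legitimately); the `chain_complete` correlation, a DLL that Office itself wrote being loaded from a user profile directory moments later, is the signal worth paging on.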