Full Report
According to ESET APT Activity Report Q2 2024-Q3 2024, China-linked threat groups dominate global APT campaigns, with MustangPanda responsible for 12% of activity during the observed quarters of 2024. Another nefarious China-backed APT group tracked as MirrorFace (aka Earth Kasha) has been observed expanding its geographical reach to target the diplomatic agency in the EU […] The post Operation AkaiRyū Attacks Detection: China-Backed MirrorFace APT Targets Central European Diplomatic Institute Using ANEL Backdoor appeared first on SOC Prime.
Analysis Summary
# Threat Actor: MirrorFace (China-Backed APT)
## Attribution & Identity
* **Identification:** China-Backed Advanced Persistent Threat (APT) group.
* **Known Aliases/Associations:** Associated with "Operation AkaiRyū" attacks.
## Activity Summary
The group conducted Operation AkaiRyū, which targeted a Central European Diplomatic Institute. The initial compromise used the ANEL backdoor (v5.5.5) to establish a foothold. The operation focused on cyber-espionage, and the group strengthened its operational security by erasing evidence of its actions.
## Tactics, Techniques & Procedures
* **Initial Access/Execution:** Used the ANEL backdoor (v5.5.5) to gain initial access.
* **Persistence/Command and Control:** Employed a custom remote access trojan alongside ANEL.
* **Defense Evasion/Analysis Complication:**
  * Erasing evidence (deleting tools and files).
  * Clearing Windows event logs.
  * Running malware within **Windows Sandbox** to complicate investigations.
* **Other TTPs:** Adopted highly modified versions of malware.
## Targeting
* **Sectors:** Diplomatic (specifically mentioned targeting a Diplomatic Institute).
* **Geography:** Central Europe (specific victim located here).
* **Victims:** A Central European Diplomatic Institute.
## Tools & Infrastructure
* **Malware Families Used:**
  * ANEL backdoor (v5.5.5).
  * Highly modified **AsyncRAT**.
  * Custom malware/Remote Access Trojans.
* **Infrastructure:**
  * Use of **VS Code remote tunnels**.
  * Use of **Windows Sandbox** as an execution environment (a TTP rather than infrastructure in the strict sense, listed here because it shapes where the malware runs).
## Implications
MirrorFace is actively engaged in cyber-espionage targeting sensitive governmental/diplomatic entities in Europe. The group's adoption of tools that complicate analysis, such as leveraging Windows Sandbox and robust clean-up mechanisms, indicates a mature and well-resourced operation requiring significant vigilance from defenders.
## Mitigations
* Boost vigilance against evolving APT campaigns.
* Focus defense efforts on detecting the use of ANEL and modified AsyncRAT.
* Monitor for anomalous activity related to Windows Sandbox execution or attempts to clear Windows event logs, since these are the group's observed operational-security measures.
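The defense-evasion TTPs listed above (clearing Windows event logs, running malware inside Windows Sandbox, using VS Code remote tunnels) map to a handful of host telemetry signals that the mitigation bullets ask defenders to watch. The script below is an added example written for this summary, not detection content from SOC Prime or the ESET report: it runs simple rules over a few constructed event records and returns the matches. The record schema (`event_id`, `channel`, `image`, `new_process_name`, `command_line`) is an assumed normalisation of Windows Security, System and Sysmon events, and the sample command lines are constructed; the event IDs themselves are the standard ones (Security 1102 "audit log was cleared", System 104 "event log was cleared", Sysmon 1 and Security 4688 process creation).

```python
"""Host-telemetry rules for MirrorFace-style anti-forensics and analysis-evasion signals.
Added example; record layout and sample events are constructed, not real incident data."""
import json
from collections import Counter

# Constructed sample events in an assumed normalised schema (not real telemetry).
SAMPLE_EVENTS = [
    {"event_id": 1, "channel": "Sysmon", "host": "ws01", "user": "j.doe",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe"},
    # Security 1102: the Security log itself was cleared
    {"event_id": 1102, "channel": "Security", "host": "ws01", "user": "j.doe"},
    # System 104 (Microsoft-Windows-Eventlog): another log was cleared
    {"event_id": 104, "channel": "System", "host": "ws01", "user": "j.doe"},
    # wevtutil clearing a log via the command line
    {"event_id": 1, "channel": "Sysmon", "host": "ws01", "user": "j.doe",
     "image": r"C:\Windows\System32\wevtutil.exe", "command_line": "wevtutil.exe cl System"},
    # Windows Sandbox launched with a .wsb configuration (Security 4688 shape)
    {"event_id": 4688, "channel": "Security", "host": "ws02", "user": "a.smith",
     "new_process_name": r"C:\Windows\System32\WindowsSandbox.exe",
     "command_line": r"WindowsSandbox.exe C:\Users\a.smith\stage.wsb"},
    # VS Code CLI starting a remote tunnel
    {"event_id": 1, "channel": "Sysmon", "host": "ws02", "user": "a.smith",
     "image": r"C:\Users\a.smith\AppData\Local\Programs\Microsoft VS Code\bin\code.exe",
     "command_line": '"code.exe" tunnel --accept-server-license-terms'},
    # Benign PowerShell that only reads a log; must not fire
    {"event_id": 1, "channel": "Sysmon", "host": "ws03", "user": "svc",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -Command Get-EventLog -LogName System -Newest 10"},
]

LOG_CLEAR_UTILITIES = {"wevtutil.exe"}
SANDBOX_IMAGES = {"windowssandbox.exe"}
VSCODE_CLI_IMAGES = {"code.exe", "code-tunnel.exe"}


def _basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _process_info(ev):
    """(image basename, lower-cased command line) for process-creation events, else None."""
    if ev.get("channel") == "Sysmon" and ev.get("event_id") == 1:
        image = ev.get("image", "")
    elif ev.get("channel") == "Security" and ev.get("event_id") == 4688:
        image = ev.get("new_process_name", "")
    else:
        return None
    return _basename(image), ev.get("command_line", "").lower()


def classify(ev):
    """Return the technique label an event matches, or None if it is uninteresting."""
    if ev.get("channel") == "Security" and ev.get("event_id") == 1102:
        return "security_log_cleared"
    if ev.get("channel") == "System" and ev.get("event_id") == 104:
        return "event_log_cleared"
    info = _process_info(ev)
    if info is None:
        return None
    image, cmd = info
    tokens = cmd.replace('"', "").split()
    # "wevtutil cl <log>" / "wevtutil clear-log <log>" clear a log from the command line
    if image in LOG_CLEAR_UTILITIES and any(t in ("cl", "clear-log") for t in tokens):
        return "log_clear_utility"
    if image in ("powershell.exe", "pwsh.exe") and "clear-eventlog" in cmd:
        return "log_clear_utility"
    # Sandbox binary itself, or any process handed a .wsb configuration file
    if image in SANDBOX_IMAGES or any(t.endswith(".wsb") for t in tokens):
        return "windows_sandbox_launch"
    # VS Code CLI "tunnel" subcommand opens an outbound remote-access channel
    if image in VSCODE_CLI_IMAGES and "tunnel" in tokens:
        return "vscode_remote_tunnel"
    return None


def detect(events):
    """Run the rules over a list of events and return one alert dict per match."""
    alerts = []
    for ev in events:
        label = classify(ev)
        if label:
            alerts.append({"technique": label, "host": ev.get("host"),
                           "user": ev.get("user"), "event_id": ev.get("event_id")})
    return alerts


def summarize(alerts):
    """Count alerts per technique label."""
    return dict(Counter(a["technique"] for a in alerts))


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    print(json.dumps(found, indent=2))
    print(json.dumps(summarize(found), indent=2))
```

On the constructed input the rules raise five alerts (two log-cleared events, one wevtutil invocation, one sandbox launch, one tunnel start) and stay silent on the Notepad and read-only PowerShell records. In a real deployment the three log-clearing rules are the high-confidence ones; Windows Sandbox and VS Code tunnels both have legitimate uses, so those hits are better treated as enrichment to correlate with the ANEL/AsyncRAT indicators than as stand-alone alerts.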