Full Report
ESET researchers uncovered MirrorFace activity that expanded beyond its usual focus on Japan and targeted a Central European diplomatic institute with the ANEL backdoor
Analysis Summary
# Threat Actor: MirrorFace (Subgroup of APT10)
## Attribution & Identity
China-aligned threat actor, also known as **Earth Kasha**, active since at least 2019. ESET now assesses it to be a subgroup operating under the **APT10** umbrella, based on overlapping TTPs, targeting, and its reintroduction of APT10's **ANEL** backdoor.
## Activity Summary
The latest activity, dubbed **Operation AkaiRyū** (observed in Q2 and Q3 2024), was a cyberespionage campaign against a Central European diplomatic institute that used the upcoming Expo 2025 in Osaka, Japan as its lure. This is the first known MirrorFace attack on a European entity, although prior activity outside Japan has been reported in Taiwan, India, and Vietnam. Operations typically begin with a spearphishing email carrying a malicious attachment. The core objective remains espionage: collecting and exfiltrating specific files of interest.
## Tactics, Techniques & Procedures
The actor demonstrated refreshed tooling and TTPs in 2024:
- **Initial Access:** Spearphishing emails with malicious attachments.
- **Execution:** A multi-stage execution chain that launches the new malware inside Windows Sandbox, a disposable virtual machine whose processes are not visible to host-based security tooling and whose contents are discarded when it closes.
- **Backdoors/Malware:**
- Deployment of a heavily customized variant of **AsyncRAT**.
- Resurrection and use of the **ANEL** backdoor, previously considered exclusive to APT10.
- Continued use of known tooling: the **LODEINFO** and **HiddenFace** backdoors were already associated with this group.
- **Discovery/System Enumeration:**
- `csvde` used to export data from Active Directory Domain Services (T1087.002).
- Gathered system information, time, and running processes (T1082, T1057, T1124).
- Determined the currently logged-in user (T1033).
- **Collection:**
- Collection of clipboard data (T1115).
- Ability to take screenshots (ANEL) (T1113).
- **Command and Control (C2):**
- ANEL uses HTTP for C2 communication (T1071.001).
- ANEL encodes data using base64 (T1132.001).
- HiddenFace uses Junk Data (T1001.001) and Dynamic Resolution/DGA for C2 domains (T1568.002).
- Communication over encrypted channels (T1573).
- **Exfiltration:**
- Exfiltration over C2 channel (T1041).
- Data splitting/chunking upon operator request (T1030).
## Targeting
- **Sectors:** Diplomatic organizations, media, defense-related companies, think tanks, financial institutions, academic institutions, and manufacturers.
- **Geography:** Primarily Japan, but also observed targeting entities in Taiwan, India, and Vietnam. The latest activity involved a **Central European diplomatic institute**.
- **Victims:** A Central European diplomatic institute (activity observed in August 2024).
## Tools & Infrastructure
- **Malware families used:** Customized **AsyncRAT** variant, **ANEL** (UPPERCUT), **LODEINFO**, **HiddenFace**.
- **Infrastructure:** HiddenFace generates its C2 domain names with a Domain Generation Algorithm (DGA). No specific C2 domains or IP addresses are listed in this summary.
## Implications
MirrorFace is evolving its tooling, which indicates an active development cycle and, given the reuse of ANEL, access to resources shared across the broader APT10 network. Its expansion to a European target, tied to a high-profile global event such as Expo 2025, suggests an intelligence collection scope that is widening beyond its traditional focus on Japan. Running payloads inside Windows Sandbox keeps the malware out of sight of host endpoint protection and leaves few forensic artifacts once the sandbox is discarded, complicating both detection and post-incident analysis.
## Mitigations
- Enhance spearphishing detection, especially using lures related to international events or diplomatic matters.
- Monitor network traffic for ANEL and AsyncRAT command-and-control patterns: ANEL beacons over HTTP with base64-encoded data, and the actor also uses encrypted and junk-padded channels, so look for anomalous periodic HTTP connections from hosts rather than relying on payload content alone.
- Treat Windows Sandbox activity as a hunting lead: alert on enablement of the optional feature (`Containers-DisposableClientVM` via DISM or `Enable-WindowsOptionalFeature`), on launches of `WindowsSandbox.exe`, and on `.wsb` configuration files appearing in user-writable locations; disable the feature where it is not needed.
- Review historical discovery and lateral-movement activity, in particular invocations of `csvde` (and renamed copies of it) exporting Active Directory objects to a file, which is rarely legitimate on workstations.
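The two host-side mitigations above (Windows Sandbox anomalies and `csvde` AD enumeration) both reduce to rules over process-creation telemetry. The following Python hunt is an added example, not code from ESET's report or from the actor's toolset. It runs over constructed Sysmon Event ID 1-style records whose field names (`Image`, `OriginalFileName`, `CommandLine`, `User`, `ParentImage`) are an assumption; adapt them to your own schema. The `OriginalFileName` check catches `csvde.exe` even when the binary has been copied under another name.

```python
"""Hunt process-creation telemetry for Operation AkaiRyu-style host behaviour:
csvde.exe exporting Active Directory objects (T1087.002) and Windows Sandbox
feature enablement or launches. Added example; sample events are constructed."""
import ntpath
import re

# Constructed sample telemetry (Sysmon Event ID 1-like records).
# Field names are assumed for illustration, not taken from any real dataset.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\csvde.exe", "OriginalFileName": "csvde.exe",
     "CommandLine": r'csvde -f C:\Users\Public\ad.csv -r "(objectClass=user)"',
     "User": r"CORP\jdoe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Import mode (-i) writes to AD instead of exporting it; not flagged by this rule.
    {"Image": r"C:\Windows\System32\csvde.exe", "OriginalFileName": "csvde.exe",
     "CommandLine": r"csvde -i -f C:\Users\Public\new_users.csv",
     "User": r"CORP\admin", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Renamed copy of csvde.exe; only OriginalFileName gives it away.
    {"Image": r"C:\Users\Public\svc.exe", "OriginalFileName": "csvde.exe",
     "CommandLine": r"svc.exe -f C:\Users\Public\out.csv",
     "User": r"CORP\jdoe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Windows Sandbox started from a .wsb configuration file in a temp folder.
    {"Image": r"C:\Windows\System32\WindowsSandbox.exe", "OriginalFileName": "WindowsSandbox.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsSandbox.exe" C:\Users\jdoe\AppData\Local\Temp\start.wsb',
     "User": r"CORP\jdoe", "ParentImage": r"C:\Windows\explorer.exe"},
    # Enabling the Windows Sandbox optional feature with DISM.
    {"Image": r"C:\Windows\System32\Dism.exe", "OriginalFileName": "DISM.EXE",
     "CommandLine": "dism.exe /online /Enable-Feature /FeatureName:Containers-DisposableClientVM /All /NoRestart",
     "User": r"CORP\jdoe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Benign noise.
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": r"notepad.exe C:\Users\jdoe\notes.txt",
     "User": r"CORP\jdoe", "ParentImage": r"C:\Windows\explorer.exe"},
]

SANDBOX_FEATURE = "containers-disposableclientvm"   # Windows Sandbox optional feature name
FEATURE_TOOLS = {"dism.exe", "powershell.exe", "pwsh.exe"}


def _tokens(cmdline):
    """Split a Windows command line on whitespace, keeping quoted args intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def _basename(path):
    return ntpath.basename(path).lower()


def match_csvde_export(ev):
    """True when csvde (by path or by OriginalFileName) is exporting AD to a file."""
    names = {_basename(ev.get("Image", "")), ev.get("OriginalFileName", "").lower()}
    if "csvde.exe" not in names:
        return False
    args = [t.lower() for t in _tokens(ev.get("CommandLine", ""))[1:]]
    return "-f" in args and "-i" not in args     # -f without -i is export mode


def match_sandbox(ev):
    """Return a rule name for Windows Sandbox launches or feature enablement, else None."""
    image = _basename(ev.get("Image", ""))
    toks = [t.lower() for t in _tokens(ev.get("CommandLine", ""))]
    if image == "windowssandbox.exe" or any(t.endswith(".wsb") for t in toks):
        return "windows_sandbox_launch"
    if image in FEATURE_TOOLS and any(SANDBOX_FEATURE in t for t in toks):
        return "windows_sandbox_feature_enabled"
    return None


def hunt(events):
    """Apply both rules to an iterable of event dicts; return one hit per matching event."""
    hits = []
    for ev in events:
        rule = "csvde_ad_export" if match_csvde_export(ev) else match_sandbox(ev)
        if rule:
            hits.append({"rule": rule, "user": ev.get("User", "?"),
                         "command_line": ev.get("CommandLine", "")})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"[{hit['rule']}] {hit['user']}: {hit['command_line']}")
```

On the constructed sample this yields four hits: the two `csvde` exports (including the renamed copy), the `WindowsSandbox.exe` launch, and the DISM feature enablement; the `csvde -i` import and the Notepad start are ignored. In production, feed the same functions from your SIEM's process-creation export and add the `.wsb` file path to the triage queue, since that file records which host folders were mapped into the sandbox and what command ran at logon.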