In August 2024, ESET researchers detected cyberespionage exercise carried out by the China-aligned MirrorFace superior persistent risk (APT) group towards a Central European diplomatic institute in relation to Expo 2025, which will likely be held in Osaka, Japan.
Recognized primarily for its cyberespionage actions towards organizations in Japan, to the most effective of our information, that is the primary time MirrorFace supposed to infiltrate a European entity. The marketing campaign, which we uncovered in Q2 and Q3 of 2024 and named Operation AkaiRyū (Japanese for RedDragon), showcases refreshed techniques, methods, and procedures (TTPs) that we noticed all through 2024: the introduction of recent instruments (corresponding to a personalized AsyncRAT), the resurrection of ANEL, and a fancy execution chain.
On this blogpost, we current particulars of the Operation AkaiRyū assaults and findings from our investigation of the diplomatic institute case, together with information from our forensic evaluation. ESET Analysis offered the outcomes of this evaluation on the Joint Safety Analyst Convention (JSAC) in January 2025.
Key factors of this blogpost:
MirrorFace has refreshed its TTPs and tooling.
MirrorFace has began utilizing ANEL, a backdoor beforehand related completely with APT10.
MirrorFace has began deploying a closely personalized variant of AsyncRAT, utilizing a fancy execution chain to run it inside Home windows Sandbox.
To our information, MirrorFace focused a European entity for the primary time.
We collaborated with the affected Central European diplomatic institute and carried out a forensic investigation.
The findings obtained throughout that investigation have offered us with higher perception into MirrorFace’s post-compromise actions.
MirrorFace profile
MirrorFace, also referred to as Earth Kasha, is a China-aligned risk actor till now virtually completely concentrating on corporations and organizations in Japan but in addition some situated elsewhere which have relationships with Japan. As defined on this blogpost, we now think about MirrorFace to be a subgroup beneath the APT10 umbrella. MirrorFace has been energetic since no less than 2019 and has been reported to focus on media, defense-related corporations, suppose tanks, diplomatic organizations, monetary establishments, tutorial establishments, and producers. In 2022, we found a MirrorFace spearphishing marketing campaign concentrating on Japanese political entities.
MirrorFace focuses on espionage and exfiltration of information of curiosity; it’s the solely group identified to make use of the LODEINFO and HiddenFace backdoors. Within the 2024 actions analyzed on this blogpost, MirrorFace began utilizing APT10’s former signature backdoor, ANEL, in its operations as properly.
Overview
Very similar to earlier MirrorFace assaults, Operation AkaiRyū started with rigorously crafted spearphishing emails designed to entice recipients to open malicious attachments. Our findings recommend that regardless of this group’s foray past the borders of its ordinary searching floor, the risk actor nonetheless maintains a robust give attention to Japan and occasions tied to the nation. Nonetheless, this isn’t the primary time MirrorFace has been reported to function exterior of Japan: Pattern Micro and the Vietnamese Nationwide Cyber Safety Heart (doc in Vietnamese) reported on such circumstances in Taiwan, India, and Vietnam.
ANEL’s comeback
Throughout our evaluation of Operation AkaiRyū, we found that MirrorFace has considerably refreshed its TTPs and tooling. MirrorFace began utilizing ANEL (additionally known as UPPERCUT) – a backdoor thought-about unique to APT10 – which is stunning, because it was believed that ANEL was deserted across the finish of 2018 or the beginning of 2019 and that LODEINFO succeeded it, showing later in 2019. The small distinction in model numbers between 2018 and 2024 ANELs, 5.5.0 and 5.5.4, and the truth that APT10 used to replace ANEL each few months, strongly recommend that the event of ANEL has restarted.
Using ANEL additionally supplies additional proof within the ongoing debate concerning the potential connection between MirrorFace and APT10. The truth that MirrorFace has began utilizing ANEL, and the opposite beforehand identified info, corresponding to related concentrating on and malware code similarities, led us to make a change in our attribution: we now imagine that MirrorFace is a subgroup beneath the APT10 umbrella. This attribution change aligns our pondering with different researchers who already think about MirrorFace to be part of APT10, corresponding to these at Macnica (report in Japanese), Kaspersky, ITOCHU Cyber & Intelligence Inc., and Cybereason. Others, as at Pattern Micro, as of now nonetheless think about MirrorFace to be solely probably associated to APT10.
First use of AsyncRAT and Visible Studio Code by MirrorFace
In 2024, MirrorFace additionally deployed a closely personalized variant of AsyncRAT, embedding this malware right into a newly noticed, intricate execution chain that runs the RAT inside Home windows Sandbox. This technique successfully obscures the malicious actions from safety controls and hamstrings efforts to detect the compromise.
In parallel to the malware, MirrorFace additionally began deploying Visible Studio Code (VS Code) to abuse its distant tunnels function. Distant tunnels allow MirrorFace to determine stealthy entry to the compromised machine, execute arbitrary code, and ship different instruments. MirrorFace just isn’t the one APT group abusing VS Code: Tropic Trooper and Mustang Panda have additionally been reported utilizing it of their assaults.
Moreover, MirrorFace continued to make use of its present flagship backdoor, HiddenFace, additional bolstering persistence on compromised machines. Whereas ANEL is utilized by MirrorFace because the first-line backdoor, proper after the goal has been compromised, HiddenFace is deployed within the later levels of the assault. It’s also value noting that in 2024 we didn’t observe any use of LODEINFO, one other backdoor used completely by MirrorFace.
Forensic evaluation of the compromise
We contacted the affected institute to tell them concerning the assault and to scrub up the compromise as quickly as potential. The institute collaborated carefully with us throughout and after the assault, and moreover offered us with the disk photos from the compromised machines. This enabled us to carry out forensic analyses on these photos and uncover additional MirrorFace exercise.
ESET Analysis offered extra technical particulars about ANEL’s return to ESET Menace Intelligence prospects on September 4th, 2024. Pattern Micro revealed their findings on then-recent MirrorFace actions on October twenty first, 2024 in Japanese and on November twenty sixth, 2024 in English: these overlap with Operation AkaiRyū and likewise point out the return of the ANEL backdoor. Moreover, in January 2025, the Japanese Nationwide Police Company (NPA) revealed a warning about MirrorFace actions to organizations, companies, and people in Japan. Operation AkaiRyū corresponds with Marketing campaign C, as talked about within the Japanese model of NPA’s warning. Nonetheless, NPA mentions the concentrating on of Japanese entities completely – people and organizations primarily associated to academia, suppose tanks, politics, and the media.
Along with Pattern Micro’s report and NPA’s warning, we offer an unique evaluation of MirrorFace post-compromise actions, which we had been capable of observe because of the shut cooperation of the affected group. This contains the deployment of a closely personalized AsyncRAT, abuse of VS Code distant tunnels, and particulars on the execution chain that runs malware inside Home windows Sandbox to keep away from detection and conceal the carried out actions.
On this blogpost, we cowl two distinct circumstances: a Central European diplomatic institute and a Japanese analysis institute. Despite the fact that MirrorFace’s general strategy is similar in each circumstances, there are notable variations within the preliminary entry course of; therefore we describe them each.
Technical evaluation
Between June and September 2024, we noticed MirrorFace conducting a number of spearphishing campaigns. Based mostly on our information, the attackers primarily gained preliminary entry by tricking targets into opening malicious attachments or hyperlinks, then they leveraged professional purposes and instruments to stealthily set up their malware.
Preliminary entry
We weren’t capable of decide the preliminary assault vector for all of the circumstances noticed in 2024. Nonetheless, primarily based on the info out there to us, we assume that spearphishing was the one assault vector utilized by MirrorFace. The group impersonates trusted organizations or people to persuade recipients to open paperwork or click on hyperlinks. The next findings on preliminary entry align with these within the Pattern Micro article, though they don’t seem to be totally the identical.
Particularly, in Operation AkaiRyū, MirrorFace abused each McAfee-developed purposes and likewise one developed by JustSystems to run ANEL. Whereas Pattern Micro reported Home windows Administration Instrumentation (WMI) and explorer.exe because the execution proxy pair for ANEL, we unearthed one other pair: WMI and wlrmdr.exe (Home windows logon reminder). We additionally present an e mail dialog between a disguised MirrorFace operator and a goal.
Case 1: Japanese analysis institute
On June twentieth, 2024, MirrorFace focused two workers of a Japanese analysis institute, utilizing a malicious, password-protected Phrase doc delivered in an unknown method.
The paperwork triggered VBA code on a easy mouseover occasion – the malicious code was triggered by transferring the mouse over textual content packing containers positioned within the doc. It then abused a signed McAfee executable to load ANEL (model 5.5.4) into reminiscence. The compromise chain is depicted in Determine 1.
Determine 1. Compromise chain noticed in June 2024
Case 2: Central European diplomatic institute
On August twenty sixth, 2024, MirrorFace focused a Central European diplomatic institute. To our information, that is the primary, and, to this point, solely time MirrorFace has focused an entity in Europe.
MirrorFace operators arrange their spearphishing assault by crafting an e mail message (proven in Determine 2) that references a earlier, professional interplay between the institute and a Japanese NGO. The professional interplay was in all probability obtained from a earlier marketing campaign. As will be seen, this spearphishing arrange message refers back to the upcoming Expo 2025 exhibition, an occasion that will likely be held in Japan.
Determine 2. The primary e mail despatched to the goal
This primary e mail was innocent, however as soon as the goal responded, MirrorFace operators despatched an e mail message with a malicious OneDrive hyperlink resulting in a ZIP archive with a LNK file disguised as a Phrase doc named The EXPO Exhibition in Japan in 2025.docx.lnk. This second message is proven in Determine 3. Utilizing this strategy, MirrorFace hid the payload till the goal was engaged within the spearphishing scheme.
Determine 3. Second e mail despatched by MirrorFace, containing a hyperlink to a malicious ZIP archive hosted on OneDrive
As soon as opened, the LNK file launches a fancy compromise chain, depicted in Determine 4 and Determine 5.
Determine 4 . First a part of the compromise chain
Determine 5. Second a part of the compromise chain
The LNK file runs cmd.exe with a set of PowerShell instructions to drop extra information, together with a malicious Phrase file, tmp.docx, which masses a malicious Phrase template, normal_.dotm, containing VBA code. The contents of the Phrase doc tmp.docx are depicted in Determine 6, and doubtless are supposed to behave as a decoy, whereas malicious actions are operating within the background.
Determine 6. Contents of the misleading tmp.docx doc proven to the goal
The VBA code extracts a legitimately signed utility from JustSystems Company to side-load and decrypt the ANEL backdoor (model 5.5.5). This gave MirrorFace a foothold to start post-compromise operations.
Toolset
In Operation AkaiRyū, MirrorFace relied not solely on its customized malware, but in addition on numerous instruments and a personalized variant of a publicly out there distant entry trojan (RAT).
ANEL
ANEL (also referred to as UPPERCUT) is a backdoor that was beforehand related completely with APT10. In 2024, MirrorFace began utilizing ANEL as its first-line backdoor. ANEL’s growth, till 2018, was described most just lately in Secureworks’ JSAC 2019 presentation. The ANEL variants noticed in 2024 had been publicly described by Pattern Micro.
ANEL is a backdoor, solely discovered on disk in an encrypted type, and whose decrypted DLL type is just ever present in reminiscence as soon as a loader has decrypted it in preparation for execution. ANEL communicates with its C&C server over HTTP, the place the transmitted information is encrypted to guard it in case the communication is being captured. ANEL helps fundamental instructions for file manipulation, payload execution, and taking a screenshot.
ANELLDR
ANELLDR is a loader completely used to decrypt the ANEL backdoor and run it in reminiscence. Pattern Micro described ANELLDR of their article.
HiddenFace
HiddenFace is MirrorFace’s present flagship backdoor, with a heavy give attention to modularity; we described it intimately on this JSAC 2024 presentation.
FaceXInjector
FaceXInjector is a C# injection instrument saved in an XML file, compiled and executed by the Microsoft MSBuild utility, and used to completely execute HiddenFace. We described FaceXInjector in the identical JSAC 2024 presentation devoted to HiddenFace.
AsyncRAT
AsyncRAT is a RAT publicly out there on GitHub. In 2024, we detected that MirrorFace began utilizing a closely personalized AsyncRAT within the later levels of its assaults. The group ensures AsyncRAT’s persistence by registering a scheduled job that executes at machine startup; as soon as triggered, a fancy chain (depicted in Determine 7) launches AsyncRAT inside Home windows Sandbox, which should be manually enabled and requires a reboot. We had been unable to find out how MirrorFace allows this function.
Determine 7. AsyncRAT execution chain
The next information are delivered to the compromised machine so as to efficiently execute AsyncRAT:
7z.exe – professional 7-Zip executable.
7z.dll – professional 7-Zip library.
.7z – password-protected 7z archive containing AsyncRAT, named setup.exe.
.bat – batch script that unpacks AsyncRAT and runs it.
.wsb – Home windows Sandbox configuration file to run .bat.
The triggered scheduled job executes Home windows Sandbox with .wsb as a parameter. This file comprises configuration information for the sandbox; see Determine 8.
Determine 8. Contents of a Home windows Sandbox config file utilized by MirrorFace
Specifically, the config file defines whether or not to allow networking and listing mapping, the devoted reminiscence dimension, and the command to execute on launch. Within the file proven in Determine 8, a batch file situated within the sandbox folder is executed. The batch file extracts AsyncRAT from the 7z archive, then creates and launches a scheduled job that executes AsyncRAT each hour.
The AsyncRAT variant utilized by MirrorFace is closely personalized. The next are the primary options and modifications launched by MirrorFace:
Pattern tagging – AsyncRAT will be compiled for a selected sufferer and MirrorFace can add a tag to the configuration to mark the pattern. If the tag just isn’t specified, the machine’s NetBIOS title is used because the tag. This tag is additional utilized in different launched options as properly.
Connection to a C&C server by way of Tor – MirrorFace’s AsyncRAT can obtain and begin a Tor shopper, and proxy its communication with a C&C server by the shopper. AsyncRAT selects this selection provided that the hardcoded C&C domains finish with .onion. This strategy was chosen in each samples we noticed throughout the investigation of Case 2: Central European diplomatic institute.
Area era algorithm (DGA) – An alternative choice to utilizing Tor, this variant can use a DGA to generate a C&C area. The DGA may generate machine-specific domains utilizing the aforementioned tag. Word that HiddenFace additionally makes use of a DGA with the opportunity of producing machine-specific domains, though the DGA utilized in HiddenFace differs from the AsyncRAT one.
Working time – Earlier than connecting to a C&C server, AsyncRAT checks whether or not the present hour and day of the week are inside working hours and days outlined within the configuration. Word that MirrorFace’s AsyncRAT shares this function with HiddenFace as properly.
Visible Studio Code distant tunnels
Visible Studio Code is a free source-code editor developed by Microsoft. Visible Studio Code’s distant growth function, distant tunnels, permits builders to run Visible Studio Code domestically and hook up with a growth machine that hosts the supply code and debugging setting. Menace actors can misuse this to realize distant entry, execute code, and ship instruments to a compromised machine. MirrorFace has been doing so since 2024; nevertheless, it isn’t the one APT group that has used such distant tunnels: different China-aligned APT teams corresponding to Tropic Trooper and Mustang Panda have additionally used them of their assaults.
Submit-compromise actions
Our investigation into Case 2: Central European diplomatic institute uncovered a few of MirrorFace’s post-compromise actions. By shut collaboration with the institute, we gained higher perception into the malware and instruments deployed by MirrorFace, as seen in Desk 1.
Word that the malware and instruments are ordered within the desk for simpler comparability of what was deployed on every of the 2 recognized compromised machines however doesn’t replicate how they had been deployed chronologically.
Desk 1. Malware and instruments deployed by MirrorFace all through the assault
Instruments
Notes
Machine A
Machine B
ANEL
APT10’s backdoor that MirrorFace makes use of as a first-line backdoor.
●
●
PuTTY
An open-source terminal emulator, serial console, and community file switch utility.
●
●
VS Code
A code editor developed by Microsoft.
●
●
HiddenFace
MirrorFace’s flagship backdoor.
●
●
Second HiddenFace variant
MirrorFace’s flagship backdoor.
●
AsyncRAT
RAT publicly out there on GitHub.
●
●
Hidden Begin
A instrument that can be utilized to bypass UAC, cover Home windows consoles, and run applications within the background.
●
csvde
Reliable Microsoft instrument out there on Home windows servers that imports and exports information from Lively Listing Area Companies (AD DS).
●
Rubeus
Toolset for Kerberos interplay and abuse, publicly out there on GitHub.
●
frp
Quick reverse proxy publicly out there on GitHub.
●
Unknown instrument
Disguised beneath the title oneuu.exe. We had been unable to recuperate the instrument throughout our evaluation.
●
The group selectively deployed post-compromise instruments in line with its targets and the goal’s setting. Machine A belonged to a challenge coordinator and Machine B to an IT worker. The info out there to us means that MirrorFace stole private information from Machine A and sought deeper community entry on Machine B, aligning the assumed targets with the staff’ roles.
Day 0 – August twenty seventh, 2024
MirrorFace operators despatched an e mail with a malicious hyperlink on August twenty sixth, 2024 to the institute’s CEO. Nonetheless, for the reason that CEO didn’t have entry to a machine operating Home windows, the CEO forwarded the e-mail to 2 different workers. Each opened the dangerous LNK file, The EXPO Exhibition in Japan in 2025.docx.lnk, the subsequent day, compromising two institute machines and resulting in the deployment of ANEL. Thus, we think about August twenty seventh, 2024, as Day 0 of the compromise. No extra exercise was noticed past this foothold institution.
Day 1 – August twenty eighth, 2024
The following day, MirrorFace returned and continued with its actions. The group deployed a number of instruments for entry, management, and file supply on each compromised machines. Among the many instruments deployed had been PuTTY, VS Code, and HiddenFace – MirrorFace’s present flagship backdoor. On Machine A, MirrorFace additionally tried to deploy the instrument Hidden Begin. On Machine B, the actor moreover deployed csvde and the personalized variant of AsyncRAT.
Day 2 – August twenty ninth, 2024
On Day 2, MirrorFace was energetic on each machines. This included deploying extra instruments. On Machine A, MirrorFace deployed a second occasion of HiddenFace. On Machine B, VS Code’s distant tunnel, HiddenFace, and AsyncRAT had been executed. Moreover these, MirrorFace additionally deployed and executed frp and Rubeus by way of HiddenFace. That is the final day on which we noticed any MirrorFace exercise on Machine B.
Day 3 – August thirtieth, 2024
MirrorFace remained energetic solely on Machine A. The institute, having began assault mitigation measures on August twenty ninth, 2024, might need prevented additional MirrorFace exercise on Machine B. On Machine A, the group deployed AsyncRAT and tried to keep up persistence by registering a scheduled job.
Day 6 – September 2nd, 2024
Over the weekend, i.e., on August thirty first and September 1st, 2024, Machine A was inactive. On Monday, September 2nd, 2024, Machine A was booted and with it MirrorFace’s exercise resumed as properly. The principle occasion of Day 6 was that the group exported Google Chrome’s internet information corresponding to contact info, key phrases, autofill information, and saved bank card info right into a SQLite database file. We had been unable to find out how MirrorFace exported the info, and whether or not or how the info was exfiltrated.
Conclusion
In 2024, MirrorFace refreshed its TTPs and tooling. It began utilizing ANEL – believed to have been deserted round 2018/2019 – as its first-line backdoor. Mixed with different info, we conclude that MirrorFace is a subgroup beneath the APT10 umbrella. Moreover ANEL, MirrorFace has additionally began utilizing different instruments corresponding to a closely personalized AsyncRAT, Home windows Sandbox, and VS Code distant tunnels.
As part of Operation AkaiRyū, MirrorFace focused a Central European diplomatic institute – to the most effective of our information, that is the primary time the group has attacked an entity in Europe – utilizing the identical refreshed TTPs seen throughout its 2024 campaigns. Throughout this assault, the risk actor used the upcoming World Expo 2025 – to be held in Osaka, Japan – as a lure. This reveals that even contemplating this new broader geographic concentrating on, MirrorFace stays targeted on Japan and occasions associated to it.
Our shut collaboration with the affected group offered a uncommon, in-depth view of post-compromise actions that will have in any other case gone unseen. Nonetheless, there are nonetheless numerous lacking items of the puzzle to attract a whole image of the actions. One of many causes is MirrorFace’s improved operational safety, which has grow to be extra thorough and hinders incident investigations by deleting the delivered instruments and information, clearing Home windows occasion logs, and operating malware in Home windows Sandbox.
For any inquiries about our analysis revealed on WeLiveSecurity, please contact us at threatintel@eset.com.
ESET Analysis provides non-public APT intelligence stories and information feeds. For any inquiries about this service, go to the ESET Menace Intelligence web page.
IoCs
A complete checklist of indicators of compromise (IoCs) and samples will be present in our GitHub repository.
Information
SHA-1
Filename
Detection
Description
018944FC47EE2329B23B74DA31B19E57373FF539
3b3cabc5
Win32/MirrorFace.A
AES-encrypted ANEL.
68B72DA59467B1BB477D0C1C5107CEE8D9078E7E
vsodscpl.dll
Win32/MirrorFace.A
ANELLDR.
02D32978543B9DD1303E5B020F52D24D5EABA52E
AtokLib.dll
Win32/MirrorFace.A
ANELLDR.
2FB3B8099499FEE03EA7064812645AC781AFD502
CodeStartUser.bat
Win32/MirrorFace.A
Malicious batch file.
9B2B9A49F52B37927E6A9F4D6DDB180BE8169C5F
erBkVRZT.bat
Win32/MirrorFace.A
Malicious batch file.
AB65C08DA16A45565DBA930069B5FC5A56806A4C
useractivitybroker.xml
Win32/ FaceXInjector.A
FaceXInjector.
875DC27963F8679E7D8BF53A7E69966523BC36BC
temp.log
Win32/MirrorFace.A
Malicious CAB file.
694B1DD3187E876C5743A0E0B83334DBD18AC9EB
tmp.docx
Win32/MirrorFace.A
Decoy Phrase doc loading malicious template normal_.dotm.
F5BA545D4A16836756989A3AB32F3F6C5D5AD8FF
normal_.dotm
Win32/MirrorFace.A
Phrase template with malicious VBA code.
233029813051D20B61D057EC4A56337E9BEC40D2
The EXPO Exhibition in Japan in 2025.docx.lnk
Win32/MirrorFace.A
Malicious LNK file.
8361F7DBF81093928DA54E3CBC11A0FCC2EEB55A
The EXPO Exhibition in Japan in 2025.zip
Win32/MirrorFace.A
Malicious ZIP archive.
1AFDCE38AF37B9452FB4AC35DE9FCECD5629B891
NK9C4PH_.zip
Win32/MirrorFace.A
Malicious ZIP archive.
E3DA9467D0C89A9312EA199ECC83CDDF3607D8B1
N/A
MSIL/Riskware.Rubeus.A
Rubeus instrument.
D2C25AF9EE6E60A341B0C93DD97566FB532BFBE8
Tk4AJbXk.wsb
Win32/MirrorFace.A
Malicious Home windows Sandbox configuration file.
Community
IP
Area
Internet hosting supplier
First seen
Particulars
N/A
vu4fleh3yd4ehpfpciinnwbnh4b77rdeypubhqr2dgfibjtvxpdxozid(.)onion
N/A
2024‑08‑28
MirrorFace’s AsyncRAT C&C server.
N/A
u4mrhg3y6jyfw2dmm2wnocz3g3etp2xc5thzx77uelk7mrk7qtjmc6qd(.)onion
N/A
2024‑08‑28
MirrorFace’s AsyncRAT C&C server.
45.32.116(.)146
N/A
The Fixed Firm, LLC
2024‑08‑27
ANEL C&C server.
64.176.56(.)26
N/A
The Fixed Firm, LLC
N/A
Distant server for FRP shopper.
104.233.167(.)135
N/A
PEG-TKY1
2024‑08‑27
HiddenFace C&C server.
152.42.202(.)137
N/A
DigitalOcean, LLC
2024‑08‑27
HiddenFace C&C server.
208.85.18(.)4
N/A
The Fixed Firm, LLC
2024‑08‑27
ANEL C&C server.
MITRE ATT&CK methods
This desk was constructed utilizing model 16 of the MITRE ATT&CK framework.
Tactic
ID
Identify
Description
Useful resource Growth
T1587.001
Develop Capabilities: Malware
MirrorFace has developed customized instruments corresponding to HiddenFace.
T1585.002
Set up Accounts: E mail Accounts
MirrorFace created a Gmail account and used it to ship a spearphishing e mail.
T1585.003
Set up Accounts: Cloud Accounts
MirrorFace created a OneDrive account to host malicious information.
T1588.001
Acquire Capabilities: Malware
MirrorFace utilized and customised a publicly out there RAT, AsyncRAT, for its operations.
T1588.002
Acquire Capabilities: Instrument
MirrorFace utilized Hidden Begin in its operations.
Preliminary Entry
T1566.002
Phishing: Spearphishing Hyperlink
MirrorFace despatched a spearphishing e mail with a malicious OneDrive hyperlink.
Execution
T1053.005
Scheduled Process/Job: Scheduled Process
MirrorFace used scheduled duties to execute HiddenFace and AsyncRAT.
T1059.001
Command-Line Interface: PowerShell
MirrorFace used PowerShell instructions to run Visible Studio Code’s distant tunnels.
T1059.003
Command-Line Interface: Home windows Command Shell
MirrorFace used the Home windows command shell to make sure persistence for HiddenFace.
T1204.001
Person Execution: Malicious Hyperlink
MirrorFace relied on the goal to obtain a malicious file from a shared OneDrive hyperlink.
T1204.002
Person Execution: Malicious File
MirrorFace relied on the goal to run a malicious LNK file that deploys ANEL.
T1047
Home windows Administration Instrumentation
MirrorFace used WMI as an execution proxy to run ANEL.
Persistence
T1547.001
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
ANEL makes use of one of many startup directories for persistence.
T1574.001
Hijack Execution Circulate: DLL Search Order Hijacking
MirrorFace side-loads ANEL by dropping a malicious library and a professional executable (e.g., ScnCfg32.Exe)
Protection Evasion
T1027.004
Obfuscated Information or Data: Compile After Supply
FaceXInjector is compiled on each scheduled job run.
T1027.007
Obfuscated Information or Data: Dynamic API Decision
HiddenFace dynamically resolves the mandatory APIs upon its startup.
T1027.011
Obfuscated Information or Data: Fileless Storage
HiddenFace is saved in a registry key on the compromised machine.
T1055
Course of Injection
FaceXInjector is used to inject HiddenFace right into a professional Home windows utility.
T1070.004
Indicator Elimination: File Deletion
As soon as HiddenFace is moved to the registry, the file through which it was delivered is deleted.
T1070.006
Indicator Elimination: Timestomp
HiddenFace can timestomp information in chosen directories.
T1112
Modify Registry
FaceXInjector creates a registry key into which it shops HiddenFace.
T1127.001
Trusted Developer Utilities: MSBuild
MSBuild is abused to execute FaceXInjector.
T1140
Deobfuscate/Decode Information or Data
HiddenFace reads exterior modules from an AES-encrypted file.
T1622
Debugger Evasion
HiddenFace checks whether or not it’s being debugged.
T1564.001
Disguise Artifacts: Hidden Information and Directories
MirrorFace hid directories with AsyncRAT.
T1564.003
Disguise Artifacts: Hidden Window
MirrorFace tried to make use of the instrument Hidden Begin, which might cover home windows.
T1564.006
Disguise Artifacts: Run Digital Occasion
MirrorFace used Home windows Sandbox to run AsyncRAT.
T1070.001
Indicator Elimination: Clear Home windows Occasion Logs
MirrorFace cleared Home windows occasion logs to destroy proof of its actions.
T1036.007
Masquerading: Double File Extension
MirrorFace used a so-called double file extension, .docx.lnk, to deceive its goal.
T1218
Signed Binary Proxy Execution
MirrorFace used wlrmdr.exe as an execution proxy to run ANEL.
T1221
Template Injection
MirrorFace used Phrase template injection to run malicious VBA code.
Discovery
T1012
Question Registry
HiddenFace queries the registry for machine-specific info such because the machine ID.
T1033
System Proprietor/Person Discovery
HiddenFace determines the at the moment logged in person’s title and sends it to the C&C server.
T1057
Course of Discovery
HiddenFace checks at the moment operating processes.
T1082
System Data Discovery
HiddenFace gathers numerous system info and sends it to the C&C server.
T1124
System Time Discovery
HiddenFace determines the system time and sends it to the C&C server.
T1087.002
Account Discovery: Area Account
MirrorFace used the instrument csvde to export information from Lively Listing Area Companies.
Assortment
T1115
Clipboard Information
HiddenFace collects clipboard information and sends it to the C&C server.
T1113
Display Seize
ANEL can take a screenshot and ship it to the C&C server.
Command and Management
T1001.001
Information Obfuscation: Junk Information
HiddenFace provides junk information to the messages despatched to the C&C server.
T1568.002
Dynamic Decision: Area Technology Algorithms
HiddenFace makes use of a DGA to generate C&C server domains.
T1573
Encrypted Channel
HiddenFace communicates with its C&C server over an encrypted channel.
T1071.001
Commonplace Utility Layer Protocol: Internet Protocols
ANEL makes use of HTTP to speak with its C&C server.
T1132.001
Information Encoding: Commonplace Encoding
ANEL makes use of base64 to encode information despatched to the C&C server.
Exfiltration
T1030
Information Switch Dimension Limits
HiddenFace can, upon operator request, cut up information and ship it in chunks to the C&C server.
T1041
Exfiltration Over C2 Channel
HiddenFace exfiltrates requested information to the C&C server.
