- MirrorFace pivoted to spear phishing to target high-profile Japanese
- The group is looking for information regarding China-US relations
- It is using backdoors not seen in years
MirrorFace, a Chinese state-sponsored threat actor also known as Earth Kasha, has been observed departing from its usual practice to target specific individuals, deploying backdoors tailored to those targets.
Cybersecurity researchers from Trend Micro recently observed MirrorFace engaging in spear phishing attacks, targeting individuals in Japan.
Previously, the group focused on business entities, abusing vulnerabilities in edge devices from vendors such as Array Networks and Fortinet for initial access.
Targeting individuals
This time around, MirrorFace seems to be particularly interested in topics around Japan’s national security and international relations, the researchers stressed. They came to this conclusion after analyzing the victims and the lures used in the spear phishing emails. The lures were mostly fake documents discussing Japan’s economic security from the perspective of current US-China relations.
“Many of the targets are individuals, such as researchers, who may have different levels of security measures in place compared to enterprise organizations, making these attacks more difficult to detect,” Trend Micro said. “It is essential to maintain basic countermeasures, such as avoiding opening files attached to suspicious emails.”
Those who failed to spot the attack ended up with two backdoors: NOOPDOOR (also known as HiddenFace) and ANEL (also known as UPPERCUT). Trend Micro said the latter was particularly interesting, since it had not been observed for years.
“An interesting aspect of this campaign is the comeback of a backdoor dubbed ANEL, which was used in campaigns targeting Japan by APT10 until around 2018 and had not been observed since then,” they said. APT10 is likely MirrorFace’s umbrella organization.
Earth Kasha is quite an active group these days. In late November, researchers saw the group targeting organizations in Japan, Taiwan, India, and even Europe, through vulnerabilities in Array AG, ProSelf, and Fortinet products. They were also seen using SoftEther VPN, a legitimate open-source VPN tool, to bypass a target’s firewall and blend into legitimate traffic.
Via The Hacker News