hacker

MirrorFace hackers targeting Japanese govt, politicians since 2019

Teilen:

The National Police Agency (NPA) and the Cabinet Cyber Security Center in Japan have linked a cyber-espionage campaign targeting the country to the Chinese state-backed “MirrorFace” hacking group.

The campaign has been underway since 2019 and is still ongoing, while the Japanese investigators have observed distinct phases with differentiation of targets and attack methods.

In all cases, the primary goal is to steal information on valuable and advanced Japanese technology and gather national security intelligence.

MirrorFace, also known as “Earth Kasha,” was previously observed by ESET conducting attacks on Japanese politicians before elections, using phishing emails to deploy a credential stealer dubbed ‘MirrorStealer’ and also the ‘LODEINFO’ backdoor.

Targeting government and technology

According to NPA’s analysis of the MirrorFace activity, the Chinese hackers exploit flaws in networking equipment, including CVE-2023-28461 in Array Networks, CVE-2023-27997 in Fortinet appliances, and CVE-2023-3519 in Citrix ADC/Gateway.

After breaching the networks, the threat actors infect targeted computers with LODEINFO, ANEL, NOOPDOOR, and other malware families capable of data exfiltration and various backdoors for persistent long-term access.

NPA identified three distinct campaigns conducted by the MirrorFace hackers:

  • Campaign A (2019–2023): Targeted think tanks, government entities, politicians, and media with malware-laden emails to steal information.
  • Campaign B (2023): Exploited software vulnerabilities in internet-connected devices, targeting Japan’s semiconductor, manufacturing, ICT, academia, and aerospace sectors.
  • Campaign C (2024–present): Used malicious email links to infect academia, think tanks, politicians, and media with malware.

Evasion via VSCode and Windows Sandbox

The NPA highlights two evasion methods MirrorFace uses to persist in networks for extended periods without raising any alarms.

The first uses Visual Studio Code tunnels, which are set up by the ANEL malware on the compromised system. These tunnels are used to receive commands to execute on infected systems, which are usually PowerShell commands.

This is a documented tactic previously attributed to other Chinese state-sponsored hackers like STORM-0866 and Sandman APT.

The second evasion method, employed since June 2023, involves the use Windows Sandbox feature to execute LOADEINFO within an isolated environment, bypassing antivirus detection.

Windows Sandbox is a virtualized desktop environment that can safely execute commands and run programs isolated from the host operating system.

However, the host operating system, including Microsoft Defender, does not monitor this environment. This allows the threat actors to run malware that communicates with remote command and control (C2) servers while maintaining local filesystem access to the host via shared folders.

Based on the above, the NPA recommends that system administrators monitor for suspicious PowerShell logs, unauthorized communications with VSCode domains, and unusual sandbox activity.

While it is not possible to log commands executed in Windows Sandbox, the NPA says you can configure Windows policies on the host to audit process creation to detect when the Windows Sandbox is launched and what configuration file was used.

This will allow organizations that do not usually use Windows Sandbox to detect its use and investigate further.

Quelle

Kommentar verfassen

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert

lade-bild
London, GB
1:03 am, Juli 1, 2025
Wetter-Symbol 23°C
L: 22° | H: 25°
klarer Himmel
Luftfeuchtigkeit: 71 %
Druck: 1014 mb
Wind: 2 mph
Windböe: 0 mph
UV-Index: 0
Niederschlag: 0 mm
Wolken: 2%
Regen Chance: 0%
Sichtbarkeit: 10 km
Sonnenaufgang: 4:47 am
Sonnenuntergang: 9:20 pm
TäglichStündlich
Tägliche VorhersageStündliche Vorhersage
Today 10:00 pm
Wetter-Symbol
22° | 25°°C 0 mm 0% 11 mph 69 % 1015 mb 0 mm/h
Tomorrow 10:00 pm
Wetter-Symbol
19° | 26°°C 0 mm 0% 12 mph 75 % 1024 mb 0 mm/h
Do. Juli 03 10:00 pm
Wetter-Symbol
14° | 26°°C 0 mm 0% 7 mph 53 % 1029 mb 0 mm/h
Fr. Juli 04 10:00 pm
Wetter-Symbol
16° | 28°°C 0 mm 0% 10 mph 47 % 1028 mb 0 mm/h
Sa. Juli 05 10:00 pm
Wetter-Symbol
16° | 21°°C 1 mm 100% 12 mph 90 % 1019 mb 0 mm/h
Today 4:00 am
Wetter-Symbol
21° | 22°°C 0 mm 0% 3 mph 69 % 1014 mb 0 mm/h
Today 7:00 am
Wetter-Symbol
22° | 23°°C 0 mm 0% 5 mph 64 % 1014 mb 0 mm/h
Today 10:00 am
Wetter-Symbol
28° | 28°°C 0 mm 0% 3 mph 44 % 1014 mb 0 mm/h
Today 1:00 pm
Wetter-Symbol
30° | 30°°C 0 mm 0% 6 mph 32 % 1014 mb 0 mm/h
Today 4:00 pm
Wetter-Symbol
34° | 34°°C 0 mm 0% 8 mph 26 % 1013 mb 0 mm/h
Today 7:00 pm
Wetter-Symbol
32° | 32°°C 0 mm 0% 11 mph 31 % 1013 mb 0 mm/h
Today 10:00 pm
Wetter-Symbol
25° | 25°°C 0 mm 0% 8 mph 46 % 1015 mb 0 mm/h
Tomorrow 1:00 am
Wetter-Symbol
22° | 22°°C 0 mm 0% 7 mph 61 % 1016 mb 0 mm/h
Name Preis24H (%)
Bitcoin(BTC)
€91,726.36
0.08%
Ethereum(ETH)
€2,141.69
2.99%
Fesseln(USDT)
€0.85
0.00%
XRP(XRP)
€1.95
4.59%
Solana(SOL)
€134.28
4.10%
USDC(USDC)
€0.85
0.00%
Dogecoin(DOGE)
€0.142338
1.58%
Shiba Inu(SHIB)
€0.000010
0.00%
Pepe(PEPE)
€0.000009
2.69%
Nach oben scrollen