hacker

MirrorFace hackers targeting Japanese govt, politicians since 2019

Share:

The National Police Agency (NPA) and the Cabinet Cyber Security Center in Japan have linked a cyber-espionage campaign targeting the country to the Chinese state-backed “MirrorFace” hacking group.

The campaign has been underway since 2019 and is still ongoing, while the Japanese investigators have observed distinct phases with differentiation of targets and attack methods.

In all cases, the primary goal is to steal information on valuable and advanced Japanese technology and gather national security intelligence.

MirrorFace, also known as “Earth Kasha,” was previously observed by ESET conducting attacks on Japanese politicians before elections, using phishing emails to deploy a credential stealer dubbed ‘MirrorStealer’ and also the ‘LODEINFO’ backdoor.

Targeting government and technology

According to NPA’s analysis of the MirrorFace activity, the Chinese hackers exploit flaws in networking equipment, including CVE-2023-28461 in Array Networks, CVE-2023-27997 in Fortinet appliances, and CVE-2023-3519 in Citrix ADC/Gateway.

After breaching the networks, the threat actors infect targeted computers with LODEINFO, ANEL, NOOPDOOR, and other malware families capable of data exfiltration and various backdoors for persistent long-term access.

NPA identified three distinct campaigns conducted by the MirrorFace hackers:

  • Campaign A (2019–2023): Targeted think tanks, government entities, politicians, and media with malware-laden emails to steal information.
  • Campaign B (2023): Exploited software vulnerabilities in internet-connected devices, targeting Japan’s semiconductor, manufacturing, ICT, academia, and aerospace sectors.
  • Campaign C (2024–present): Used malicious email links to infect academia, think tanks, politicians, and media with malware.

Evasion via VSCode and Windows Sandbox

The NPA highlights two evasion methods MirrorFace uses to persist in networks for extended periods without raising any alarms.

The first uses Visual Studio Code tunnels, which are set up by the ANEL malware on the compromised system. These tunnels are used to receive commands to execute on infected systems, which are usually PowerShell commands.

This is a documented tactic previously attributed to other Chinese state-sponsored hackers like STORM-0866 and Sandman APT.

The second evasion method, employed since June 2023, involves the use Windows Sandbox feature to execute LOADEINFO within an isolated environment, bypassing antivirus detection.

Windows Sandbox is a virtualized desktop environment that can safely execute commands and run programs isolated from the host operating system.

However, the host operating system, including Microsoft Defender, does not monitor this environment. This allows the threat actors to run malware that communicates with remote command and control (C2) servers while maintaining local filesystem access to the host via shared folders.

Based on the above, the NPA recommends that system administrators monitor for suspicious PowerShell logs, unauthorized communications with VSCode domains, and unusual sandbox activity.

While it is not possible to log commands executed in Windows Sandbox, the NPA says you can configure Windows policies on the host to audit process creation to detect when the Windows Sandbox is launched and what configuration file was used.

This will allow organizations that do not usually use Windows Sandbox to detect its use and investigate further.

Source

Leave a Comment

Your email address will not be published. Required fields are marked *

loader-image
London, GB
9:35 am, Feb 11, 2025
weather icon 3°C
L: 3° | H: 4°
haze
Humidity: 93 %
Pressure: 1018 mb
Wind: 6 mph WNW
Wind Gust: 0 mph
UV Index: 0
Precipitation: 0 mm
Clouds: 100%
Rain Chance: 0%
Visibility: 5 km
Sunrise: 7:21 am
Sunset: 5:07 pm
DailyHourly
Daily ForecastHourly Forecast
Today 9:00 pm
weather icon
3° | 4°°C 0 mm 0% 4 mph 95 % 1018 mb 0 mm/h
Tomorrow 9:00 pm
weather icon
2° | 7°°C 0 mm 0% 5 mph 96 % 1021 mb 0 mm/h
Thu Feb 13 9:00 pm
weather icon
3° | 7°°C 0 mm 0% 9 mph 77 % 1025 mb 0 mm/h
Fri Feb 14 9:00 pm
weather icon
2° | 6°°C 0 mm 0% 8 mph 78 % 1026 mb 0 mm/h
Sat Feb 15 9:00 pm
weather icon
1° | 5°°C 0 mm 0% 9 mph 75 % 1026 mb 0 mm/h
Today 12:00 pm
weather icon
3° | 3°°C 0 mm 0% 4 mph 95 % 1018 mb 0 mm/h
Today 3:00 pm
weather icon
4° | 4°°C 0 mm 0% 4 mph 88 % 1017 mb 0 mm/h
Today 6:00 pm
weather icon
4° | 4°°C 0 mm 0% 3 mph 86 % 1018 mb 0 mm/h
Today 9:00 pm
weather icon
4° | 4°°C 0 mm 0% 3 mph 84 % 1018 mb 0 mm/h
Tomorrow 12:00 am
weather icon
4° | 4°°C 0 mm 0% 2 mph 88 % 1019 mb 0 mm/h
Tomorrow 3:00 am
weather icon
3° | 3°°C 0 mm 0% 3 mph 92 % 1018 mb 0 mm/h
Tomorrow 6:00 am
weather icon
2° | 2°°C 0 mm 0% 3 mph 96 % 1018 mb 0 mm/h
Tomorrow 9:00 am
weather icon
3° | 3°°C 0 mm 0% 3 mph 91 % 1019 mb 0 mm/h
Name Price24H (%)
Bitcoin(BTC)
€95,301.68
0.60%
Ethereum(ETH)
€2,632.59
2.62%
XRP(XRP)
€2.44
3.10%
Tether(USDT)
€0.97
0.00%
Solana(SOL)
€198.29
-0.05%
USDC(USDC)
€0.97
-0.01%
Dogecoin(DOGE)
€0.259487
6.18%
Shiba Inu(SHIB)
€0.000016
2.26%
Pepe(PEPE)
€0.000010
8.56%
Scroll to Top