MirrorFace Spear-Phishing Campaign Targets Japan with Revived ANEL Backdoor
The China-linked advanced persistent threat (APT) group MirrorFace has been running a spear-phishing campaign against individuals and organizations in Japan since June 2024. The operation, which focuses on targets working on national security and international relations, delivers the ANEL and NOOPDOOR backdoors, according to cybersecurity firm Trend Micro.
Key Highlights of the Campaign
- Return of the ANEL Backdoor
  - First developed by APT10 between 2017 and 2018, ANEL was last observed targeting Japan in 2018.
  - The 2024 version adds the ability to execute programs with elevated privileges.
- Shift in Attack Tactics
  - Earlier MirrorFace campaigns exploited vulnerabilities in Array Networks and Fortinet edge devices; this campaign instead relies on spear-phishing aimed at individuals.
  - Lures include interview requests and economic-security themes tied to U.S.-China relations.
- Use of the NOOPDOOR Backdoor: deployed selectively to gather sensitive information and provide continued access to targeted environments.
Attack Methods
The spear-phishing emails, sent from free webmail accounts or compromised accounts, contain links to malicious ZIP files hosted on Microsoft OneDrive. The archives use one of three infection vectors:
- Macro-Enabled Word Documents: run a malicious macro once the recipient opens the file and enables content.
- Windows Shortcut Files with SFX Archives: the shortcut launches a self-extracting archive that loads a macro-enabled template document.
- PowerShell Scripts: drop an embedded cabinet archive and load a malicious template.
Each vector delivers a dropper that Trend Micro calls ROAMINGMOUSE, which stages its malicious components in a way designed to evade detection before launching the ANEL backdoor.
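As an added example (not code from the article or from Trend Micro), the following Python script triages a downloaded ZIP for the three vector types listed above: it flags shortcut, PowerShell and executable entries by extension, and opens any Office Open XML document to check for an embedded VBA project, which is what makes a document "macro-enabled". The archive it inspects is constructed inline to mimic the described lure; the file names and contents are placeholders, not indicators from the report.

```python
import io
import os
import zipfile

# Entry types the article lists as MirrorFace delivery vectors inside the
# OneDrive-hosted ZIP: shortcut files, PowerShell scripts, and the SFX /
# cabinet artefacts they drop. Office documents are checked for a VBA project.
SUSPICIOUS_EXT = {".lnk", ".ps1", ".exe", ".cab", ".scr"}
OFFICE_EXT = {".docm", ".dotm", ".docx", ".dotx", ".xlsm", ".xlsx"}


def ooxml_has_macro(data: bytes) -> bool:
    """True if an Office Open XML file carries a VBA project (e.g. word/vbaProject.bin)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as inner:
            return any(name.lower().endswith("vbaproject.bin") for name in inner.namelist())
    except zipfile.BadZipFile:
        return False


def triage_zip(zip_bytes: bytes) -> dict:
    """Map each suspicious entry name in the archive to the reasons it was flagged."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as outer:
        for info in outer.infolist():
            name = info.filename
            ext = os.path.splitext(name)[1].lower()
            reasons = []
            if ext in SUSPICIOUS_EXT:
                reasons.append(f"script or executable entry ({ext})")
            if ext in OFFICE_EXT and ooxml_has_macro(outer.read(name)):
                reasons.append("Office document with embedded VBA project")
            if reasons:
                findings[name] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample that mimics the article's ZIP: a macro-enabled document,
    a shortcut, a PowerShell loader and one benign file. Not a real sample."""
    docm = io.BytesIO()
    with zipfile.ZipFile(docm, "w") as d:
        d.writestr("[Content_Types].xml", "<Types/>")
        d.writestr("word/document.xml", "<w:document/>")
        d.writestr("word/vbaProject.bin", b"\x00" * 32)  # stands in for the VBA storage
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("interview_request.docm", docm.getvalue())
        z.writestr("interview_request.lnk", b"L\x00\x00\x00" + b"\x00" * 72)  # LNK header stub
        z.writestr("loader.ps1", "# constructed placeholder\n")
        z.writestr("readme.txt", "plain text, nothing to flag\n")
    return outer.getvalue()


if __name__ == "__main__":
    for entry, reasons in triage_zip(build_sample_zip()).items():
        print(entry, "->", "; ".join(reasons))
```

The extension check is deliberately crude; in mail-gateway use it should be paired with content-type sniffing, since an SFX archive is an ordinary PE that may arrive under any name.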
Capabilities of ANEL Backdoor
ANEL, a 32-bit HTTP-based implant, offers the following features:
- Capturing screenshots.
- Uploading and downloading files.
- Executing commands via cmd.exe.
- Running programs with elevated privileges (new in 2024).
Target Profile and Motivations
Trend Micro's analysis highlights:
- Primary Targets: Researchers and other individuals whose security postures vary widely, which makes consistent detection challenging.
- Motivations: Espionage interests in Japan's national security and international relations.
Defense Strategies
To mitigate the risks posed by MirrorFace's campaign, organizations and individuals should:
- Exercise Caution with Emails: Avoid opening attachments or clicking on links from unknown or suspicious sources, including links to file-sharing services such as OneDrive.
- Strengthen Endpoint Security: Use tools capable of detecting macro-enabled malware and advanced persistent threats.
- Monitor for Indicators of Compromise (IoCs): Watch for Office applications spawning PowerShell or other script hosts, PowerShell launched with hidden-window or encoded-command arguments, and unsigned DLLs loaded from user-writable directories (the DLL side-loading pattern).
- Educate Users: Provide training to help users identify phishing attempts and other social engineering tactics.
- Implement Network Segmentation: Limit the spread of malware by isolating critical systems and sensitive data.
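To make the monitoring advice concrete, here is an added Python example (not from the article or from Trend Micro) that applies three detection rules to simplified process-creation and image-load events of the kind Sysmon or an EDR would record: an Office application spawning a script host, PowerShell launched with hidden-window or encoded-command flags, and a signed process loading an unsigned DLL from a user-writable directory (the DLL side-loading pattern). The event records, the paths and the `signedtool.exe` host binary are constructed for illustration and are not indicators from the report.

```python
import re

# Parent/child relationships and command-line patterns that correspond to the
# article's two monitoring points: unauthorized PowerShell execution and DLL
# side-loading. Event shape is a simplified Sysmon-style record (constructed here).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\", re.IGNORECASE)
HIDDEN_OR_ENCODED = re.compile(r"-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-nop(rofile)?\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list:
    """Return the names of every rule the event matches (empty list if none)."""
    hits = []
    if event["type"] == "process_create":
        image = basename(event["image"])
        parent = basename(event["parent_image"])
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            hits.append("office-app-spawned-script-host")
        if image in POWERSHELL and HIDDEN_OR_ENCODED.search(event.get("command_line", "")):
            hits.append("powershell-hidden-or-encoded")
    elif event["type"] == "image_load":
        # A signed process pulling an unsigned DLL out of a user-writable folder is the
        # classic side-loading shape: the legitimate EXE and the attacker's DLL are
        # dropped together and the EXE resolves the DLL by name from its own directory.
        if (event["process_signed"] and not event["dll_signed"]
                and USER_WRITABLE.search(event["image_loaded"])):
            hits.append("possible-dll-sideload")
    return hits


def scan(events) -> list:
    """Run every rule over every event; yields (event id, rule name) pairs in order."""
    return [(e["id"], rule) for e in events for rule in evaluate(e)]


# Constructed sample events; names and paths are illustrative, not indicators from the report.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -enc SQBFAFgAIAAoAC4ALgAuACkA"},
    {"id": 2, "type": "process_create",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\interview_request.docm"'},
    {"id": 3, "type": "image_load",
     "image": r"C:\Users\alice\AppData\Roaming\Update\signedtool.exe",  # hypothetical signed host EXE
     "image_loaded": r"C:\Users\alice\AppData\Roaming\Update\helper.dll",
     "process_signed": True, "dll_signed": False},
    {"id": 4, "type": "image_load",
     "image": r"C:\Windows\System32\svchost.exe",
     "image_loaded": r"C:\Windows\System32\kernel32.dll",
     "process_signed": True, "dll_signed": True},
    {"id": 5, "type": "process_create",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for event_id, rule in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

On real telemetry the side-loading rule needs the signature fields your EDR actually exposes and an allowlist for software that legitimately runs unsigned DLLs out of AppData (Electron-based apps and self-updaters are common false positives); the scheduled inventory script in event 5 is deliberately left unflagged to show that not every PowerShell launch is "unauthorized".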
MirrorFace's return to spear-phishing and its deployment of the ANEL backdoor underscore the evolving tactics of APT groups. By targeting individuals with sophisticated lures, the group raises the stakes for both personal and national security in Japan. Maintaining vigilance and implementing robust security measures remain critical to countering such advanced threats.