TechRadar
Sead Fadilpašić

MirrorFace targets Japan in fresh ANEL and NOOPDOOR spearphishing campaign


  • MirrorFace pivoted to spear phishing to target high-profile Japanese
  • The group is looking for information regarding China-US relations
  • It is using backdoors not seen in years

MirrorFace, a Chinese state-sponsored threat actor also known as Earth Kasha, has been observed stepping away from its usual practice to target specific individuals, with even more specific backdoors.

Cybersecurity researchers from Trend Micro recently observed MirrorFace engaging in spear phishing attacks, targeting individuals in Japan.

Previously, the group was focused on business entities, and abused vulnerabilities in endpoint devices such as Array Networks and Fortinet for initial access.

Targeting individuals

This time around, MirrorFace seems to be particularly interested in topics around Japan’s national security and international relations, the researchers stressed. They came to this conclusion after analyzing the victims and the lures used in the spear phishing emails. The lures were mostly fake documents discussing Japan's economic security from the perspective of current US-China relations.

"Many of the targets are individuals, such as researchers, who may have different levels of security measures in place compared to enterprise organizations, making these attacks more difficult to detect," Trend Micro said. "It is essential to maintain basic countermeasures, such as avoiding opening files attached to suspicious emails."

Those who failed to spot the attack ended up with two backdoors: NOOPDOOR (also known as HiddenFace) and ANEL (also known as UPPERCUT). Trend Micro said the latter was particularly interesting, since it had been basically absent for years.

"An interesting aspect of this campaign is the comeback of a backdoor dubbed ANEL, which was used in campaigns targeting Japan by APT10 until around 2018 and had not been observed since then," they said. APT10 is likely MirrorFace’s umbrella organization.

Earth Kasha is quite an active group these days. In late November, researchers saw the group targeting organizations in Japan, Taiwan, India, and even Europe, through vulnerabilities in Array AG, ProSelf, and Fortinet. They were also seen using SoftEther VPN, a legitimate open-source VPN tool, to bypass a target’s firewall and blend into legitimate traffic.

Via The Hacker News
