MirrorFace targets Japan in fresh ANEL and NOOPDOOR spearphishing campaign

Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol

(Image credit: Shutterstock)

MirrorFace pivoted to spear phishing to target high-profile Japanese
The group is looking for information regarding China-US relations
It is using backdoors not seen in years

MirrorFace, a Chinese state-sponsored threat actor also known as Earth Kasha, has been observed stepping away from its usual practice to target specific individuals, with even more specific backdoors.

Cybersecurity researchers from Trend Micro recently observed MirrorFace engaging in spear phishing attacks, targeting individuals in Japan.

Previously, the group was focused on business entities, and abused vulnerabilities in endpoint devices such as Array Networks and Fortinet for initial access.

Targeting individuals

This time around, MirrorFace seems to be particularly interested in topics around Japan’s national security and international relations, the researchers stressed. They came to this conclusion after analyzing the victims, and the lures used in the spear phishing emails. The lures were mostly fake documents discussing Japan's economic security from the perspective of the current US - China relations.

"Many of the targets are individuals, such as researchers, who may have different levels of security measures in place compared to enterprise organizations, making these attacks more difficult to detect," Trend Micro said. "It is essential to maintain basic countermeasures, such as avoiding opening files attached to suspicious emails."

Those who failed to spot the attack, ended up getting two backdoors - NOODPOOR (also known as HiddenFace) and ANEL (also known as UPPERCUT). Trend Micro said the latter was particularly interesting, since it was basically nonexistent for years.

"An interesting aspect of this campaign is the comeback of a backdoor dubbed ANEL, which was used in campaigns targeting Japan by APT10 until around 2018 and had not been observed since then," they said. APT10 is likely MirrorFace’s umbrella organization.

Earth Kasha is quite an active group these days. In late November, researchers saw the group targeting organizations in Japan, Taiwan, India, and even Europe, through holes in Array AG, ProSelf, and FortiNet. They were also seen using SoftEther VPN, a legitimate open-source VPN tool, to bypass a target’s firewall and blend into legitimate traffic.

Via The Hacker News

US government agencies told to patch these critical security flaws or face attack
Here's a list of the best antivirus
These are the best endpoint protection tools right now

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.