- MirrorFace turned to spear phishing to target high-profile Japanese people
- The group is seeking information on China-US relations
- Back doors are used that have not been seen for years
MirrorFace, a Chinese state-sponsored threat actor also known as Earth Kasha, has been observed moving away from its usual practice of targeting specific individuals, with even more specific backdoors.
Cybersecurity researchers at Trend Micro recently spotted MirrorFace engaging in spear phishing attacks targeting individuals in Japan.
Previously, the group focused on enterprise entities and exploited vulnerabilities in endpoint devices such as Array Networks and Fortinet for initial access.
Targeting individuals
This time, MirrorFace appears to be particularly interested in topics surrounding Japanese national security and international relations, the researchers pointed out. They came to this conclusion after analyzing the victims and the lure used in the spearphishing emails. The baits were mostly fake documents discussing Japan’s economic security from the perspective of current US-China relations.
“Many of the targets are individuals, such as researchers, who may have different levels of security measures in place compared to corporate organizations, making these attacks more difficult to detect,” Trend Micro said. “It is essential to maintain basic countermeasures, such as avoiding opening files attached to suspicious emails.”
Those who didn’t notice the attack ended up with two backdoors: EMERGENCY GATE (aka HiddenFace) and ANEL (aka UPPERCUT). Trend Micro said the latter was particularly interesting because it effectively didn’t exist for years.
“An interesting aspect of this campaign is the comeback of a backdoor called ANEL, which was used by APT10 in campaigns targeting Japan until around 2018 and has not been seen since,” they said. APT10 is probably the umbrella organization of MirrorFace.
Earth Kasha is quite an active group these days. In late November, researchers saw the group targeting organizations in Japan, Taiwan, India, and even Europe, through holes in Array AG, ProSelf, and FortiNet. They were also seen using SoftEther VPN, a legitimate open-source VPN tool, to bypass a target’s firewall and blend in with legitimate traffic.
Via The hacker news