Chinese APT actor MirrorFace has been observed targeting a Central European diplomatic institute in relation to the upcoming Expo 2025 event, cybersecurity firm ESET reports.
Also known as Earth Kasha, MirrorFace is operating under the China-linked state sponsored hacking group APT10, focusing on targeting Japanese entities such as the country’s Foreign and Defense ministries, as well as the country’s space agency, politicians, journalists, private companies, and think tanks.
Dubbed Operation AkaiRyū (RedDragon in Japanese), the campaign against the diplomatic institute is the first known MirrorFace attack against a European entity, and has revealed updated tactics, techniques, and procedures (TTPs), and the addition of new tools to the group’s inventory.
MirrorFace has started using APT10’s former signature backdoor Anel (also known as Uppercut), as well as a customized version of AsyncRAT. The attacks started with carefully crafted spearphishing emails carrying malicious attachments.
The use of Anel strengthens the hypothesis that MirrorFace is a subgroup of APT10, given that the backdoor is exclusive to this Chinese state-sponsored group, ESET notes.
As part of attacks observed between June and September 2024, MirrorFace also deployed a customized variant of AsyncRAT, using a complex execution chain to run it in the Windows Sandbox, and used VS Code for its remote tunnels feature, for stealthy access and code execution.
While the hacking group used Anel in the first stages of the attacks, it also deployed its flagship backdoor HiddenFace at a later stage, further bolstering persistence on the infected systems. In 2024, however, the group did not use the LodeInfo backdoor.
In June 2024, the APT was seen targeting two employees of a Japanese research institute in an attack chain that used a signed McAfee executable to load Anel. In August, the group targeted a Central European diplomatic institute with a malicious OneDrive link leading to an Anel infection.
Other tools and malware used in these attacks include Anelldr (an Anel loader), HiddenFace (backdoor), FaceXInjector (HiddenFace loader), AsyncRAT (delivered using several files and executed inside Windows Sandbox, which is manually enabled and requires a reboot), and Hidden Start (a tool for bypassing UAC).
As part of the diplomatic institute attack, MirrorFace stole data from one system (including contact information, autofill data, keywords, and stored credit card information from Chrome) and set up various tools on a second system to gain deeper network access.
“During this attack, the threat actor used the upcoming World Expo 2025 – to be held in Osaka, Japan – as a lure. This shows that even considering this new broader geographic targeting, MirrorFace remains focused on Japan and events related to it,” ESET notes.
Related: Chinese Botnet Powered by 130,000 Devices Targets Microsoft 365 Accounts
Related: Chinese Cyberspy Possibly Launching Ransomware Attacks as Side Job
Related: CISA Warns of Old jQuery Vulnerability Linked to Chinese APT
Related: Chinese Hackers Exploiting Critical Vulnerability in Array Networks Gateways