MirrorFace
MirrorFace is a China-aligned threat actor active since at least 2019 and often linked to APT10. It has focused heavily on Japanese entities, including media organizations, defense-related companies, think tanks, political entities, academic institutes, and at least one Japanese research institute. The group is associated with Operation AkaiRyū and uses both custom malware and customized variants of publicly available tools. Malware and tooling tied to MirrorFace in the collected reporting include LODEINFO, HiddenFace (also called NOOPDOOR), FaceXInjector (also called NOOPLDR), UPPERCUT, and MSRAStealer (also written MRSAStealer), alongside public tools such as Cobalt Strike, FRP, Rubeus, GOST, and PuTTY.

Observed initial access and delivery methods include spearphishing sent from compromised and free email accounts, OneDrive-hosted payloads, remote Word templates containing VBA code, spearphishing attachments built on UDL files, and exploitation of vulnerabilities in Fortinet FortiGate (FortiOS/FortiProxy) and Array AG devices. In one 2023 intrusion at a Japanese research institute, MirrorFace gained access through a FortiOS or FortiProxy vulnerability rather than spearphishing, deployed LODEINFO, and then deployed HiddenFace.

For execution, MirrorFace has used cmd.exe to run malware, enumerate files, and manipulate files by hand, and during Operation AkaiRyū used cmd.exe to launch PowerShell commands that dropped additional files. The group also executed tooling through MSBuild and WMI, sideloaded malicious DLLs alongside legitimate executables, and abused a signed McAfee executable to load UPPERCUT. It further exploited a known weakness in Windows digital signature verification: encrypted data was appended inside the signature block of signed executables, and the files still passed signature validation.
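The appended-data trick above rests on a detail of the PE Authenticode format: each WIN_CERTIFICATE entry in the security directory carries its own dwLength, and Windows has long accepted entries whose dwLength runs past the end of the PKCS#7 SignedData structure they wrap (the fix is opt-in through the EnableCertPaddingCheck registry value under Wintrust\Config). The script below is an added example, not code from this page or from any vendor reporting on MirrorFace: it parses the certificate table by hand and reports non-zero bytes after the DER structure. The table it builds for the demonstration is constructed around a fake SignedData blob, so only the length bookkeeping is exercised; make_cert_table and FAKE_SIGNEDDATA are illustrative helpers, not anything MirrorFace used.

```python
"""Flag data appended after the PKCS#7 blob inside a PE Authenticode signature.

Added example, not from the page or any vendor. Parses the WIN_CERTIFICATE
table by hand; make_cert_table and FAKE_SIGNEDDATA are constructed helpers.
"""
import struct

WIN_CERT_HEADER = 8                 # dwLength (4) + wRevision (2) + wCertificateType (2)
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
WIN_CERT_REVISION_2_0 = 0x0200

# Constructed stand-in for a SignedData blob: a DER SEQUENCE holding only the
# signedData OID (1.2.840.113549.1.7.2). Real signatures are kilobytes long.
FAKE_SIGNEDDATA = b"\x30\x0b\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"


def der_total_length(blob: bytes) -> int:
    """Byte length of the outermost DER SEQUENCE in blob, tag and length included."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("certificate body does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                            # short form: one length byte
        return 2 + first
    n = first & 0x7F                            # long form: n length bytes follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("unsupported DER length encoding")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def find_appended_data(cert_table: bytes):
    """Return [(entry_offset, tail_bytes)] for every PKCS#7 entry whose dwLength
    covers non-zero bytes beyond the end of its DER structure."""
    findings = []
    off = 0
    while off + WIN_CERT_HEADER <= len(cert_table):
        dw_length, _revision, cert_type = struct.unpack_from("<IHH", cert_table, off)
        if dw_length < WIN_CERT_HEADER or off + dw_length > len(cert_table):
            raise ValueError(f"WIN_CERTIFICATE at {off} has bad dwLength {dw_length}")
        body = cert_table[off + WIN_CERT_HEADER:off + dw_length]
        if cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            tail = body[der_total_length(body):]
            # Entries are padded to 8 bytes, so a short run of zeros is normal;
            # anything else in the tail is smuggled data the verifier ignores.
            if tail.strip(b"\x00"):
                findings.append((off, tail))
        off += (dw_length + 7) & ~7             # next entry on an 8-byte boundary
    return findings


def check_pe(path: str):
    """Locate the certificate table through the security data directory and scan it."""
    with open(path, "rb") as f:
        data = f.read()
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 4 + 20                     # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)  # data directories: PE32+ vs PE32
    sec_off, sec_size = struct.unpack_from("<II", data, dirs + 4 * 8)  # entry 4 = security
    if sec_off == 0 or sec_size == 0:
        return []                               # unsigned file: nothing to check
    # For the security directory the "VirtualAddress" field is a raw file offset.
    return find_appended_data(data[sec_off:sec_off + sec_size])


def make_cert_table(der_blob: bytes, appended: bytes = b"") -> bytes:
    """Build one WIN_CERTIFICATE entry around der_blob (constructed helper)."""
    body = der_blob + appended
    body += b"\x00" * (-len(body) % 8)          # normal 8-byte alignment padding
    return struct.pack("<IHH", WIN_CERT_HEADER + len(body),
                       WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body


if __name__ == "__main__":
    print("clean   :", find_appended_data(make_cert_table(FAKE_SIGNEDDATA)))
    print("tampered:", find_appended_data(make_cert_table(FAKE_SIGNEDDATA, b"ENCRYPTED-STAGE-2")))
```

Run it against a real signed binary with check_pe("path"); a clean file returns an empty list. Short zero runs are expected because entries are padded to 8 bytes, so only non-zero tail bytes are reported, and the offset returned is relative to the start of the certificate table.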
HiddenFace uses scheduled tasks to launch MSBuild with malicious XML project files, loads encrypted payloads, stores machine-specific encrypted payloads in the registry, injects into legitimate Windows utilities such as perfmon.exe, wermgr.exe, or powercfg.exe, resolves APIs dynamically, restricts DLL loading to Microsoft-signed DLLs, and checks for analysis tools. Its C2 channel runs over TCP/443 with an RSA-2048 exchange followed by symmetric ciphers, and it also supports a passive mode in which it listens on configured ports, modifying Windows Firewall rules to let that traffic in.

Post-compromise activity described in the collected reporting includes obtaining domain user information, running nltest.exe /domain_trusts to map domain trust relationships, using ping for system discovery, enumerating files and directories, and targeting documents with extensions such as .doc, .ppt, .xls, .jtd, .eml, .xps, and .pdf. The group exported Chrome web data (contacts, keywords, autofill data, and stored credit card information), exfiltrated stored emails, and gathered files of interest from victim systems. Collected data was staged on a single victim machine, archived with rar.exe or Makecab, and exfiltrated over SCP, SFTP, and RDP.

For credential access, MirrorFace deployed MSRAStealer (also written MRSAStealer) as both a password filter DLL and an LSA authentication package, capturing credentials at logon and during password changes and writing them to an AES-256-CBC-encrypted file for later exfiltration. The reporting also states that MirrorFace dumped credentials from LSASS memory, the SAM hive, and NTDS.dit.
Defense evasion and cleanup behaviors include disabling Windows Defender, modifying the Windows host firewall to allow communication over specific ports, deleting Windows event logs, removing malware directories, archives, delivered tools, and other files from compromised hosts, disguising payloads as PEM files and LNK or self-extracting files as Word documents, and using Base64-encoded shellcode in infection chains to evade detection.
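The behaviours above translate into a handful of process-creation and registry hunts. The script below is an added example, not code from this page or from any detection vendor: it encodes those behaviours as rules over event records whose fields are modelled loosely on Sysmon Event ID 1 (process create) and 13 (registry value set), and runs them over a constructed batch of events. The rule names, the event shape, and every path and command line in SAMPLE_EVENTS are assumptions for illustration. The benign last event shows that the MSBuild rule keys on the scheduled-task parent (svchost.exe hosting the Schedule service) plus an XML project argument rather than on MSBuild alone.

```python
"""Hunting rules for the MirrorFace/HiddenFace behaviours described above.

Added example, not code from the page or any vendor. Event fields are modelled
loosely on Sysmon Event ID 1 (process create) and 13 (registry value set);
SAMPLE_EVENTS, its paths and the rule names are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str               # "process" or "registry"
    image: str = ""         # process: created image; registry: process writing the value
    parent: str = ""        # process: parent image
    cmdline: str = ""       # process: full command line
    target: str = ""        # registry: value path
    details: str = ""       # registry: new value data


def _ends(path: str, name: str) -> bool:
    return path.lower().endswith(name)


def _has(text: str, *needles: str) -> bool:
    low = text.lower()
    return all(n in low for n in needles)


# (rule name, predicate). Each rule maps to one behaviour in the profile text.
RULES = [
    # HiddenFace: scheduled task launches MSBuild on a malicious XML project.
    # Task Scheduler runs tasks from svchost.exe (Schedule service), so a
    # developer's MSBuild run from an IDE or shell does not match.
    ("hiddenface_msbuild_task", lambda e: e.kind == "process"
        and _ends(e.image, "msbuild.exe") and _ends(e.parent, "svchost.exe")
        and re.search(r"\.xml\b", e.cmdline, re.I) is not None),
    # Domain trust discovery.
    ("nltest_domain_trusts", lambda e: e.kind == "process"
        and _ends(e.image, "nltest.exe") and _has(e.cmdline, "/domain_trusts")),
    # cmd.exe used to launch PowerShell (Operation AkaiRyū file drops).
    ("cmd_spawns_powershell", lambda e: e.kind == "process"
        and _ends(e.parent, "cmd.exe") and _ends(e.image, "powershell.exe")),
    # Host firewall opened for an inbound port (HiddenFace passive listener).
    ("firewall_rule_added", lambda e: e.kind == "process"
        and _ends(e.image, "netsh.exe")
        and _has(e.cmdline, "advfirewall", "add rule", "dir=in")),
    # Archiving before exfiltration with rar.exe or makecab.
    ("archive_for_exfil", lambda e: e.kind == "process"
        and (_ends(e.image, "rar.exe") or _ends(e.image, "makecab.exe"))),
    # Password filter / authentication package registration (MSRAStealer).
    ("lsa_package_modified", lambda e: e.kind == "registry"
        and re.search(r"\\control\\lsa\\(notification|authentication) packages$",
                      e.target.lower()) is not None),
]

SAMPLE_EVENTS = [   # constructed; every path and command line is illustrative
    Event("process", image=r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
          parent=r"C:\Windows\System32\svchost.exe",
          cmdline=r"MSBuild.exe C:\ProgramData\Sys\update.xml"),
    Event("process", image=r"C:\Windows\System32\nltest.exe",
          parent=r"C:\Windows\System32\cmd.exe", cmdline="nltest /domain_trusts"),
    Event("process", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\System32\cmd.exe",
          cmdline=r"powershell -NoProfile -WindowStyle Hidden -File C:\ProgramData\Sys\stage.ps1"),
    Event("process", image=r"C:\Windows\System32\netsh.exe",
          parent=r"C:\Windows\System32\perfmon.exe",
          cmdline='netsh advfirewall firewall add rule name="Update" dir=in action=allow '
                  'protocol=TCP localport=8443'),
    Event("process", image=r"C:\Tools\rar.exe", parent=r"C:\Windows\System32\cmd.exe",
          cmdline=r"rar.exe a -r C:\ProgramData\Sys\out.rar C:\Users\alice\Documents\*.docx"),
    Event("registry", image=r"C:\Windows\System32\reg.exe",
          target=r"HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages",
          details="scecli rassfm msra"),
    # Benign: MSBuild launched from Visual Studio on a .csproj; no rule should fire.
    Event("process", image=r"C:\Program Files\Microsoft Visual Studio\2022\MSBuild\Current\Bin\MSBuild.exe",
          parent=r"C:\Program Files\Microsoft Visual Studio\2022\Common7\IDE\devenv.exe",
          cmdline="MSBuild.exe App.csproj"),
]


def evaluate(events):
    """Return [(event_index, rule_name)] for every rule that fires, in event order."""
    return [(i, name) for i, ev in enumerate(events) for name, pred in RULES if pred(ev)]


if __name__ == "__main__":
    for i, name in evaluate(SAMPLE_EVENTS):
        print(f"event {i}: {name}")
```

Each rule is deliberately narrow so it can be tuned on its own: the LSA rule, for instance, fires on any write to Notification Packages or Authentication Packages, and in a real deployment you would compare the new value in the details field against a known-good baseline before raising an alert.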
Tradecraft
79 distinct techniques observed across reporting, grouped by tactic and mapped to their MITRE ATT&CK descriptions.
Associated malware families
11 malware families attributed to this actor across reporting.
6 additional families tracked in Mallory.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Conducting spearphishing-led intrusion and espionage activity, including credential theft, malware deployment, data collection, staging, and exfiltration. The group uses custom malware and public tools, exploits FortiGate and Array AG devices for initial access, and employed multiple post-compromise discovery, credential dumping, defense evasion, and lateral movement techniques during Operation AkaiRyū.
Listed as a threat actor associated with the malicious file execution technique detected by this analytic.
Referenced as a threat actor associated with proxy-based command-and-control behavior relevant to abuse of tunneling/proxy mechanisms.
Referenced as a threat actor associated with proxy-based command-and-control behavior relevant to the detection of Microsoft Dev Tunnels execution.