Unmasking MirrorFace: Operation LiberalFace targeting Japanese political entities

ESET researchers discovered a spearphishing campaign, launched in the weeks leading up to the Japanese House of Councillors election in July 2022, by the APT group that ESET Research tracks as MirrorFace. The campaign, which we have named Operation LiberalFace, targeted Japanese political entities; our investigation revealed that the members of a specific political party were of particular focus in this campaign. ESET Research unmasked details about this campaign and the APT group behind it at the AVAR 2022 conference at the beginning of this month.

Key points of the blogpost:

  • At the end of June 2022, MirrorFace launched a campaign, which we have named Operation LiberalFace, that targeted Japanese political entities.
  • Spearphishing email messages containing the group’s flagship backdoor LODEINFO were sent to the targets.
  • LODEINFO was used to deliver additional malware, exfiltrate the victim’s credentials, and steal the victim’s documents and emails.
  • A previously undescribed credential stealer we have named MirrorStealer was used in Operation LiberalFace.
  • ESET Research performed an analysis of the post-compromise activities, which suggests that the observed actions were carried out in a manual or semi-manual manner.
  • Details about this campaign were shared at the AVAR 2022 conference.

MirrorFace is a Chinese-speaking threat actor targeting companies and organizations based in Japan. While there is some speculation that this threat actor might be related to APT10 (Macnica, Kaspersky), ESET is unable to attribute it to any known APT group. Therefore, we are tracking it as a separate entity that we’ve named MirrorFace. In particular, MirrorFace and LODEINFO, its proprietary malware used exclusively against targets in Japan, have been reported as targeting media, defense-related companies, think tanks, diplomatic organizations, and academic institutions. The goal of MirrorFace is espionage and exfiltration of files of interest.

We attribute Operation LiberalFace to MirrorFace based on these indicators:

  • To the best of our knowledge, LODEINFO malware is exclusively used by MirrorFace.
  • The targets of Operation LiberalFace align with traditional MirrorFace targeting.
  • A second-stage LODEINFO malware sample contacted a C&C server that we track internally as part of MirrorFace infrastructure.

One of the spearphishing emails sent in Operation LiberalFace posed as an official communication from the PR department of a specific Japanese political party, containing a request related to the House of Councillors elections, and was purportedly sent on behalf of a prominent politician. All spearphishing emails contained a malicious attachment that upon execution deployed LODEINFO on the compromised machine.

Additionally, we discovered that MirrorFace has used previously undocumented malware, which we have named MirrorStealer, to steal its target’s credentials. We believe this is the first time this malware has been publicly described.

In this blogpost, we cover the observed post-compromise activities, including the C&C commands sent to LODEINFO to carry out the actions. Based on certain activities performed on the affected machine, we think that the MirrorFace operator issued commands to LODEINFO in a manual or semi-manual manner.

Initial access

MirrorFace started the attack on June 29th, 2022, distributing spearphishing emails with a malicious attachment to the targets. The subject of the email was <redacted>SNS用動画 拡散のお願い (translation from Google Translate: [Important] <redacted> Request for spreading videos for SNS). Figure 1 and Figure 2 show its content.

Figure 1. Original text of the email

Figure 2. Translated version

Purporting to be a Japanese political party’s PR department, MirrorFace asked the recipients to distribute the attached videos on their own social media profiles (SNS – Social Network Service) to further strengthen the party’s PR and to secure victory in the House of Councillors. Furthermore, the email provides clear instructions on the videos’ publication strategy.

Since the House of Councillors election was held on July 10th, 2022, this email clearly indicates that MirrorFace sought the opportunity to attack political entities. Also, specific content in the email indicates that members of a particular political party were targeted.

MirrorFace also used another spearphishing email in the campaign, where the attachment was titled 【参考】220628<redacted>発・<redacted>選挙管理委員会宛文書(添書分).exe (translation from Google Translate: [Reference] 220628 Documents from the Ministry of <redacted> to <redacted> election administration committee (appendix).exe). The attached decoy document (shown in Figure 3) references the House of Councillors election as well.

Figure 3. Decoy document shown to the target

In both cases, the emails contained malicious attachments in the form of self-extracting WinRAR archives with deceptive names <redacted>SNS用動画 拡散のお願い.exe (translation from Google Translate: <redacted> Request for spreading videos for SNS.exe) and 【参考】220628<redacted>発・<redacted>選挙管理委員会宛文書(添書分).exe (translation from Google Translate: [Reference] 220628 Documents from the Ministry of <redacted> to <redacted> election administration committee (appendix).exe) respectively.

These EXEs extract their archived content into the %TEMP% folder. In particular, four files are extracted:

  • K7SysMon.exe, a benign application developed by K7 Computing Pvt Ltd vulnerable to DLL search order hijacking
  • K7SysMn1.dll, a malicious loader
  • K7SysMon.Exe.db, encrypted LODEINFO malware
  • A decoy document

Then, the decoy document is opened to deceive the target and to appear benign. As the last step, K7SysMon.exe is executed which loads the malicious loader K7SysMn1.dll dropped alongside it. Finally, the loader reads the content of K7SysMon.Exe.db, decrypts it, and then executes it. Note this approach was also observed by Kaspersky and described in their report.

Toolset

In this section, we describe the malware MirrorFace utilized in Operation LiberalFace.

LODEINFO

LODEINFO is a MirrorFace backdoor that is under continual development. JPCERT reported about the first version of LODEINFO (v0.1.2), which appeared around December 2019; its functionality allows capturing screenshots, keylogging, killing processes, exfiltrating files, and executing additional files and commands. Since then, we have observed several changes introduced to each of its versions. For instance, version 0.3.8 (which we first detected in June 2020) added the command ransom (which encrypts defined files and folders), and version 0.5.6 (which we detected in July 2021) added the command config, which allows operators to modify its configuration stored in the registry. Besides the JPCERT reporting mentioned above, a detailed analysis of the LODEINFO backdoor was also published earlier this year by Kaspersky.

In Operation LiberalFace, we observed MirrorFace operators utilizing both the regular LODEINFO and what we call the second-stage LODEINFO malware. The second-stage LODEINFO can be distinguished from the regular LODEINFO by looking at the overall functionality. In particular, the second-stage LODEINFO accepts and runs PE binaries and shellcode outside of the implemented commands. Furthermore, the second-stage LODEINFO can process the C&C command config, but the functionality for the command ransom is missing.

Finally, the data received from the C&C server differs between the regular LODEINFO and the second-stage one. For the second-stage LODEINFO, the C&C server prepends random web page content to the actual data. See Figure 4, Figure 5, and Figure 6 depicting the received data difference. Notice the prepended code snippet differs for every received data stream from the second-stage C&C.

Figure 4. Data received from the first-stage LODEINFO C&C

Figure 5. Data received from the second-stage C&C

Figure 6. Another data stream received from the second-stage C&C

MirrorStealer

MirrorStealer, internally named 31558_n.dll by MirrorFace, is a credential stealer. To the best of our knowledge, this malware has not been publicly described. In general, MirrorStealer steals credentials from various applications such as browsers and email clients. Interestingly, one of the targeted applications is Becky!, an email client that is currently only available in Japan. All the stolen credentials are stored in %TEMP%31558.txt and since MirrorStealer doesn’t have the capability to exfiltrate the stolen data, it depends on other malware to do it.

Post-compromise activities

During our research, we were able to observe some of the commands that were issued to compromised computers.

Initial environment observation

Once LODEINFO was launched on the compromised machines and they had successfully connected to the C&C server, an operator started issuing commands (see Figure 7).

Figure 7. Initial environment observation by the MirrorFace operator via LODEINFO

First, the operator issued one of the LODEINFO commands, print, to capture the screen of the compromised machine. This was followed by another command, ls, to see the content of the current folder in which LODEINFO resided (i.e., %TEMP%). Right after that, the operator utilized LODEINFO to obtain network information by running net view and net view /domain. The first command returns the list of computers connected to the network, while the second returns the list of available domains.

Credential and browser cookie stealing

Having collected this basic information, the operator moved to the next phase (see Figure 8).

Figure 8. Flow of instructions sent to LODEINFO to deploy credential stealer, collect credentials and browser cookies, and exfiltrate them to the C&C server

The operator issued the LODEINFO command send with the subcommand -memory to deliver MirrorStealer malware to the compromised machine. The subcommand -memory was used to indicate to LODEINFO to keep MirrorStealer in its memory, meaning the MirrorStealer binary was never dropped on disk. Subsequently, the command memory was issued. This command instructed LODEINFO to take MirrorStealer, inject it into the spawned cmd.exe process, and run it.

Once MirrorStealer had collected the credentials and stored them in %temp%31558.txt, the operator used LODEINFO to exfiltrate the credentials.

The operator was interested in the victim’s browser cookies as well. However, MirrorStealer doesn’t possess the capability to collect those. Therefore, the operator exfiltrated the cookies manually via LODEINFO. First, the operator used the LODEINFO command dir to list the contents of the folders %LocalAppData%GoogleChromeUser Data and %LocalAppData%MicrosoftEdgeUser Data. Then, the operator copied all the identified cookie files into the %TEMP% folder. Next, the operator exfiltrated all the collected cookie files using the LODEINFO command recv. Finally, the operator deleted the copied cookie files from the %TEMP% folder in an attempt to remove the traces.

Document and email stealing

In the next step, the operator exfiltrated documents of various kinds as well as stored emails (see Figure 9).

Figure 9. Flow of the instructions sent to LODEINFO to exfiltrate files of interest

For that, the operator first utilized LODEINFO to deliver the WinRAR archiver (rar.exe). Using rar.exe, the operator collected and archived files of interest that were modified after 2022-01-01 from the folders %USERPROFILE% and C:$Recycle.Bin. The operator was interested in all such files with the extensions .doc*, .ppt*, .xls*, .jtd, .eml, .*xps, and .pdf.

Notice that besides the common document types, MirrorFace was also interested in files with the .jtd extension. This represents documents of the Japanese word processor Ichitaro developed by JustSystems.

Once the archive was created, the operator delivered the Secure Copy Protocol (SCP) client from the PuTTY suite (pscp.exe) and then used it to exfiltrate the just-created RAR archive to the server at 45.32.13[.]180. This IP address had not been observed in previous MirrorFace activity and had not been used as a C&C server in any LODEINFO malware that we have observed. Right after the archive was exfiltrated, the operator deleted rar.exe, pscp.exe, and the RAR archive to clean up the traces of the activity.

Deployment of second-stage LODEINFO

The last step we observed was delivering the second-stage LODEINFO (see Figure 10).

Figure 10. Flow of instructions sent to LODEINFO to deploy second-stage LODEINFO

The operator delivered the following binaries: JSESPR.dll, JsSchHlp.exe, and vcruntime140.dll to the compromised machine. The original JsSchHlp.exe is a benign application signed by JUSTSYSTEMS CORPORATION (makers of the previously mentioned Japanese word processor, Ichitaro). However, in this case the MirrorFace operator abused a known Microsoft digital signature verification issue and appended RC4 encrypted data to the JsSchHlp.exe digital signature. Because of the mentioned issue, Windows still considers the modified JsSchHlp.exe to be validly signed.

JsSchHlp.exe is also susceptible to DLL side-loading. Therefore, upon execution, the planted JSESPR.dll is loaded (see Figure 11).

Figure 11. Execution flow of second-stage LODEINFO

JSESPR.dll is a malicious loader that reads the appended payload from JsSchHlp.exe, decrypts it, and runs it. The payload is the second-stage LODEINFO, and once running, the operator utilized the regular LODEINFO to set the persistence for the second-stage one. In particular, the operator ran the reg.exe utility to add a value named JsSchHlp to the Run registry key holding the path to JsSchHlp.exe.

However, it appears to us the operator didn’t manage to make the second-stage LODEINFO communicate properly with the C&C server. Therefore, any further steps of the operator utilizing the second-stage LODEINFO remain unknown to us.

Interesting observations

During the investigation, we made a few interesting observations. One of them is that the operator made a few errors and typos when issuing commands to LODEINFO. For example, the operator sent the string cmd /c dir “c:use” to LODEINFO, which most likely was supposed to be cmd /c dir “c:users”.

This suggests the operator is issuing commands to LODEINFO in a manual or semi-manual manner.

Our next observation is that even though the operator performed a few cleanups to remove traces of the compromise, the operator forgot to delete %temp%31558.txt – the log containing the stolen credentials. Thus, at least this trace remained on the compromised machine and it shows us that the operator was not thorough in the cleanup process.

Conclusion

MirrorFace continues to aim for high-value targets in Japan. In Operation LiberalFace, it specifically targeted political entities using the then-upcoming House of Councillors election to its advantage. More interestingly, our findings indicate MirrorFace particularly focused on the members of a specific political party.

During the Operation LiberalFace investigation, we managed to uncover further MirrorFace TTPs, such as the deployment and utilization of additional malware and tools to collect and exfiltrate valuable data from victims. Moreover, our investigation revealed that the MirrorFace operators are somewhat careless, leaving traces and making various mistakes.

For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.

ESET Research also offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.

IoCs

Files

SHA-1FilenameESET detection nameDescription
F4691FF3B3ACD15653684F372285CAC36C8D0AEFK7SysMn1.dllWin32/Agent.ACLPLODEINFO loader.
DB81C8719DDAAE40C8D9B9CA103BBE77BE4FCE6CK7SysMon.Exe.dbN/AEncrypted LODEINFO.
A8D2BE15085061B753FDEBBDB08D301A034CE1D5JsSchHlp.exeWin32/Agent.ACLPJsSchHlp.exe with appended encrypted second-stage LODEINFO in the security directory.
0AB7BB3FF583E50FBF28B288E71D3BB57F9D1395JSESPR.dllWin32/Agent.ACLPSecond-stage LODEINFO loader.
E888A552B00D810B5521002304D4F11BC249D8ED31558_n.dllWin32/Agent.ACLPMirrorStealer credential stealer.

Network

IPProviderFirst SeenDetails
5.8.95[.]174G-Core Labs S.A.2022-06-13LODEINFO C&C server.
45.32.13[.]180AS-CHOOPA2022-06-29Server for data exfiltration.
103.175.16[.]39Gigabit Hosting Sdn Bhd2022-06-13LODEINFO C&C server.
167.179.116[.]56AS-CHOOPA2021-10-20www.ninesmn[.]com, second-stage LODEINFO C&C server.
172.105.217[.]233Linode, LLC2021-11-14www.aesorunwe[.]com, second-stage LODEINFO C&C server.

MITRE ATT&CK techniques

This table was built using version 12 of the MITRE ATT&CK framework.

Note that although this blogpost does not provide a complete overview of LODEINFO capabilities because this information is already available in other publications, the MITRE ATT&CK table below contains all techniques associated with it.

TacticIDNameDescription
Initial AccessT1566.001Phishing: Spearphishing AttachmentA malicious WinRAR SFX archive is attached to a spearphishing email.
ExecutionT1106Native APILODEINFO can execute files using the CreateProcessA API.
T1204.002User Execution: Malicious FileMirrorFace operators rely on a victim opening a malicious attachment sent via email.
T1559.001Inter-Process Communication: Component Object ModelLODEINFO can execute commands via Component Object Model.
PersistenceT1547.001Boot or Logon Autostart Execution: Registry Run Keys / Startup FolderLODEINFO adds an entry to the HKCU Run key to ensure persistence.

We observed MirrorFace operators manually adding an entry to the HKCU Run key to ensure persistence for the second-stage LODEINFO.

Defense EvasionT1112Modify RegistryLODEINFO can store its configuration in the registry.
T1055Process InjectionLODEINFO can inject shellcode into cmd.exe.
T1140Deobfuscate/Decode Files or InformationLODEINFO loader decrypts a payload using a single-byte XOR or RC4.
T1574.002Hijack Execution Flow: DLL Side-LoadingMirrorFace side-loads LODEINFO by dropping a malicious library and a legitimate executable (e.g., K7SysMon.exe).
DiscoveryT1082System Information DiscoveryLODEINFO fingerprints the compromised machine.
T1083File and Directory DiscoveryLODEINFO can obtain file and directory listings.
T1057Process DiscoveryLODEINFO can list running processes.
T1033System Owner/User DiscoveryLODEINFO can obtain the victim’s username.
T1614.001System Location Discovery: System Language DiscoveryLODEINFO checks the system language to verify that it is not running on a machine set to use the English language.
CollectionT1560.001Archive Collected Data: Archive via UtilityWe observed MirrorFace operators archiving collected data using the RAR archiver.
T1114.001Email Collection: Local Email CollectionWe observed MirrorFace operators collecting stored email messages.
T1056.001Input Capture: KeyloggingLODEINFO performs keylogging.
T1113Screen CaptureLODEINFO can obtain a screenshot.
T1005Data from Local SystemWe observed MirrorFace operators collecting and exfiltrating data of interest.
Command and ControlT1071.001Application Layer Protocol: Web ProtocolsLODEINFO uses the HTTP protocol to communicate with its C&C server.
T1132.001Data Encoding: Standard EncodingLODEINFO uses URL-safe base64 to encode its C&C traffic.
T1573.001Encrypted Channel: Symmetric CryptographyLODEINFO uses AES-256-CBC to encrypt C&C traffic.
T1001.001Data Obfuscation: Junk DataSecond-stage LODEINFO C&C prepends junk to sent data.
ExfiltrationT1041Exfiltration Over C2 ChannelLODEINFO can exfiltrate files to the C&C server.
T1071.002Application Layer Protocol: File Transfer ProtocolsWe observed MirrorFace using Secure Copy Protocol (SCP) to exfiltrate collected data.
ImpactT1486Data Encrypted for ImpactLODEINFO can encrypt files on the victim’s machine.

Source: https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/