Unmasking MirrorFace: Operation LiberalFace targeting Japanese political entities

ESET researchers discovered a spearphishing campaign, launched in the weeks leading up to the Japanese House of Councillors election in July 2022, by the APT group that ESET Research tracks as MirrorFace. The campaign, which we have named Operation LiberalFace, targeted Japanese political entities; our investigation revealed that the members of a specific political party were of particular focus in this campaign. ESET Research unmasked details about this campaign and the APT group behind it at the AVAR 2022 conference at the beginning of this month.

Key points of the blogpost:

  • At the end of June 2022, MirrorFace launched a campaign, which we have named Operation LiberalFace, that targeted Japanese political entities.
  • Spearphishing email messages containing the group’s flagship backdoor LODEINFO were sent to the targets.
  • LODEINFO was used to deliver additional malware, exfiltrate the victim’s credentials, and steal the victim’s documents and emails.
  • A previously undescribed credential stealer we have named MirrorStealer was used in Operation LiberalFace.
  • ESET Research performed an analysis of the post-compromise activities, which suggests that the observed actions were carried out in a manual or semi-manual manner.
  • Details about this campaign were shared at the AVAR 2022 conference.

MirrorFace is a Chinese-speaking threat actor targeting companies and organizations based in Japan. While there is some speculation that this threat actor might be related to APT10 (Macnica, Kaspersky), ESET is unable to attribute it to any known APT group. Therefore, we are tracking it as a separate entity that we’ve named MirrorFace. In particular, MirrorFace and LODEINFO, its proprietary malware used exclusively against targets in Japan, have been reported as targeting media, defense-related companies, think tanks, diplomatic organizations, and academic institutions. The goal of MirrorFace is espionage and exfiltration of files of interest.

We attribute Operation LiberalFace to MirrorFace based on these indicators:

  • To the best of our knowledge, LODEINFO malware is exclusively used by MirrorFace.
  • The targets of Operation LiberalFace align with traditional MirrorFace targeting.
  • A second-stage LODEINFO malware sample contacted a C&C server that we track internally as part of MirrorFace infrastructure.

One of the spearphishing emails sent in Operation LiberalFace posed as an official communication from the PR department of a specific Japanese political party, containing a request related to the House of Councillors elections, and was purportedly sent on behalf of a prominent politician. All spearphishing emails contained a malicious attachment that upon execution deployed LODEINFO on the compromised machine.

Additionally, we discovered that MirrorFace has used previously undocumented malware, which we have named MirrorStealer, to steal its target’s credentials. We believe this is the first time this malware has been publicly described.

In this blogpost, we cover the observed post-compromise activities, including the C&C commands sent to LODEINFO to carry out the actions. Based on certain activities performed on the affected machine, we think that the MirrorFace operator issued commands to LODEINFO in a manual or semi-manual manner.

Initial access

MirrorFace started the attack on June 29th, 2022, distributing spearphishing emails with a malicious attachment to the targets. The subject of the email was <redacted>SNS用動画 拡散のお願い (translation from Google Translate: [Important] <redacted> Request for spreading videos for SNS). Figure 1 and Figure 2 show its content.

Figure 1. Original text of the email

Figure 2. Translated version

Purporting to be a Japanese political party’s PR department, MirrorFace asked the recipients to distribute the attached videos on their own social media profiles (SNS – Social Network Service) to further strengthen the party’s PR and to secure victory in the House of Councillors. Furthermore, the email provides clear instructions on the videos’ publication strategy.

Since the House of Councillors election was held on July 10th, 2022, this email clearly indicates that MirrorFace sought the opportunity to attack political entities. Also, specific content in the email indicates that members of a particular political party were targeted.

MirrorFace also used another spearphishing email in the campaign, where the attachment was titled 【参考】220628<redacted>発・<redacted>選挙管理委員会宛文書(添書分).exe (translation from Google Translate: [Reference] 220628 Documents from the Ministry of <redacted> to <redacted> election administration committee (appendix).exe). The attached decoy document (shown in Figure 3) references the House of Councillors election as well.

Figure 3. Decoy document shown to the target

In both cases, the emails contained malicious attachments in the form of self-extracting WinRAR archives with deceptive names <redacted>SNS用動画 拡散のお願い.exe (translation from Google Translate: <redacted> Request for spreading videos for SNS.exe) and 【参考】220628<redacted>発・<redacted>選挙管理委員会宛文書(添書分).exe (translation from Google Translate: [Reference] 220628 Documents from the Ministry of <redacted> to <redacted> election administration committee (appendix).exe) respectively.

These EXEs extract their archived content into the %TEMP% folder. In particular, four files are extracted:

  • K7SysMon.exe, a benign application developed by K7 Computing Pvt Ltd vulnerable to DLL search order hijacking
  • K7SysMn1.dll, a malicious loader
  • K7SysMon.Exe.db, encrypted LODEINFO malware
  • A decoy document

Then, the decoy document is opened to deceive the target and to appear benign. As the last step, K7SysMon.exe is executed which loads the malicious loader K7SysMn1.dll dropped alongside it. Finally, the loader reads the content of K7SysMon.Exe.db, decrypts it, and then executes it. Note this approach was also observed by Kaspersky and described in their report.

Toolset

In this section, we describe the malware MirrorFace utilized in Operation LiberalFace.

LODEINFO

LODEINFO is a MirrorFace backdoor that is under continual development. JPCERT reported about the first version of LODEINFO (v0.1.2), which appeared around December 2019; its functionality allows capturing screenshots, keylogging, killing processes, exfiltrating files, and executing additional files and commands. Since then, we have observed several changes introduced to each of its versions. For instance, version 0.3.8 (which we first detected in June 2020) added the command ransom (which encrypts defined files and folders), and version 0.5.6 (which we detected in July 2021) added the command config, which allows operators to modify its configuration stored in the registry. Besides the JPCERT reporting mentioned above, a detailed analysis of the LODEINFO backdoor was also published earlier this year by Kaspersky.

In Operation LiberalFace, we observed MirrorFace operators utilizing both the regular LODEINFO and what we call the second-stage LODEINFO malware. The second-stage LODEINFO can be distinguished from the regular LODEINFO by looking at the overall functionality. In particular, the second-stage LODEINFO accepts and runs PE binaries and shellcode outside of the implemented commands. Furthermore, the second-stage LODEINFO can process the C&C command config, but the functionality for the command ransom is missing.

Finally, the data received from the C&C server differs between the regular LODEINFO and the second-stage one. For the second-stage LODEINFO, the C&C server prepends random web page content to the actual data. See Figure 4, Figure 5, and Figure 6 depicting the received data difference. Notice the prepended code snippet differs for every received data stream from the second-stage C&C.

Figure 4. Data received from the first-stage LODEINFO C&C

Figure 5. Data received from the second-stage C&C

Figure 6. Another data stream received from the second-stage C&C

MirrorStealer

MirrorStealer, internally named 31558_n.dll by MirrorFace, is a credential stealer. To the best of our knowledge, this malware has not been publicly described. In general, MirrorStealer steals credentials from various applications such as browsers and email clients. Interestingly, one of the targeted applications is Becky!, an email client that is currently only available in Japan. All the stolen credentials are stored in %TEMP%31558.txt and since MirrorStealer doesn’t have the capability to exfiltrate the stolen data, it depends on other malware to do it.

Post-compromise activities

During our research, we were able to observe some of the commands that were issued to compromised computers.

Initial environment observation

Once LODEINFO was launched on the compromised machines and they had successfully connected to the C&C server, an operator started issuing commands (see Figure 7).

Figure 7. Initial environment observation by the MirrorFace operator via LODEINFO

First, the operator issued one of the LODEINFO commands, print, to capture the screen of the compromised machine. This was followed by another command, ls, to see the content of the current folder in which LODEINFO resided (i.e., %TEMP%). Right after that, the operator utilized LODEINFO to obtain network information by running net view and net view /domain. The first command returns the list of computers connected to the network, while the second returns the list of available domains.

Credential and browser cookie stealing

Having collected this basic information, the operator moved to the next phase (see Figure 8).

Figure 8. Flow of instructions sent to LODEINFO to deploy credential stealer, collect credentials and browser cookies, and exfiltrate them to the C&C server

The operator issued the LODEINFO command send with the subcommand -memory to deliver MirrorStealer malware to the compromised machine. The subcommand -memory was used to indicate to LODEINFO to keep MirrorStealer in its memory, meaning the MirrorStealer binary was never dropped on disk. Subsequently, the command memory was issued. This command instructed LODEINFO to take MirrorStealer, inject it into the spawned cmd.exe process, and run it.

Once MirrorStealer had collected the credentials and stored them in %temp%31558.txt, the operator used LODEINFO to exfiltrate the credentials.

The operator was interested in the victim’s browser cookies as well. However, MirrorStealer doesn’t possess the capability to collect those. Therefore, the operator exfiltrated the cookies manually via LODEINFO. First, the operator used the LODEINFO command dir to list the contents of the folders %LocalAppData%GoogleChromeUser Data and %LocalAppData%MicrosoftEdgeUser Data. Then, the operator copied all the identified cookie files into the %TEMP% folder. Next, the operator exfiltrated all the collected cookie files using the LODEINFO command recv. Finally, the operator deleted the copied cookie files from the %TEMP% folder in an attempt to remove the traces.

Document and email stealing

In the next step, the operator exfiltrated documents of various kinds as well as stored emails (see Figure 9).

Figure 9. Flow of the instructions sent to LODEINFO to exfiltrate files of interest

For that, the operator first utilized LODEINFO to deliver the WinRAR archiver (rar.exe). Using rar.exe, the operator collected and archived files of interest that were modified after 2022-01-01 from the folders %USERPROFILE% and C:$Recycle.Bin. The operator was interested in all such files with the extensions .doc*, .ppt*, .xls*, .jtd, .eml, .*xps, and .pdf.

Notice that besides the common document types, MirrorFace was also interested in files with the .jtd extension. This represents documents of the Japanese word processor Ichitaro developed by JustSystems.

Once the archive was created, the operator delivered the Secure Copy Protocol (SCP) client from the PuTTY suite (pscp.exe) and then used it to exfiltrate the just-created RAR archive to the server at 45.32.13[.]180. This IP address had not been observed in previous MirrorFace activity and had not been used as a C&C server in any LODEINFO malware that we have observed. Right after the archive was exfiltrated, the operator deleted rar.exe, pscp.exe, and the RAR archive to clean up the traces of the activity.

Deployment of second-stage LODEINFO

The last step we observed was delivering the second-stage LODEINFO (see Figure 10).

Figure 10. Flow of instructions sent to LODEINFO to deploy second-stage LODEINFO

The operator delivered the following binaries: JSESPR.dll, JsSchHlp.exe, and vcruntime140.dll to the compromised machine. The original JsSchHlp.exe is a benign application signed by JUSTSYSTEMS CORPORATION (makers of the previously mentioned Japanese word processor, Ichitaro). However, in this case the MirrorFace operator abused a known Microsoft digital signature verification issue and appended RC4 encrypted data to the JsSchHlp.exe digital signature. Because of the mentioned issue, Windows still considers the modified JsSchHlp.exe to be validly signed.

JsSchHlp.exe is also susceptible to DLL side-loading. Therefore, upon execution, the planted JSESPR.dll is loaded (see Figure 11).

Figure 11. Execution flow of second-stage LODEINFO

JSESPR.dll is a malicious loader that reads the appended payload from JsSchHlp.exe, decrypts it, and runs it. The payload is the second-stage LODEINFO, and once running, the operator utilized the regular LODEINFO to set the persistence for the second-stage one. In particular, the operator ran the reg.exe utility to add a value named JsSchHlp to the Run registry key holding the path to JsSchHlp.exe.

However, it appears to us the operator didn’t manage to make the second-stage LODEINFO communicate properly with the C&C server. Therefore, any further steps of the operator utilizing the second-stage LODEINFO remain unknown to us.

Interesting observations

During the investigation, we made a few interesting observations. One of them is that the operator made a few errors and typos when issuing commands to LODEINFO. For example, the operator sent the string cmd /c dir “c:use” to LODEINFO, which most likely was supposed to be cmd /c dir “c:users”.

This suggests the operator is issuing commands to LODEINFO in a manual or semi-manual manner.

Our next observation is that even though the operator performed a few cleanups to remove traces of the compromise, the operator forgot to delete %temp%31558.txt – the log containing the stolen credentials. Thus, at least this trace remained on the compromised machine and it shows us that the operator was not thorough in the cleanup process.

Conclusion

MirrorFace continues to aim for high-value targets in Japan. In Operation LiberalFace, it specifically targeted political entities using the then-upcoming House of Councillors election to its advantage. More interestingly, our findings indicate MirrorFace particularly focused on the members of a specific political party.

During the Operation LiberalFace investigation, we managed to uncover further MirrorFace TTPs, such as the deployment and utilization of additional malware and tools to collect and exfiltrate valuable data from victims. Moreover, our investigation revealed that the MirrorFace operators are somewhat careless, leaving traces and making various mistakes.

For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.

ESET Research also offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.

IoCs

Files

SHA-1 Filename ESET detection name Description
F4691FF3B3ACD15653684F372285CAC36C8D0AEF K7SysMn1.dll Win32/Agent.ACLP LODEINFO loader.
DB81C8719DDAAE40C8D9B9CA103BBE77BE4FCE6C K7SysMon.Exe.db N/A Encrypted LODEINFO.
A8D2BE15085061B753FDEBBDB08D301A034CE1D5 JsSchHlp.exe Win32/Agent.ACLP JsSchHlp.exe with appended encrypted second-stage LODEINFO in the security directory.
0AB7BB3FF583E50FBF28B288E71D3BB57F9D1395 JSESPR.dll Win32/Agent.ACLP Second-stage LODEINFO loader.
E888A552B00D810B5521002304D4F11BC249D8ED 31558_n.dll Win32/Agent.ACLP MirrorStealer credential stealer.

Network

IP Provider First Seen Details
5.8.95[.]174 G-Core Labs S.A. 2022-06-13 LODEINFO C&C server.
45.32.13[.]180 AS-CHOOPA 2022-06-29 Server for data exfiltration.
103.175.16[.]39 Gigabit Hosting Sdn Bhd 2022-06-13 LODEINFO C&C server.
167.179.116[.]56 AS-CHOOPA 2021-10-20 www.ninesmn[.]com, second-stage LODEINFO C&C server.
172.105.217[.]233 Linode, LLC 2021-11-14 www.aesorunwe[.]com, second-stage LODEINFO C&C server.

MITRE ATT&CK techniques

This table was built using version 12 of the MITRE ATT&CK framework.

Note that although this blogpost does not provide a complete overview of LODEINFO capabilities because this information is already available in other publications, the MITRE ATT&CK table below contains all techniques associated with it.

Tactic ID Name Description
Initial Access T1566.001 Phishing: Spearphishing Attachment A malicious WinRAR SFX archive is attached to a spearphishing email.
Execution T1106 Native API LODEINFO can execute files using the CreateProcessA API.
T1204.002 User Execution: Malicious File MirrorFace operators rely on a victim opening a malicious attachment sent via email.
T1559.001 Inter-Process Communication: Component Object Model LODEINFO can execute commands via Component Object Model.
Persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder LODEINFO adds an entry to the HKCU Run key to ensure persistence.

We observed MirrorFace operators manually adding an entry to the HKCU Run key to ensure persistence for the second-stage LODEINFO.

Defense Evasion T1112 Modify Registry LODEINFO can store its configuration in the registry.
T1055 Process Injection LODEINFO can inject shellcode into cmd.exe.
T1140 Deobfuscate/Decode Files or Information LODEINFO loader decrypts a payload using a single-byte XOR or RC4.
T1574.002 Hijack Execution Flow: DLL Side-Loading MirrorFace side-loads LODEINFO by dropping a malicious library and a legitimate executable (e.g., K7SysMon.exe).
Discovery T1082 System Information Discovery LODEINFO fingerprints the compromised machine.
T1083 File and Directory Discovery LODEINFO can obtain file and directory listings.
T1057 Process Discovery LODEINFO can list running processes.
T1033 System Owner/User Discovery LODEINFO can obtain the victim’s username.
T1614.001 System Location Discovery: System Language Discovery LODEINFO checks the system language to verify that it is not running on a machine set to use the English language.
Collection T1560.001 Archive Collected Data: Archive via Utility We observed MirrorFace operators archiving collected data using the RAR archiver.
T1114.001 Email Collection: Local Email Collection We observed MirrorFace operators collecting stored email messages.
T1056.001 Input Capture: Keylogging LODEINFO performs keylogging.
T1113 Screen Capture LODEINFO can obtain a screenshot.
T1005 Data from Local System We observed MirrorFace operators collecting and exfiltrating data of interest.
Command and Control T1071.001 Application Layer Protocol: Web Protocols LODEINFO uses the HTTP protocol to communicate with its C&C server.
T1132.001 Data Encoding: Standard Encoding LODEINFO uses URL-safe base64 to encode its C&C traffic.
T1573.001 Encrypted Channel: Symmetric Cryptography LODEINFO uses AES-256-CBC to encrypt C&C traffic.
T1001.001 Data Obfuscation: Junk Data Second-stage LODEINFO C&C prepends junk to sent data.
Exfiltration T1041 Exfiltration Over C2 Channel LODEINFO can exfiltrate files to the C&C server.
T1071.002 Application Layer Protocol: File Transfer Protocols We observed MirrorFace using Secure Copy Protocol (SCP) to exfiltrate collected data.
Impact T1486 Data Encrypted for Impact LODEINFO can encrypt files on the victim’s machine.

Source: https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/