
MirrorStealer targets credentials stored in web browsers and email clients of Japanese politicians


Using an undocumented credentials stealer dubbed “MirrorStealer,” a hacking group known as MirrorFace has been targeting Japanese politicians for weeks in advance of the House of Councilors election in July 2022.

ESET’s analysts say that when they discovered the campaign they were able to piece together evidence of it thanks to operational errors by the hackers, which left traces behind on the compromised machines.

The hackers deployed the new information-stealing malware alongside the group’s well-known backdoor, LODEINFO, which communicated with a C2 server identified as belonging to APT10 infrastructure.

Kaspersky Lab’s October 2022 report highlighted the custom backdoor’s ongoing development and detailed the extensive use of LODEINFO against prominent Japanese targets.

Spearphishing

On June 29, 2022, the MirrorFace hacking group (APT10 and Cicada) began sending spear-phishing emails to their targets, posing as public relations representatives for the recipient’s political party and requesting that the video files be shared on social media.

In other instances, the threat actors took on the persona of a Japanese ministry and attached decoy documents that secretly extracted WinRAR archives.

An innocuous application (K7Security Suite) used for DLL search order hijacking, a malicious DLL loader, and an encrypted copy of the LODEINFO malware were all found in the archive.

This is the same covert attack chain that Kaspersky described in its previous report, in which the backdoor is loaded directly into memory.

MirrorStealer operations

MirrorStealer (‘31558_n.dll’) was installed on compromised systems by APT10 via LODEINFO.

MirrorStealer focuses on credentials stored in email clients and web browsers, such as “Becky!”, a popular email client in Japan.

This suggests that MirrorStealer might have been made specifically for APT10’s operations centered on Japan.

Since MirrorStealer does not support data exfiltration on its own, all stolen credentials are stored in a txt file in the TEMP directory. LODEINFO then picks up that file and sends it to the C2.

Additionally, LODEINFO serves as a link between the C2 and MirrorStealer to send commands to the info-stealer.

ESET’s analysts observed LODEINFO receiving commands to load MirrorStealer into the compromised system’s memory, inject it into a newly spawned cmd.exe process, and run it.

In addition, there are indications that the remote operator attempted to exfiltrate browser cookies using MirrorStealer, but because the new info-stealer does not support this function, the operator resorted to using LODEINFO instead.
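The chain described above (a benign executable sideloading a DLL from its own directory, a cmd.exe child spawned by that process, and a credentials text file written into the TEMP directory) can be correlated from endpoint telemetry. The following detection sketch is an added example, not code from ESET or from the article; it runs over constructed Sysmon-style events (IDs 1, 7 and 11 are the real Sysmon process-create, image-load and file-create events, but every host, path, PID and file name below is made up). Treating an unsigned DLL loaded from a user-writable directory as the sideloading signal is an assumption of this example, not something the article states about the loader.

```python
"""Correlate sideload -> cmd.exe child -> .txt dropped in TEMP.

All events in SAMPLE_EVENTS are constructed sample data (hypothetical
paths and PIDs), shaped like Sysmon records: id 1 = process create,
id 7 = image loaded, id 11 = file create.
"""
import ntpath
from collections import defaultdict

SAMPLE_EVENTS = [
    # Constructed: an unsigned DLL loaded from the EXE's own Downloads folder.
    {"id": 7, "pid": 4100, "image": r"C:\Users\alice\Downloads\legit_app.exe",
     "loaded": r"C:\Users\alice\Downloads\legit_app_helper.dll", "signed": False},
    # Constructed: that process spawns cmd.exe ...
    {"id": 1, "pid": 4242, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe"},
    # ... which writes a text file into TEMP.
    {"id": 11, "pid": 4242, "target": r"C:\Users\alice\AppData\Local\Temp\creds.txt"},
    # Constructed benign noise: an unrelated cmd.exe writing a .log, and a
    # signed system DLL loaded by an application under Program Files.
    {"id": 1, "pid": 5000, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe"},
    {"id": 11, "pid": 5000, "target": r"C:\Users\alice\AppData\Local\Temp\setup.log"},
    {"id": 7, "pid": 6000, "image": r"C:\Program Files\Vendor\app.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll", "signed": True},
]


def _user_writable(path):
    """Heuristic (assumption): paths under Users, Temp or ProgramData."""
    p = path.lower()
    return "\\users\\" in p or "\\temp\\" in p or "\\programdata\\" in p


def _in_temp(path):
    return "\\temp\\" in path.lower()


def find_sideload_chains(events):
    """Return one alert dict per full chain found in the event list."""
    # Step 1: unsigned DLL loaded from the same (user-writable) directory as
    # the executable, the classic DLL search-order hijacking layout.
    sideloaded = {}
    for e in events:
        if e["id"] != 7 or e.get("signed", True):
            continue
        same_dir = (ntpath.dirname(e["image"]).lower()
                    == ntpath.dirname(e["loaded"]).lower())
        if same_dir and _user_writable(e["image"]):
            sideloaded[e["pid"]] = e

    # Step 2: cmd.exe processes whose parent is one of those processes.
    children = defaultdict(list)
    for e in events:
        if (e["id"] == 1 and e.get("ppid") in sideloaded
                and ntpath.basename(e["image"]).lower() == "cmd.exe"):
            children[e["ppid"]].append(e["pid"])

    # Step 3: a .txt file created in TEMP by one of those cmd.exe children.
    alerts = []
    for e in events:
        if e["id"] != 11 or not _in_temp(e["target"]):
            continue
        if not e["target"].lower().endswith(".txt"):
            continue
        for parent, kids in children.items():
            if e["pid"] in kids:
                alerts.append({
                    "parent_pid": parent,
                    "dll": sideloaded[parent]["loaded"],
                    "cmd_pid": e["pid"],
                    "file": e["target"],
                })
    return alerts


if __name__ == "__main__":
    for alert in find_sideload_chains(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Each of the three steps is noisy on its own (plenty of legitimate software sideloads helper DLLs, and cmd.exe writes to TEMP all day); the value is in requiring the parent/child link between them, which is why the alert carries the full chain rather than a single event.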

Leaving traces

In this campaign, APT10 was not very careful, leaving behind MirrorStealer’s text file with the collected credentials and failing to remove all evidence of its activity from the compromised computers.

Additionally, the technical aspect of the operation is more manual than anticipated from an APT group, as evidenced by the fact that the hackers frequently issued commands to LODEINFO with typographical errors, according to ESET analysts.
