DIGITAL LIFE

ESET has identified a cyberespionage campaign attributed to the China-aligned MirrorFace group. For the first time in ESET's documented record, the activity targeted a diplomatic institution in Central Europe, a departure from the group's traditional focus on Japan. The activity was observed between the second and third quarters of 2024.
This cyberespionage campaign, dubbed AkaiRyū (Red Dragon in Japanese) by ESET, used the upcoming Expo 2025, scheduled to take place in Osaka, Japan, as the central lure for its attacks.
This choice of lure suggests that, despite the geographic expansion of its targeting, the group's interests remain tied to events related to Japan.
The investigation points to a significant update in the tactics, techniques and procedures (TTPs) employed by MirrorFace in this campaign.
The AkaiRyū campaign demonstrated an evolution in MirrorFace's methods. The group used spearphishing emails that simulated legitimate communications and referenced previous interactions between the target entity and a Japanese non-governmental organization, with the goal of tricking recipients into opening malicious content.
Analysis also revealed the use of a customized variant of the AsyncRAT remote access trojan (RAT), run inside Windows Sandbox so that its activity is harder for security tools on the host to observe. Additionally, MirrorFace abused the remote tunnels feature of Visual Studio Code (VS Code).
This technique gives the group stealthy access to compromised systems, lets it execute commands, and serves as a channel for deploying other malicious tools. The group also continued to use its main backdoor, known as HiddenFace, to maintain persistence on infected systems. ESET further observed the abuse of legitimate applications, including tools from McAfee and JustSystems, to execute malicious code on victims' computers.
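The three behaviours described above (a VS Code tunnel being started, Windows Sandbox being launched from a user-controlled configuration, and a legitimate vendor binary executing from a user-writable directory) each leave a footprint in ordinary process-creation and network-connection telemetry. The following triage script is an added example, not code from ESET's report or from this post: it runs a handful of such detection rules over constructed sample events in a simplified `key=value` format modelled on Sysmon event IDs 1 (process creation) and 3 (network connection). The sample paths, user names, the `signed_tool.exe` file name and the tunnel name are constructed; the `.devtunnels.ms` and `tunnels.api.visualstudio.com` endpoints are the ones VS Code's tunnel client is documented to use, but verify them against your own traffic before relying on them.

```python
"""Added example: triage of process/network events for the tradecraft
described in the article (VS Code tunnels, Windows Sandbox, legitimate
vendor binaries run from user-writable paths). Not ESET's code.
"""
import re
from pathlib import PureWindowsPath

# Endpoints the VS Code tunnel client is documented to talk to.
# Assumption: confirm against your own network telemetry.
TUNNEL_DOMAINS = (".devtunnels.ms", "tunnels.api.visualstudio.com")
# Vendors whose legitimate tools the article says were abused.
VENDORS = ("mcafee", "justsystems")
# Path fragments that indicate a user-writable location (heuristic).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    r'id=1 image="C:\Windows\System32\svchost.exe" cmdline="svchost.exe -k netsvcs" user="NT AUTHORITY\SYSTEM"',
    r'id=1 image="C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\bin\code.cmd" cmdline="code tunnel --accept-server-license-terms --name ws01" user="CORP\alice"',
    r'id=3 image="C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\code.exe" desthost="global.rel.tunnels.api.visualstudio.com" destport=443',
    r'id=1 image="C:\Windows\System32\WindowsSandbox.exe" cmdline="WindowsSandbox.exe C:\Users\alice\AppData\Local\Temp\expo2025.wsb" user="CORP\alice"',
    r'id=1 image="C:\Users\alice\AppData\Local\Temp\vendor\signed_tool.exe" cmdline="signed_tool.exe" company="McAfee, LLC" user="CORP\alice"',
    r'id=1 image="C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\code.exe" cmdline="code.exe C:\Users\alice\src" user="CORP\alice"',
]

_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_event(line):
    """Parse one key=value line (values may be double-quoted) into a dict."""
    ev = {}
    for m in _KV.finditer(line):
        ev[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return ev


def check_vscode_tunnel(ev):
    """VS Code CLI started with the `tunnel` subcommand."""
    img = PureWindowsPath(ev.get("image", "")).name.lower()
    cmd = ev.get("cmdline", "").lower()
    return img in ("code.exe", "code.cmd", "code") and re.search(r"\btunnel\b", cmd) is not None


def check_windows_sandbox(ev):
    """Windows Sandbox launched, or a .wsb configuration referenced on a command line."""
    img = PureWindowsPath(ev.get("image", "")).name.lower()
    cmd = ev.get("cmdline", "").lower()
    return img in ("windowssandbox.exe", "windowssandboxclient.exe") or ".wsb" in cmd


def check_tunnel_egress(ev):
    """Outbound connection to a VS Code tunnel relay/API endpoint."""
    if ev.get("id") != "3":
        return False
    host = ev.get("desthost", "").lower()
    return any(host.endswith(d) for d in TUNNEL_DOMAINS)


def check_vendor_binary_user_path(ev):
    """A binary attributed to one of the named vendors running from a user-writable path."""
    img = ev.get("image", "").lower()
    company = ev.get("company", "").lower()
    return any(v in company for v in VENDORS) and any(p in img for p in USER_WRITABLE)


RULES = {
    "vscode_tunnel": check_vscode_tunnel,
    "windows_sandbox": check_windows_sandbox,
    "tunnel_egress": check_tunnel_egress,
    "vendor_binary_user_path": check_vendor_binary_user_path,
}


def triage(lines):
    """Return (event_number, rule_name, image) for every rule that fires."""
    findings = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        for name, rule in RULES.items():
            if rule(ev):
                findings.append((n, name, ev.get("image", "")))
    return findings


if __name__ == "__main__":
    for n, rule, image in triage(SAMPLE_EVENTS):
        print(f"event {n}: {rule} <- {image}")
```

The benign VS Code launch (event 6) and the system `svchost.exe` produce no findings; only the tunnel start, the tunnel egress, the sandbox launch and the misplaced vendor binary are flagged. In a real deployment the `.wsb` rule in particular deserves an allow-list, since developers legitimately use Windows Sandbox.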
Tool Revival and Connection to APT10

One of the notable technical aspects of the operation was the use of the ANEL backdoor (also known as UPPERCUT).
This tool, previously associated exclusively with the APT10 group and thought to have been abandoned, appears to be under development again. ANEL provides basic capabilities such as file manipulation, code execution and screen capture.
The reintroduction of ANEL into MirrorFace’s arsenal, together with previously observed similarities in the targets and malware code, has led ESET to reassess the connection between the two groups.
The security company now assesses that MirrorFace operates as a subgroup of APT10. This conclusion rests on the accumulated technical and operational evidence, which points to coordination or resource sharing between the two.
ESET's investigation has revealed an expansion of MirrorFace's targeting, which now includes Europe. The AkaiRyū campaign showed updated TTPs, including the revived ANEL backdoor and evasion techniques such as running malware in an isolated environment and abusing legitimate tools.
The analysis also strengthened the hypothesis of an operational link between MirrorFace and APT10, leading the researchers to reassign MirrorFace's affiliation.
https://www.welivesecurity.com/en/eset-research/operation-akairyu-mirrorface-invites-europe-expo-2025-revives-anel-backdoor/
mundophone