Researchers at ESET warn that a Chinese-speaking threat actor dubbed “MirrorFace” targeted Japanese political organizations with spear phishing emails in the run-up to the Japanese House of Councillors election in July 2022.
“Purporting to be a Japanese political party’s PR department, MirrorFace asked the recipients to distribute the attached videos on their own social media profiles (SNS – Social Network Service) to further strengthen the party’s PR and to secure victory in the House of Councillors,” the researchers write. “Furthermore, the email provides clear instructions on the videos’ publication strategy. Since the House of Councillors election was held on July 10th, 2022, this email clearly indicates that MirrorFace sought the opportunity to attack political entities. Also, specific content in the email indicates that members of a particular political party were targeted.”
The threat actor used the emails to deliver its custom-made information-stealing malware.
“One of the spear phishing emails sent in Operation LiberalFace posed as an official communication from the PR department of a specific Japanese political party, containing a request related to the House of Councillors elections, and was purportedly sent on behalf of a prominent politician,” the researchers write. “All spear phishing emails contained a malicious attachment that upon execution deployed LODEINFO on the compromised machine. Additionally, we discovered that MirrorFace has used previously undocumented malware, which we have named MirrorStealer, to steal its target’s credentials. We believe this is the first time this malware has been publicly described.”
ESET’s researchers don’t attribute MirrorFace to a particular threat actor, but they note that other security companies believe the group may be related to China’s APT10.
“MirrorFace is a Chinese-speaking threat actor targeting companies and organizations based in Japan,” the researchers write. “While there is some speculation that this threat actor might be related to APT10…ESET is unable to attribute it to any known APT group. Therefore, we are tracking it as a separate entity that we’ve named MirrorFace. In particular, MirrorFace and LODEINFO, its proprietary malware used exclusively against targets in Japan, have been reported as targeting media, defense-related companies, think tanks, diplomatic organizations, and academic institutions. The goal of MirrorFace is espionage and exfiltration of files of interest.”
New-school security awareness training can enable your employees to thwart targeted social engineering attacks.
