December 5, 2024 at 03:30AM
The China-linked group MirrorFace has launched a spear-phishing campaign targeting individuals in Japan since June 2024, delivering backdoors NOOPDOOR and ANEL. This marks the return of ANEL, previously used by APT10. The attacks leverage malicious OneDrive links and various infection vectors, focusing on national security and international relations themes.
### Meeting Takeaways – Cyber Espionage / Malware Update (Dec 05, 2024)
1. **New Spear-Phishing Campaign:**
– A China-linked threat actor known as MirrorFace has launched a spear-phishing campaign targeting individuals and organizations in Japan since June 2024.
2. **Malicious Tools Used:**
– The campaign primarily delivers backdoors named NOOPDOOR (HiddenFace) and ANEL (UPPERCUT).
– ANEL, which had not been observed since 2018, is making a comeback in this campaign.
3. **Context of the Campaign:**
– The campaign is thought to have been motivated by topics related to Japan’s national security and international relations, particularly in light of U.S.-China relations.
– In 2023 the group exploited security flaws in edge devices; the current campaign instead targets selected individuals through spear-phishing.
4. **Delivery Mechanisms:**
– Attackers send emails that link to Microsoft OneDrive, luring recipients into downloading malicious ZIP archives themed around job interview requests and economic security.
– Three infection vectors have been identified:
  – A macro-enabled Word document.
  – A Windows shortcut file that leads to a self-extracting archive.
  – A Windows shortcut file that invokes PowerShell to process a cabinet (CAB) archive.
5. **Backdoor Functionality:**
– The macro-enabled dropper (ROAMINGMOUSE) launches the ANEL components and uses evasion techniques to complicate detection.
– ANEL includes capabilities like capturing screenshots, file manipulation, and command execution, along with new functionality for running programs with elevated privileges.
6. **Target Profile:**
– The campaign predominantly targets individuals, including researchers, who may not have robust security measures in place, increasing the risk of successful infiltration.
7. **Recommendations:**
– It is crucial for potential targets to maintain basic cybersecurity practices, such as being cautious about opening attachments from suspicious emails.
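The three delivery vectors under item 4 lend themselves to a simple attachment triage step. The following is an added example, not code from the original summary or from the researchers who reported the campaign: it opens a ZIP attachment and flags shortcut files, executable/cabinet/script stages, and Office documents that carry a VBA project. The sample archive it builds is constructed for illustration and is not a real artifact.

```python
"""Triage helper for ZIP lure attachments (added example, constructed sample data)."""
import io
import os.path
import zipfile

# Extensions tied to the vectors in the summary: macro-enabled Office documents,
# Windows shortcut files, and the executable / cabinet / PowerShell stages they lead to.
MACRO_DOC_EXT = {".docm", ".dotm", ".xlsm", ".pptm"}
OFFICE_EXT = MACRO_DOC_EXT | {".docx", ".dotx", ".xlsx", ".pptx"}
SHORTCUT_EXT = {".lnk"}
STAGE_EXT = {".exe", ".scr", ".cab", ".ps1"}


def has_vba_project(doc_bytes: bytes) -> bool:
    """An Office Open XML file is itself a ZIP; a vbaProject.bin part means it carries macros."""
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as doc:
            return any(n.lower().endswith("vbaproject.bin") for n in doc.namelist())
    except zipfile.BadZipFile:
        return False


def triage_zip(zip_bytes: bytes) -> list[str]:
    """Return one finding per suspicious member of the archive; an empty list means nothing flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            name = info.filename
            ext = os.path.splitext(name)[1].lower()
            if ext in SHORTCUT_EXT:
                findings.append(f"shortcut file: {name}")
            elif ext in STAGE_EXT:
                findings.append(f"executable/cabinet/script stage: {name}")
            elif ext in OFFICE_EXT and (ext in MACRO_DOC_EXT or has_vba_project(archive.read(name))):
                findings.append(f"Office document with macros: {name}")
    return findings


def build_sample_lure() -> bytes:
    """Constructed sample (not a real artifact): a ZIP holding a macro-bearing
    document, a shortcut file and a harmless text file."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as doc:
        doc.writestr("[Content_Types].xml", "<Types/>")
        doc.writestr("word/vbaProject.bin", b"\x00constructed placeholder\x00")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as lure:
        lure.writestr("Interview_Request.docm", inner.getvalue())
        lure.writestr("Economic_Security_Notes.lnk", b"L\x00\x00\x00")
        lure.writestr("readme.txt", "plain text")
    return outer.getvalue()
```

Run `triage_zip(build_sample_lure())` to see the two flagged members; in practice the function would be applied to attachments or OneDrive downloads at a mail gateway or sandbox intake.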
### Follow-up Action Items:
– Stay updated on cybersecurity best practices and threat intelligence.
– Consider conducting training sessions to educate individuals on recognizing and responding to phishing attempts.