MirrorFace targets Japan in fresh ANEL and NOOPDOOR spearphishing campaign
Date:
Thu, 05 Dec 2024 16:00:00 +0000
Description:
The Chinese want to know how the Japanese view their strained relations with
the US.
FULL STORY
MirrorFace, a Chinese state-sponsored threat actor also known as Earth Kasha,
has been observed stepping away from its usual practice, targeting specific
individuals with even more specific backdoors.
Cybersecurity researchers from Trend Micro recently observed MirrorFace
engaging in spear phishing attacks, targeting individuals in Japan.
Previously, the group was focused on business entities, and abused
vulnerabilities in endpoint devices such as Array Networks and Fortinet for
initial access.
Targeting individuals
This time around, MirrorFace seems to be particularly interested in topics
around Japan's national security and international relations, the researchers
stressed. They came to this conclusion after analyzing the victims and the
lures used in the spear phishing emails. The lures were mostly fake documents
discussing Japan's economic security from the perspective of the current
US-China relations.
"Many of the targets are individuals, such as researchers, who may have
different levels of security measures in place compared to enterprise
organizations, making these attacks more difficult to detect," Trend Micro
said. "It is essential to maintain basic countermeasures, such as avoiding
opening files attached to suspicious emails."
Those who failed to spot the attack ended up with two backdoors:
NOOPDOOR (also known as HiddenFace) and ANEL (also known as UPPERCUT). Trend
Micro said the latter was particularly interesting, since it had been
essentially absent for years.
"An interesting aspect of this campaign is the comeback of a backdoor dubbed
ANEL, which was used in campaigns targeting Japan by APT10 until around 2018
and had not been observed since then," they said. APT10 is likely MirrorFace's
umbrella organization.
Earth Kasha is quite an active group these days. In late November,
researchers saw the group targeting organizations in Japan, Taiwan, India,
and even Europe, through holes in Array AG, ProSelf, and Fortinet. They were
also seen using SoftEther VPN, a legitimate open-source VPN tool, to bypass a
target's firewall and blend into legitimate traffic.
Via The Hacker News
======================================================================
Link to news story:
https://www.techradar.com/pro/security/mirrorface-targets-japan-in-fresh-anel-and-noopdoor-spearphishing-campaign
--- SBBSecho 3.20-Linux
* Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)