CyberSecurity SEE

Chinese hackers target European diplomats using malware

MirrorFace, a threat actor associated with Chinese cyberespionage campaigns against Japan, has expanded its operations to target a European organization with a revived set of hacking tools. Researchers from Eset observed MirrorFace (also tracked as Earth Kasha) deploying a backdoor previously attributed to the threat group known as APT10, indicating a shift in both tooling and targeting for the espionage group.

The U.S. Department of Justice indicted two APT10 hackers in December 2018, highlighting the group’s ties to private-sector hacking contractors used by the Chinese government for cyber espionage. China is known to cultivate a network of companies that share tools and procedures to conduct intrusions on its behalf, which further complicates attribution and detection.

The reemergence of the Anel backdoor, also known as Uppercut, surprised researchers, as it was previously believed to have been abandoned in 2018 or 2019 in favor of a successor tool, Lodeinfo. Eset researchers said that MirrorFace’s use of Anel, together with its targeting patterns, led them to reclassify the group as a subgroup of APT10, tying it to the broader espionage campaign run by Chinese state-aligned actors.

In August 2024, Eset detected MirrorFace targeting a Central European diplomatic institute with a spear-phishing campaign that used the upcoming Expo 2025 in Osaka, Japan, as a lure. The attackers used a malicious document to deploy additional payloads, including a Word template with VBA macros and a legitimately signed executable that was abused for DLL side-loading (the signed binary loads the attacker’s DLL from its own directory), ultimately installing the Anel backdoor on compromised systems.

Unlike previous versions, the new iteration of Anel is stored encrypted on disk and decrypted only in memory, which defeats file-based scanning. The backdoor communicates with its command-and-control server over HTTP with encrypted message bodies, so network inspection sees little beyond ordinary web traffic. For persistence, MirrorFace deployed its flagship backdoor, HiddenFace, alongside scheduled tasks and registry modifications, while systematically deleting traces of its activity to hamper forensic analysis.

Researchers also observed the group running a customized version of AsyncRAT inside Windows Sandbox, an isolated virtual environment that endpoint security agents running on the host cannot see into. The attackers also used Visual Studio Code’s Remote Tunnels feature to maintain stealthy access: the tunnel is relayed through Microsoft’s infrastructure over HTTPS, so it blends with legitimate developer traffic and lets them execute code and deploy additional tools without opening inbound firewall ports or running a conventional implant that endpoint security would flag.
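As an added hunting example (not Eset’s detection logic and not code from the article), the following Python runs a handful of rules derived from the tradecraft in the paragraphs above over constructed Sysmon-style events: an Office process spawning an executable from a user-writable path (the macro stage), an unsigned DLL loaded from the same user-writable directory as its host binary (DLL side-loading), VS Code started in tunnel mode or resolving the tunnel relay domains, and Windows Sandbox launched with a .wsb configuration. The events, paths, process names and the relay domain patterns are assumptions made for this example; verify the tunnel domains against Microsoft’s current documentation before deploying anything like this.

```python
import fnmatch

# Constructed Sysmon-style events (EventID 1 = process create, 7 = image
# load, 22 = DNS query). Made up for this example, not real telemetry.
TEMP_EXE = r"C:\Users\alice\AppData\Local\Temp\expo2025\updater.exe"
CODE_EXE = r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "A1", "Image": TEMP_EXE,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "updater.exe"},
    {"EventID": 7, "ProcessGuid": "A1", "Image": TEMP_EXE,
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\expo2025\version.dll",
     "Signed": "false"},
    {"EventID": 7, "ProcessGuid": "A1", "Image": TEMP_EXE,          # benign system DLL
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 1, "ProcessGuid": "B2", "Image": CODE_EXE,
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "Code.exe tunnel --accept-server-license-terms --name srv01"},
    {"EventID": 22, "ProcessGuid": "B2", "Image": CODE_EXE,
     "QueryName": "global.rel.tunnels.api.visualstudio.com"},
    {"EventID": 1, "ProcessGuid": "C3", "Image": r"C:\Windows\System32\WindowsSandbox.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"WindowsSandbox.exe C:\Users\alice\AppData\Roaming\run.wsb"},
    {"EventID": 1, "ProcessGuid": "D4", "Image": CODE_EXE,          # benign editor launch
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r"Code.exe C:\src\project"},
]

# Assumed lists; tune to the environment.
USER_WRITABLE = (r"*\appdata\*", r"*\users\public\*", r"*\programdata\*", r"*\temp\*")
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
TUNNEL_DOMAINS = ("*.tunnels.api.visualstudio.com", "*.devtunnels.ms")  # assumed relay domains


def _base(path):
    return path.lower().rsplit("\\", 1)[-1]


def _dirname(path):
    return path.lower().rsplit("\\", 1)[0]


def _user_writable(path):
    return any(fnmatch.fnmatchcase(path.lower(), pat) for pat in USER_WRITABLE)


def rule_office_drops_exe(ev):
    """Office application spawning an executable from a user-writable path."""
    if ev["EventID"] == 1 and _base(ev["ParentImage"]) in OFFICE_PARENTS \
            and _user_writable(ev["Image"]):
        return "office_child_in_user_writable_path"
    return None


def rule_sideload(ev):
    """Unsigned DLL loaded from the same user-writable directory as the host binary."""
    if ev["EventID"] != 7 or ev.get("Signed", "true").lower() != "false":
        return None
    if _user_writable(ev["Image"]) and _dirname(ev["ImageLoaded"]) == _dirname(ev["Image"]):
        return "unsigned_dll_sideload_from_user_writable_path"
    return None


def rule_vscode_tunnel(ev):
    """VS Code started in tunnel mode, or a DNS lookup of the tunnel relay service."""
    if ev["EventID"] == 1 and _base(ev["Image"]) in ("code.exe", "code-tunnel.exe"):
        if "tunnel" in ev["CommandLine"].lower().split():
            return "vscode_tunnel_started"
    if ev["EventID"] == 22 and any(fnmatch.fnmatchcase(ev["QueryName"].lower(), d)
                                   for d in TUNNEL_DOMAINS):
        return "vscode_tunnel_dns"
    return None


def rule_windows_sandbox(ev):
    """Windows Sandbox launch; a .wsb config supplied on the command line is the stronger signal."""
    if ev["EventID"] == 1 and _base(ev["Image"]) == "windowssandbox.exe":
        return "windows_sandbox_with_wsb_config" if ".wsb" in ev["CommandLine"].lower() \
            else "windows_sandbox_launched"
    return None


RULES = (rule_office_drops_exe, rule_sideload, rule_vscode_tunnel, rule_windows_sandbox)


def hunt(events):
    """Return (rule_name, ProcessGuid) for every event that trips a rule, in event order."""
    hits = []
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                hits.append((name, ev["ProcessGuid"]))
    return hits


if __name__ == "__main__":
    for name, guid in hunt(SAMPLE_EVENTS):
        print(f"{guid}: {name}")
```

The ProcessGuid is kept in each hit so that the Office-spawn and side-load alerts for the same process (A1) and the tunnel start and DNS alerts (B2) can be correlated into one incident rather than triaged separately; the benign editor launch (D4) and the system DLL load produce no hits.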

In a particularly concerning development, researchers suspect that the attackers extracted sensitive information from compromised systems, including Google Chrome’s Web Data database (autofill details) and stored credentials, potentially exposing diplomatic communications and network credentials to further compromise.

The resurgence of MirrorFace and its use of sophisticated tactics highlight the evolving nature of cyber threats posed by nation-state actors. As cyber espionage activities continue to target organizations worldwide, cybersecurity professionals face an uphill battle in detecting and mitigating these advanced threats to protect sensitive data and critical infrastructure.
