
MirrorFace Attacks on Organizations Exploiting Vulnerabilities


MirrorFace threat actors have been actively targeting various sectors, including media, political organizations, and academic institutions, since 2022. However, in 2023, they shifted their focus to manufacturers and research institutions, highlighting the evolving nature of cyber threats in the digital landscape.

The attack methods employed by MirrorFace have also evolved. Initially the group relied on spear phishing to gain access to target networks. As security measures improved, it began exploiting vulnerabilities in internet-facing assets, particularly Array AG and FortiGate products. Once inside the network, the actors deploy the NOOPDOOR malware and use various tools to locate and exfiltrate data, for example by listing files and reviewing their contents.

NOOPDOOR is sophisticated shellcode that is implanted into legitimate applications by its loader, NOOPLDR, in one of two ways. In Type 1, NOOPLDR takes the form of an XML file containing obfuscated C# code, which is compiled and run with MSBuild. In Type 2, NOOPLDR is a DLL that is loaded into a legitimate application via DLL side-loading. Both types retrieve encrypted data from specific files or registry entries, decrypt it with AES-CBC using a key derived from system information, and inject the resulting code into a target application.

After execution, the code is encrypted and saved to a specific registry location for later use. NOOPLDR samples vary considerably: the XML and DLL variants differ in behaviour and injection method, and the DLL variants are the more complex of the two, installing themselves as a service, potentially hiding, and storing their payload in registry keys.

According to JPCERT/CC, some NOOPLDR samples inject into processes such as wuauclt.exe, lsass.exe, svchost.exe, and vdsldr.exe. Type 2 NOOPLDR samples use Control Flow Flattening (CFF) to obfuscate their code, which makes analysis difficult. Tools like D810 can partially undo CFF, and JPCERT/CC offers a dedicated Python script for further deobfuscation.

NOOPDOOR communicates over port 443 with domains produced by a Domain Generation Algorithm (DGA) and receives commands via port 47000. Beyond standard malware functions such as file transfer and execution, NOOPDOOR can manipulate file timestamps, which can impede forensic investigation.
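The two network traits above (DGA-generated domains over 443 and a fixed command port of 47000) are the kind of thing a defender can hunt for in proxy or DNS telemetry. The following is an added example, not code from the article or from JPCERT/CC: it scores the registrable label of each queried domain with Shannon entropy plus digit and vowel ratios, and flags any event on port 47000. The log format, host names, domains, and the thresholds are all constructed for the example and would need tuning against real traffic.

```python
"""Added example (not from the article or JPCERT/CC): flag DGA-looking domains
and traffic on the command port named in the write-up, over constructed logs."""
import math
import re
from collections import Counter

COMMAND_PORT = 47000   # command port stated in the article
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(dns|conn)\s+(\S+)\s+(\d+)$")

# Constructed sample lines (not real telemetry): "timestamp host kind dst port"
SAMPLE_LOGS = [
    "2024-07-01T10:00:01Z ws01 dns www.microsoft.com 443",
    "2024-07-01T10:00:05Z ws01 dns a8f3kq92lzx0.com 443",
    "2024-07-01T10:00:06Z ws01 dns zq7v1mb9xk4p.net 443",
    "2024-07-01T10:01:10Z ws02 dns update.example.org 443",
    "2024-07-01T10:01:30Z ws02 conn 203.0.113.10 443",
    "2024-07-01T10:02:00Z ws02 conn 10.0.0.25 47000",
]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for a single repeated char)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(fqdn: str) -> str:
    """Label directly left of the TLD, e.g. 'microsoft' for www.microsoft.com.
    Assumption: single-label TLDs; a public-suffix list would be more exact."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_dga(fqdn: str, entropy_threshold: float = 3.3) -> bool:
    """Heuristic: long, high-entropy label that is digit-heavy or vowel-poor.
    Thresholds are assumptions for the example, not values from the article."""
    label = registrable_label(fqdn)
    if len(label) < 8:
        return False
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= entropy_threshold and (
        digit_ratio >= 0.2 or vowel_ratio < 0.15
    )


def analyze(lines):
    """Return one finding per suspicious event, in input order."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not in the constructed format; skip
        ts, host, kind, dst, port = m.groups()
        if kind == "dns" and looks_dga(dst):
            findings.append({"ts": ts, "host": host, "dst": dst,
                             "reason": "dga-like-domain"})
        # Port 47000 in either direction is worth a look unless your
        # environment uses it legitimately (assumption for the example).
        if int(port) == COMMAND_PORT:
            findings.append({"ts": ts, "host": host, "dst": dst,
                             "reason": "command-port"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f"{f['ts']} {f['host']} {f['reason']}: {f['dst']}")
```

Entropy-based DGA scoring is a triage aid rather than a verdict: CDN and cloud hostnames often carry random-looking labels, so findings should be reviewed alongside the process that made the request and the volume of NXDOMAIN responses from the same host.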

MirrorFace actors actively hunt for Windows network credentials by examining memory dumps of the LSASS process, the NTDS.dit database, and sensitive registry hives. Security products such as Microsoft Defender and EDR tools can help detect this credential-theft activity. After the initial intrusion, the attackers use Windows network administrator privileges to spread malware over SMB and via scheduled tasks, targeting file servers, Active Directory (AD), and anti-virus management servers.

Reconnaissance involves uncommon commands such as auditpol, bitsadmin, and dfsutil, and data is exfiltrated using WinRAR and SFTP. The attackers enumerate files with dir /s and target locations such as OneDrive, Teams, and IIS. Security solutions like Cynet XDR provide automated detection and response across endpoints, networks, and users to counter such attacks.
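The previous two paragraphs list command-line behaviours (uncommon recon commands, recursive directory listings, WinRAR archiving, access to NTDS.dit, remote scheduled tasks, and MSBuild building a project file from a user-writable path) that show up in process-creation telemetry. The following is an added example, not code from the article or from JPCERT/CC: a handful of regex rules applied to constructed process-creation records, with a per-host roll-up so that one host tripping several rules raises an alert rather than each command being judged in isolation. The record format, host and user names, rule names, and the paths in the MSBuild rule are assumptions made for the example.

```python
"""Added example (not from the article or JPCERT/CC): rule-style matching of
the command-line behaviours the write-up lists, rolled up per host."""
import re
from collections import defaultdict

# (rule name, regex over the command line). Names and patterns are the
# example's own; tune them to your environment.
RULES = [
    ("uncommon-recon-cmd",
     re.compile(r"\b(auditpol|bitsadmin|dfsutil)(\.exe)?\b", re.I)),
    ("recursive-dir-listing",
     re.compile(r"\bdir\b.*\s/s\b", re.I)),
    ("archive-staging",
     re.compile(r"\b(rar|winrar)\.exe\b.*\ba\b", re.I)),
    ("credential-store-access",
     re.compile(r"ntds\.dit", re.I)),
    ("remote-scheduled-task",
     re.compile(r"\bschtasks(\.exe)?\b.*\s/s\s", re.I)),
    # MSBuild is legitimate on build hosts; a project file under a
    # user-writable path on a workstation is the unusual part (assumption).
    ("msbuild-from-user-path",
     re.compile(r"msbuild\.exe\b.*\\(users|programdata|temp)\\.*\.(xml|proj|csproj)\b", re.I)),
]

# Constructed sample records (not real telemetry): "ts|host|user|commandline"
SAMPLE_RECORDS = [
    "2024-07-01T09:00:00Z|fs01|CORP\\svc_backup|cmd.exe /c dir /s C:\\Users\\*\\OneDrive > C:\\ProgramData\\list.txt",
    "2024-07-01T09:01:00Z|fs01|CORP\\svc_backup|auditpol /get /category:*",
    "2024-07-01T09:02:00Z|fs01|CORP\\svc_backup|\"C:\\Program Files\\WinRAR\\Rar.exe\" a -r C:\\ProgramData\\out.rar C:\\Users\\*\\OneDrive",
    "2024-07-01T09:03:00Z|ws07|CORP\\alice|\"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe\" C:\\Users\\alice\\AppData\\Local\\Temp\\build.xml",
    "2024-07-01T09:04:00Z|ws09|CORP\\bob|notepad.exe C:\\Users\\bob\\notes.txt",
    "2024-07-01T09:05:00Z|ws07|CORP\\alice|schtasks.exe /create /s fs01 /tn Maint /tr C:\\ProgramData\\m.exe /sc once /st 09:10",
    "2024-07-01T09:06:00Z|dc01|CORP\\svc_backup|cmd.exe /c dir C:\\Windows\\NTDS\\ntds.dit",
]


def parse_record(line: str) -> dict:
    """Split a constructed record into its four fields."""
    ts, host, user, cmdline = line.split("|", 3)
    return {"ts": ts, "host": host, "user": user, "cmdline": cmdline}


def match_rules(cmdline: str) -> list:
    """Names of every rule whose pattern matches this command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def triage(lines, min_rules: int = 2) -> dict:
    """Map host -> sorted distinct rule names, keeping only hosts that
    tripped at least min_rules different rules."""
    per_host = defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        per_host[rec["host"]].update(match_rules(rec["cmdline"]))
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= min_rules}


if __name__ == "__main__":
    for host, rules in triage(SAMPLE_RECORDS).items():
        print(f"{host}: {', '.join(rules)}")
```

The roll-up threshold is the important design choice: `auditpol` or `dir /s` alone is routine administration, but a single file server running recon, a recursive listing of user OneDrive folders, and a WinRAR archive job in sequence matches the collection pattern described above and deserves a ticket.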

In conclusion, the activities of MirrorFace threat actors underscore the evolving nature of cyber threats and the need for robust security measures to safeguard sensitive information and networks from malicious actors. Stay vigilant and employ the latest cybersecurity tools and strategies to protect against emerging threats.
