Analyzing Operation LiberalFace, An Attack Against Japanese Politicians
Category: Threat Actor Activity | Industry: Government | Level: Tactical | Source: ESET
ESET researchers unravel a spearphishing campaign initiated by the Chinese threat group MirrorFace in the weeks prior to the Japanese House of Councillors election in July 2022, which deployed a credential-stealing malware named 'MirrorStealer'. The MirrorFace threat group is speculated to have ties with APT10 and predominantly targets organizations based in Japan. On June 29th, 2022, Operation LiberalFace began targeting high-profile Japanese politicians with spearphishing emails masquerading as either public relations agents from the recipient's political party or a member of the Japanese ministry. Attached to the phishing email is a self-extracting WinRAR archive that drops four files: a decoy document, the LODEINFO malware, a malicious DLL loader, and a copy of the K7Security Suite application, which enables DLL search order hijacking. The LODEINFO malware has undergone active development since its discovery in December 2019; "its functionality allows capturing screenshots, keylogging, killing processes, exfiltrating files, and executing additional files and commands."
LODEINFO is also used to download MirrorFace's credential stealer, MirrorStealer, which can extract credentials from web browsers and email clients. MirrorStealer is likely reserved for Japan-focused operations, as it targets the popular Japanese email client 'Becky!'. Credentials extracted by MirrorStealer are saved to a file in the TEMP directory and then transferred to the attacker's command and control server. The campaign operators put little effort into cleaning up traces of their activity, which fortunately enabled ESET researchers to study the artifacts they left behind.
- Malicious File Delivering Malware
Anvilogic Use Cases:
- Compressed File Execution
- Network Connection with Suspicious Folder
- New AutoRun Registry Key
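The use cases above map directly onto the chain described in the summary (SFX archive drops files into a user-writable folder, a relocated legitimate binary sideloads an unsigned DLL from that folder, the implant contacts C2, persistence is set via a Run key). The following is an added illustration, not code from ESET or Anvilogic: it evaluates those use cases over constructed Sysmon-style events and escalates a process that trips more than one. All file names, paths, SIDs and the IP address are placeholders, not indicators from the report.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events standing in for the described chain.
# Names and paths are placeholders, not IoCs from the ESET report.
SFX_DIR = r"C:\Users\alice\AppData\Local\Temp\RarSFX0"
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": SFX_DIR + r"\vendor_av.exe",
     "ParentImage": r"C:\Users\alice\Downloads\invitation.exe"},
    {"EventType": "ImageLoad", "Image": SFX_DIR + r"\vendor_av.exe",
     "ImageLoaded": SFX_DIR + r"\loader.dll", "Signed": "false"},
    {"EventType": "NetworkConnect", "Image": SFX_DIR + r"\vendor_av.exe",
     "DestinationIp": "203.0.113.10"},
    {"EventType": "RegistryEvent", "Image": SFX_DIR + r"\vendor_av.exe",
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\vendor_av"},
    # Benign noise: an installed vendor binary loading a system DLL.
    {"EventType": "ProcessCreate", "Image": r"C:\Program Files\Vendor\app.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventType": "ImageLoad", "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
]

USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\(AppData\\Local\\Temp|Downloads)\\", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)

def folder(path):
    """Directory part of a Windows path, lower-cased (string split so it runs on any OS)."""
    return path.rsplit("\\", 1)[0].lower()

def rule_for(ev):
    """Map one event to the use case it trips, or None if it looks benign."""
    kind, image = ev["EventType"], ev.get("Image", "")
    if kind == "ProcessCreate" and USER_WRITABLE.match(image) and USER_WRITABLE.match(ev.get("ParentImage", "")):
        return "Compressed File Execution"          # child spawned from a user-writable extraction dir
    if (kind == "ImageLoad" and USER_WRITABLE.match(image)
            and folder(ev["ImageLoaded"]) == folder(image) and ev.get("Signed", "").lower() == "false"):
        return "DLL Search Order Hijacking"         # unsigned DLL sitting beside the relocated executable
    if kind == "NetworkConnect" and USER_WRITABLE.match(image):
        return "Network Connection with Suspicious Folder"
    if kind == "RegistryEvent" and RUN_KEY.search(ev.get("TargetObject", "")):
        return "New AutoRun Registry Key"
    return None

def correlate(events, min_rules=2):
    """Group hits per process image; return images tripping at least min_rules distinct use cases."""
    hits = defaultdict(set)
    for ev in events:
        rule = rule_for(ev)
        if rule:
            hits[ev["Image"].lower()].add(rule)
    return {img: rules for img, rules in hits.items() if len(rules) >= min_rules}

if __name__ == "__main__":
    for img, rules in correlate(SAMPLE_EVENTS).items():
        print(img, "->", sorted(rules))
```

Tuning the path pattern to your estate's extraction and download locations is the main knob; a single hit is noisy on its own, which is why the escalation requires two or more distinct use cases on the same image.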