
MirrorFace Uses MirrorStealer Against Japanese Targets in Operation LiberalFace

ESET researchers tracked a campaign, dubbed Operation LiberalFace, aimed at Japanese political entities. The spear-phishing campaign has been attributed to a Chinese threat actor, MirrorFace. 

Diving into details

MirrorFace began targeting Japanese political entities in the weeks before the House of Councillors election in July 2022.
  • In its spear-phishing emails, the group posed as PR agents.
  • In some cases it impersonated a Japanese ministry. The attachment was a self-extracting WinRAR archive: opening it displayed a decoy document while the archive silently dropped the malware components in the background.
  • The payload included a previously undocumented credential stealer, MirrorStealer, and LODEINFO, a backdoor that communicated with C2 infrastructure attributed to MirrorFace, a group that overlaps with the actor tracked as APT10 or Cicada.
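The lure described above is a WinRAR self-extracting archive: a small PE stub with a RAR archive appended, whose post-extraction commands (Setup=, Silent=, Path=, and so on) are stored in the archive comment. The following triage helper is an added example, not code from ESET's report or from this write-up; it checks for the stub plus the RAR signature and lifts any SFX commands visible in plain text. The sample bytes, file names and the "suspicious"/"review" verdict labels are constructed for the example.

```python
"""Triage helper for WinRAR self-extracting (SFX) archives used as phishing lures.

A WinRAR SFX file is a PE stub with a RAR archive appended; the commands that
run after extraction (Setup=, Silent=, Path=, ...) live in the archive comment.
This script checks for the stub + RAR signature and lifts any such commands it
can see in plain text. The sample bytes below are constructed for the example,
not a real malware file.
"""
import re

RAR4_SIG = b"Rar!\x1a\x07\x00"        # RAR 1.5 - 4.x archive marker
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"    # RAR 5.x archive marker

# WinRAR SFX script commands of interest; the value is printable ASCII up to end of line.
SFX_CMD_RE = re.compile(rb"(Setup|Silent|Path|TempMode|Overwrite|Update|Title)=([ -~]*)")


def find_rar_payload(data: bytes):
    """Return (offset, rar_version) of a RAR archive appended to a PE stub, or None.

    A bare RAR archive (no MZ header) is not an SFX and returns None.
    """
    if not data.startswith(b"MZ"):
        return None
    hits = []
    for sig, version in ((RAR4_SIG, 4), (RAR5_SIG, 5)):
        off = data.find(sig, 2)
        if off != -1:
            hits.append((off, version))
    return min(hits) if hits else None   # earliest signature wins


def extract_sfx_commands(data: bytes, offset: int):
    """Scan the appended archive for plaintext SFX script commands.

    Heuristic only: newer WinRAR versions may store the comment compressed, in
    which case nothing is found even though commands exist.
    """
    return [(k.decode("ascii"), v.decode("ascii").strip())
            for k, v in SFX_CMD_RE.findall(data[offset:])]


def triage(data: bytes) -> dict:
    """Classify a file: is it a WinRAR SFX, what does it run, and does it hide itself?"""
    found = find_rar_payload(data)
    if found is None:
        return {"is_sfx": False, "verdict": "not a WinRAR SFX archive"}
    offset, version = found
    commands = extract_sfx_commands(data, offset)
    runs = [v for k, v in commands if k == "Setup"]            # programs started after extraction
    silent = any(k == "Silent" and v not in ("", "0") for k, v in commands)  # extraction UI hidden
    if runs and silent:
        verdict = "suspicious"      # runs something and hides the fact
    elif runs:
        verdict = "review"          # runs something, but visibly
    else:
        verdict = "sfx, no plaintext Setup commands"
    return {"is_sfx": True, "rar_version": version, "rar_offset": offset,
            "commands": commands, "runs": runs, "silent": silent, "verdict": verdict}


# Constructed stand-in for a lure of the LiberalFace type: a fake PE stub, an
# appended RAR4 archive and an SFX comment that opens a decoy document and then
# silently starts a loader. Not a real sample; the file names are invented.
SAMPLE_SFX = (
    b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 200
    + RAR4_SIG + b"\x00" * 13
    + b"Path=%TEMP%\r\nSetup=decoy.docx\r\nSetup=loader.exe\r\nSilent=1\r\nOverwrite=1\r\n"
    + b"\x00" * 32
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_SFX
    for key, value in triage(data).items():
        print(f"{key}: {value}")
```

Run it with a file path to triage an attachment, or with no arguments to see the constructed sample classified as suspicious. The MZ-plus-RAR-signature check is the dependable part; the command scan is a convenience that misses compressed comments, so a hit is evidence but a miss is not a clean bill of health.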

More on MirrorStealer

MirrorFace used LODEINFO to deploy MirrorStealer on compromised systems. 
  • MirrorStealer harvests credentials stored in web browsers and email clients, including Becky!, an email client popular in Japan.
  • That focus suggests the group developed MirrorStealer specifically for its Japan-focused operations. 
  • MirrorStealer writes the stolen credentials to a text file and has no exfiltration capability of its own; the operators use LODEINFO to send that file to the C2 server. 

Another campaign

  • Last month, Kaspersky researchers described another APT10 campaign that delivered LODEINFO through a spear-phishing email carrying a self-extracting archive and the DOWNIISSA downloader. The chain also abused DLL side-loading against a legitimate K7Security Suite executable to load the malware. 
  • A new variant of LODEINFO was used in this campaign to target Japanese government and public sector entities, media groups, think tanks, and diplomatic agencies. 

Closing lines

In Operation LiberalFace, MirrorFace showed poor operational security: it did not clean up after itself and left behind the text file in which MirrorStealer had stored all of the stolen credentials. The group has targeted Japanese entities for some time; this campaign focused on one particular political party.
Publisher: Cyware