MirrorFace Attack against Japanese Organisations

Aug. 2, 2024, 9:03 a.m.

Description

The report provides in-depth details about the malware used by the threat actor MirrorFace in targeted attacks against Japanese organizations. It describes the NOOPDOOR malware's execution flow, obfuscation techniques, functionality, and the tactics, techniques, and procedures employed by the attackers. The report covers aspects such as initial access vectors, lateral movement, credential access, defense evasion techniques, and data exfiltration methods. The analysis aims to aid in detecting and mitigating these types of attacks.

External References

https://blogs.jpcert.or.jp/en/2024/07/mirrorface-attack-against-japanese-organisations.html
https://otx.alienvault.com/pulse/66ac9ba81220e9a190ea137f
Tags
malware
apt
2024-08-02
lodeinfo
noopdoor
ttp

Date

  • Created: Aug. 2, 2024, 8:41 a.m.
  • Published: Aug. 2, 2024, 8:41 a.m.
  • Modified: Aug. 2, 2024, 9:03 a.m.

Indicators

  • 2a12:a300:3700::5d9f:b451
  • 2a12:a300:3600::31b5:2e02
  • 2400:8902::f03c:93ff:fe8a:5327
  • 2001:19f0:7001:2ae2:5400:4ff:fe0a:5566
  • bcd34d436cbac235b56ee5b7273baed62bf385ee13721c7fdcfc00af9ed63997
  • b07c7dfb3617cd40edc1ab309a68489a3aa4aa1e8fd486d047c155c952dc509e
  • 9590646b32fec3aafd6c648f69ca9857fb4be2adfabf3bcaf321c8cd25ba7b83
  • 93af6afb47f4c42bc0da3eedc6ecb9054134f4a47ef0add0d285404984011072
  • 7a7e7e0d817042e54129697947dfb423b607692f4457163b5c62ffea69a8108d
  • 572f6b98cc133b2d0c8a4fd8ff9d14ae36cdaa119086a5d56079354e49d2a7ce
  • 5e7cd0461817b390cf05a7c874e017e9f44eef41e053da99b479a4dfa3a04512
  • 4f932d6e21fdd0072aba61203c7319693e490adbd9e93a49b0fe870d4d0aed71
  • 0d59734bdb0e6f4fe6a44312a2d55145e98b00f75a148394b2e4b86436c32f4c
  • 43349c97b59d8ba8e1147f911797220b1b7b87609fe4aaa7f1dbacc2c27b361d
  • 89.233.109.69
  • 64.176.214.51
  • 45.77.12.212
  • 207.148.97.235
  • 45.66.217.106
  • 207.148.103.42
  • 108.160.130.45
  • 168.100.8.103
  • 95.85.91.15
  • 45.77.183.161
  • 45.76.222.130
  • https://blog.itochuci.co.jp/entry/2024/01/24/134047
  • blog.itochuci.co.jp

Attack Patterns

  • NOOPDOOR
  • LODEINFO
  • MirrorFace
  • T1134.002
  • T1127.001
  • T1568.002
  • T1562.004
  • T1021.002
  • T1039
  • T1543.003
  • T1070.001
  • T1053.005
  • T1560.001
  • T1087
  • T1070.006
  • T1070.004
  • T1562.001
  • T1564
  • T1083
  • T1055
  • T1140
  • T1112
  • T1133
  • T1003
  • CVE-2022-1388