Back

MirrorFace Attack against Japanese Organisations

Aug. 2, 2024, 9:03 a.m.

Tags

malware
apt
2024-08-02
lodeinfo
noopdoor
ttp

External References

https://blogs.jpcert.or.jp/

https://otx.alienvault.com/

Description

The report provides in-depth details about the malware used by the threat actor MirrorFace in targeted attacks against Japanese organizations. It describes the NOOPDOOR malware's execution flow, obfuscation techniques, functionality, and the tactics, techniques, and procedures employed by the attackers. The report covers aspects such as initial access vectors, lateral movement, credential access, defense evasion techniques, and data exfiltration methods. The analysis aims to aid in detecting and mitigating these types of attacks.

Date

Published Created Modified
Aug. 2, 2024, 8:41 a.m. Aug. 2, 2024, 8:41 a.m. Aug. 2, 2024, 9:03 a.m.

Indicators

2a12:a300:3700::5d9f:b451

2a12:a300:3600::31b5:2e02

2400:8902::f03c:93ff:fe8a:5327

2001:19f0:7001:2ae2:5400:4ff:fe0a:5566

bcd34d436cbac235b56ee5b7273baed62bf385ee13721c7fdcfc00af9ed63997

b07c7dfb3617cd40edc1ab309a68489a3aa4aa1e8fd486d047c155c952dc509e

9590646b32fec3aafd6c648f69ca9857fb4be2adfabf3bcaf321c8cd25ba7b83

93af6afb47f4c42bc0da3eedc6ecb9054134f4a47ef0add0d285404984011072

7a7e7e0d817042e54129697947dfb423b607692f4457163b5c62ffea69a8108d

572f6b98cc133b2d0c8a4fd8ff9d14ae36cdaa119086a5d56079354e49d2a7ce

5e7cd0461817b390cf05a7c874e017e9f44eef41e053da99b479a4dfa3a04512

4f932d6e21fdd0072aba61203c7319693e490adbd9e93a49b0fe870d4d0aed71

0d59734bdb0e6f4fe6a44312a2d55145e98b00f75a148394b2e4b86436c32f4c

43349c97b59d8ba8e1147f911797220b1b7b87609fe4aaa7f1dbacc2c27b361d

89.233.109.69

64.176.214.51

45.77.12.212

207.148.97.235

45.66.217.106

207.148.103.42

108.160.130.45

168.100.8.103

95.85.91.15

45.77.183.161

45.76.222.130

https://blog.itochuci.co.jp/entry/2024/01/24/134047

Attack Patterns

NOOPDOOR

LODEINFO

MirrorFace

T1134.002

T1127.001

T1568.002

T1562.004

T1021.002

T1039

T1543.003

T1070.001

T1053.005

T1560.001

T1087

T1070.006

T1070.004

T1562.001

T1564

T1083

T1055

T1140

T1112

T1133

T1003

CVE-2022-1388