MirrorFace Runs Operation ‘LiberalFace’ to Spy on Japanese Officials

ESET Researchers found email evidence of a spear phishing campaign that targeted political entities that took part in the Japanese House of Councillors election in July 2022.

As per the report, “Operation LiberalFace” contained the MirrorFace group’s flagship backdoor LODEINFO employed since 29 June 2022. Using this backdoor, the group launched malware attacks on Japanese political staff.

The researchers also believe that the campaign had a specific target the group intended to spy on. The backdoor LODEINFO was used to steal the target’s credentials, exfiltrate their system data, capture screenshots and keystrokes, and access other documents and emails. The malware worked as a self-extracting WinRAR archive with legitimate names such as, ‘Documents from the Ministry of election administration committee.’

Spearphishing email details used by MirrorFace

1. The fake emails were crafted to replicate those from the public relations department of Japanese political parties.
2. It talked about a request pertaining to the house of councilor elections.
3. The sender of these infected emails names themselves like a prominent politician.
4. The subject in one of the emails was ‘SNS 用動画 拡散のお願い’ which translated to ‘Request for spreading videos for SNS.’

Four files would get extracted, including the malicious loader, and the decoy document would get saved in the %TEMP% folder. K7SysMon.exe would load the malicious loader K7SysMn1.dll that would be dropped together. The loader would then access the content of KySysMon.Exe.db, decrypt it, and execute it.

Upon observing the flow of instructions, researchers noticed that the subcommand ‘-memory’ was used only to keep MirrorStealer in its memory and not to drop it on the disk.

The command ‘memory’ was issued for LODEINFO to take the malicious MirrorStealer, inject it in the ‘cmd.exe’ process, and run it. MirrorStealer would then store the stolen system data in %temp%\31558.txt. Since the malware was not capable of stealing cookies, the hackers did so manually using LODEINFO commands:

1. dir
2. %LocalAppData%\Google\Chrome\User Data\
3. %LocalAppData%\Microsoft\Edge\User Data\

One of the SHA-1 was F4691FF3B3ACD15653684F372285CAC36C8D0AEF with the filename K7SysMn1.dll. It was named Win32/Agent.ACLP. MirorFace used a secure copy protocol (SCP) to send the stolen data.

Details of the network

An undocumented credential-stealing malware called ‘MirrorStealer’ was also used in this campaign. This spearphishing campaign is allegedly run by the Chinese-speaking MirrorFace which often targets companies in Japan. They indulge in cyberespionage and exfiltrate sensitive system data. The groups’ other targets include think tanks, diplomatic organizations, defense-related companies, media, etc. They have used the same backdoor LODEINFO in most of their cyberattacks in Japan.