MirrorFace Cyberattacks: Exploiting Internet Vulnerabilities to Cripple Organizations

MirrorFace, a threat actor that has targeted media, political organizations and academic institutions since 2022, shifted its focus to manufacturers and research institutions in 2023.

Initially relying on spear phishing, the actor now exploits vulnerabilities in internet-facing assets such as Array AG and FortiGate products to gain a foothold in target networks. Its backdoor, NOOPDOOR, is shellcode delivered by an XML- or DLL-based loader and injected into legitimate applications.

The XML variant carries obfuscated C# code that is compiled on the host with MSBuild and decrypted with identifiers unique to that machine. The DLL variant relies on Windows scheduled tasks and DLL side-loading. Both types keep the payload encrypted on disk so that it persists after execution.

[Figure: MirrorFace attack activities timeline]

NOOPLDR, the loader, comes in XML and DLL forms. XML-based NOOPLDRs inject into a range of processes (lsass, tabcal, rdrleakdiag, svchost, wuauclt, vdsldr and prevhost) and store their configuration in the HKLM and HKCU registry hives.

DLL-based NOOPLDRs typically inject into wuauclt, register as services with their configuration in HKCU, or store the configuration directly in HKCU without any process injection.

Some DLL-based NOOPLDRs can register themselves as a service and then conceal that service by using the ‘sc’ command to modify its security descriptor. The Type 2 variant additionally employs Control Flow Flattening (CFF) to obfuscate its code, which makes its functionality difficult to follow.

Tools such as D810 can partially deobfuscate CFF code, and JPCERT/CC offers a dedicated script (Deob_NOOPLDR.py) that simplifies the process; combined with conventional deobfuscation techniques, this allows deeper analysis of NOOPLDR’s behavior.

[Figure: CFF-obfuscated function (left) and deobfuscated function (right)]
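Returning to the service concealment mentioned above: a service that has been hidden by rewriting its security descriptor still has that descriptor on record, and `sc sdshow <service>` prints it as an SDDL string. The following is an added example, not code from the article or from JPCERT/CC, that parses such SDDL strings and flags deny ACEs which strip the query and enumeration rights from the principals management tooling runs as. The right-code and SID-alias meanings follow the Windows SDDL documentation for service objects; the two sample descriptors are constructed (the first is the stock DACL a new service receives, the second carries deny ACEs of the kind a concealed service shows).

```python
import re

# Service-object access rights as they appear in SDDL access-mask strings.
# A deny ACE that removes these from ordinary principals makes the service
# disappear from "sc query" and Get-Service while it keeps running.
ENUMERATION_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG",
    "LC": "SERVICE_QUERY_STATUS",
    "SW": "SERVICE_ENUMERATE_DEPENDENTS",
}

# SDDL SID aliases for principals that normally hold those rights on a service.
MANAGEMENT_PRINCIPALS = {
    "IU": "Interactive users",
    "SU": "Service logon users",
    "BA": "Built-in administrators",
    "SY": "Local SYSTEM",
    "WD": "Everyone",
}

# One ACE: (type;flags;rights;object_guid;inherit_object_guid;trustee)
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")
# The DACL section: "D:" plus optional control flags, then one or more ACEs.
DACL_RE = re.compile(r"D:(?:P|AI|AR|PAI|PAR)?((?:\([^)]*\))+)")


def parse_dacl(sddl):
    """Return the DACL of an SDDL string as a list of (ace_type, rights, trustee).

    rights is a set of two-letter SDDL right codes; a raw hex mask is kept as a
    single string so the caller can still inspect it.
    """
    m = DACL_RE.search(sddl)
    if not m:
        return []
    aces = []
    for ace_type, _flags, rights, _obj, _inh, trustee in ACE_RE.findall(m.group(1)):
        if rights.startswith("0x"):
            codes = {rights}
        else:
            codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        aces.append((ace_type, codes, trustee))
    return aces


def hidden_service_findings(service_name, sddl):
    """Describe every deny ACE that removes enumeration rights from a management principal."""
    findings = []
    for ace_type, rights, trustee in parse_dacl(sddl):
        stripped = sorted(r for r in rights if r in ENUMERATION_RIGHTS)
        if ace_type == "D" and stripped and trustee in MANAGEMENT_PRINCIPALS:
            names = ", ".join(ENUMERATION_RIGHTS[r] for r in stripped)
            findings.append(
                f"{service_name}: deny ACE removes {names} from "
                f"{MANAGEMENT_PRINCIPALS[trustee]} ({trustee})"
            )
    return findings


def audit_services(descriptors):
    """Map service name -> findings, keeping only services whose DACL looks tampered with."""
    report = {}
    for name, sddl in descriptors.items():
        findings = hidden_service_findings(name, sddl)
        if findings:
            report[name] = findings
    return report


# Constructed sample descriptors (not taken from the article), in the form
# "sc sdshow" prints them.
SAMPLE_DESCRIPTORS = {
    "BackupAgent": (
        "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
        "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
        "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
    ),
    "WinUpdSvc": (
        "D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)"
        "(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
        "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
    ),
}

if __name__ == "__main__":
    for name, findings in audit_services(SAMPLE_DESCRIPTORS).items():
        print(name)
        for line in findings:
            print("  " + line)
```

In practice the descriptors would be collected from every service name found under the registry's Services key rather than from `sc query`, since the whole point of the tampering is that `sc query` no longer lists the service.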

Beyond the loader’s obfuscation, NOOPDOOR itself carries the malicious functionality: it communicates over port 443 and selects its destinations dynamically with a Domain Generation Algorithm (DGA).

It also receives commands over TCP port 47000, which enable actions such as file transfer and execution. To hinder forensic analysis, NOOPDOOR can additionally manipulate file timestamps.

The attackers aggressively pursue Windows network credentials using several tactics, including extracting credentials from a memory dump of the running LSASS process, a method that Microsoft Defender can detect.

They also target the domain controller database (NTDS.dit) using tools such as vssadmin, which leaves traceable events, and access the SYSTEM, SAM and SECURITY registry hives to recover credentials from the SAM database; whether this is detected depends on the EDR solution in use.

With Windows network administrator privileges, the attackers spread malware over SMB to multiple clients and servers, particularly high-value targets such as file servers, Active Directory (AD) servers and anti-virus management servers.

[Figure: commands used to list files]

Event IDs 4698 (a scheduled task was created) and 5145 (detailed file share access) in the Windows Security event log can be used to detect scheduled task creation and SMB file copying respectively, helping to identify lateral movement and reconnaissance.

According to JPCERT/CC, after reconnaissance the attackers exfiltrated data using WinRAR and SFTP: they ran ‘dir /s’ to enumerate the files on the file server and compressed the results into a RAR archive.

They then executed multiple ‘cmd.exe /c dir’ commands against system drives, user profiles, OneDrive, Teams, IIS and specific program directories to gather file and directory listings, most likely to identify targets for further compromise and data theft.
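The event-log detection idea above (4698 for task creation, 5145 for SMB copying) and the ‘dir /s’ reconnaissance just described can be turned into three concrete checks. The following is an added example, not detection logic from the article or from JPCERT/CC: it runs over a handful of constructed Security-log records (a SIEM-style subset of the fields each event carries) and flags writes into administrative shares, a scheduled task created on a host shortly after such a write, and process creations that run a recursive directory listing. It assumes process-creation auditing with command-line logging (Event ID 4688) is enabled, which the article does not mention, and that 5145 records expose the share name, target path and access mask as separate fields.

```python
from datetime import datetime, timedelta

WRITE_DATA = 0x2                      # 5145 AccessMask bit: WriteData / AddFile
TASK_WINDOW = timedelta(minutes=10)   # how soon after a remote write a new task is suspicious
RECON_FLAG = "/s"                     # recursive switch of the dir command


def _when(ev):
    return datetime.fromisoformat(ev["Time"])


def admin_share_writes(events):
    """5145 records that write into an administrative share (ADMIN$, C$, ...)."""
    return [
        ev for ev in events
        if ev["EventID"] == 5145
        and ev["ShareName"].endswith("$")
        and int(ev["AccessMask"], 16) & WRITE_DATA
    ]


def task_after_remote_write(events):
    """4698 task creations on a host that received an admin-share write shortly before.

    Returns (task name, writer IP, file written) tuples: a file dropped over SMB
    followed by a new scheduled task on the same host is the lateral-movement
    pattern the two event IDs expose together.
    """
    writes = admin_share_writes(events)
    hits = []
    for ev in events:
        if ev["EventID"] != 4698:
            continue
        for w in writes:
            gap = _when(ev) - _when(w)
            if w["Computer"] == ev["Computer"] and timedelta(0) <= gap <= TASK_WINDOW:
                hits.append((ev["TaskName"], w["IpAddress"], w["RelativeTargetName"]))
                break
    return hits


def recursive_dir_recon(events):
    """4688 process creations whose command line runs a recursive 'dir /s' listing."""
    hits = []
    for ev in events:
        if ev["EventID"] != 4688:
            continue
        tokens = ev["CommandLine"].lower().split()
        if "dir" in tokens and RECON_FLAG in tokens:
            hits.append((ev["Computer"], ev["SubjectUserName"], ev["CommandLine"]))
    return hits


def summarize(events):
    """Run all three checks and return only those that produced findings."""
    report = {
        "admin_share_writes": [
            (e["IpAddress"], e["ShareName"], e["RelativeTargetName"])
            for e in admin_share_writes(events)
        ],
        "task_after_remote_write": task_after_remote_write(events),
        "recursive_dir_recon": recursive_dir_recon(events),
    }
    return {name: hits for name, hits in report.items() if hits}


# Constructed sample records (not from the article): a minimal field subset of
# Security-log events 5145, 4698 and 4688 on a file server called FS01.
SAMPLE_EVENTS = [
    {"EventID": 5145, "Computer": "FS01", "Time": "2024-05-01T02:10:05", "IpAddress": "10.10.20.7",
     "SubjectUserName": "adm_backup", "ShareName": r"\\*\ADMIN$",
     "RelativeTargetName": r"temp\upd.dll", "AccessMask": "0x2"},
    {"EventID": 5145, "Computer": "FS01", "Time": "2024-05-01T02:10:06", "IpAddress": "10.10.20.7",
     "SubjectUserName": "adm_backup", "ShareName": r"\\*\ADMIN$",
     "RelativeTargetName": r"temp\upd.xml", "AccessMask": "0x2"},
    {"EventID": 4698, "Computer": "FS01", "Time": "2024-05-01T02:12:40",
     "SubjectUserName": "adm_backup", "TaskName": r"\Microsoft\Windows\Maintenance\upd"},
    {"EventID": 4688, "Computer": "FS01", "Time": "2024-05-01T02:30:00",
     "SubjectUserName": "adm_backup", "CommandLine": r"cmd.exe /c dir /s C:\Users > C:\Windows\Temp\u.txt"},
    {"EventID": 4688, "Computer": "FS01", "Time": "2024-05-01T02:31:00",
     "SubjectUserName": "adm_backup", "CommandLine": r"cmd.exe /c dir C:\inetpub /s"},
    # benign: a read of an ordinary share hours later
    {"EventID": 5145, "Computer": "FS01", "Time": "2024-05-01T09:00:00", "IpAddress": "10.10.30.9",
     "SubjectUserName": "jdoe", "ShareName": r"\\*\Projects",
     "RelativeTargetName": r"q2\report.docx", "AccessMask": "0x1"},
]

if __name__ == "__main__":
    for check, hits in summarize(SAMPLE_EVENTS).items():
        print(check)
        for hit in hits:
            print("  ", hit)
```

The window in `task_after_remote_write` is the tunable part: too short and the pair is missed when the task is created later in the session, too long and routine administration starts to match. Pairing the two events per host is what separates this from simply alerting on every admin-share write, which is noisy on any network that uses remote management.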

Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and reporter with Cyber Press. She covers cyber security incidents happening across cyberspace.
