
MirrorFace Hackers Adapt AsyncRAT for Evasive Execution Within Windows Sandbox


In a recent cyberespionage campaign, the China-aligned threat actor MirrorFace has significantly updated its tactics, techniques, and procedures (TTPs) by incorporating a heavily customized version of the AsyncRAT malware.

This adaptation allows the malware to execute within Windows Sandbox, effectively evading detection by security controls.

The campaign, dubbed Operation AkaiRyū, marks a notable expansion of MirrorFace’s operations beyond its traditional focus on Japan, as it targeted a Central European diplomatic institute for the first time.

Enhanced Evasion Techniques

MirrorFace’s use of AsyncRAT within Windows Sandbox is part of a broader strategy to obscure malicious activities.

The group deploys a complex execution chain involving legitimate tools like 7-Zip and PowerShell to unpack and run AsyncRAT inside the sandbox.

[Figure: AsyncRAT execution chain]

This approach requires Windows Sandbox to be manually enabled and necessitates a system reboot, highlighting the sophistication of MirrorFace’s tactics.

The customized AsyncRAT variant includes features such as sample tagging, connection to command and control (C&C) servers via Tor, and a domain generation algorithm (DGA) for generating machine-specific domains.
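The technique described above leaves host-side preconditions and artefacts that a defender can check for: the Windows Sandbox optional feature has to be enabled (which requires a reboot), the sandbox is normally driven by a .wsb configuration file that can map host folders and name a command to run at logon, and the launcher process itself is visible to host telemetry. The following hunt script is an added example written for this article; it is not from ESET’s report and is not tied to any indicator MirrorFace actually used. It assumes an elevated PowerShell session on Windows 10/11 Pro or Enterprise, and Sysmon writing to its default operational channel for the process-creation part. The feature name `Containers-DisposableClientVM`, the `.wsb` extension and the `WindowsSandbox.exe` image name are standard Windows facts; the parent/child pattern matched in the last function is an assumed shape of the unpack-and-run chain, not a signature taken from the report.

```powershell
# Added hunt script (not the article's or ESET's code). Assumptions: run elevated on
# Windows 10/11 Pro/Enterprise; Sysmon present with its default channel name.

function Get-SandboxFeatureState {
    # Windows Sandbox is the optional feature 'Containers-DisposableClientVM'.
    # 'Enabled' on a workstation where nobody deployed it by policy is a hunt lead,
    # and enabling it forces a reboot, which is a second event to correlate.
    $f = Get-WindowsOptionalFeature -Online -FeatureName 'Containers-DisposableClientVM' -ErrorAction SilentlyContinue
    if ($null -eq $f) { return 'NotPresent' }
    return [string]$f.State
}

function Find-SandboxConfigFiles {
    param([string[]]$Roots = @("$env:SystemDrive\Users", "$env:ProgramData", "$env:SystemRoot\Temp"))
    # .wsb files are Windows Sandbox configuration files. They may map host folders into
    # the sandbox and carry a LogonCommand that runs when the sandbox starts, so each
    # file is listed together with the command and host paths it references.
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Filter '*.wsb' -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
            $xml = $null
            try { [xml]$xml = Get-Content -Path $_.FullName -Raw -ErrorAction Stop } catch { }
            [pscustomobject]@{
                Path         = $_.FullName
                LastWrite    = $_.LastWriteTime
                LogonCommand = if ($xml) { [string]$xml.Configuration.LogonCommand.Command } else { '<unparsable>' }
                MappedHost   = if ($xml) { @($xml.Configuration.MappedFolders.MappedFolder | ForEach-Object { $_.HostFolder }) -join ';' } else { '' }
            }
        }
    }
}

function Get-SandboxProcessEvents {
    param([int]$Days = 30)
    # Sysmon Event ID 1 (process create) on the HOST. Processes running inside the sandbox
    # are in a separate VM and never appear here; what the host sees is the launcher
    # (WindowsSandbox.exe) and any host-side staging such as PowerShell driving 7-Zip.
    # The parent/child match below is an assumed shape of that chain, not a report signature.
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $img = [string]$d['Image']
        $par = [string]$d['ParentImage']
        $sandboxStart = $img -match '\\WindowsSandbox(Client)?\.exe$'
        $stagingChain = ($img -match '\\7z(g|a)?\.exe$' -or $img -match '\\powershell\.exe$') -and
                        ($par -match '\\powershell\.exe$' -or $par -match '\\WindowsSandbox')
        if ($sandboxStart -or $stagingChain) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Image       = $img
                Parent      = $par
                CommandLine = [string]$d['CommandLine']
            }
        }
    }
}

# Usage: run all three checks and review the output side by side.
Get-SandboxFeatureState
Find-SandboxConfigFiles | Format-Table -AutoSize
Get-SandboxProcessEvents | Format-Table -AutoSize
```

The process-creation check only covers the host side: nothing that executes inside the sandbox reaches host Sysmon or EDR, which is the whole reason the technique is attractive. The practical controls are therefore on the preconditions, that is, keeping the optional feature disabled by policy where it is not needed and alerting on its enablement, and on the .wsb files and launcher process that the host does see.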

Integration with Other Tools

In addition to AsyncRAT, MirrorFace has also revived the use of ANEL, a backdoor previously associated with APT10, as its first-line backdoor.

This move further solidifies the connection between MirrorFace and APT10, with many researchers now considering MirrorFace a subgroup under the APT10 umbrella.

[Figure: The first email sent to the target]

The group also employs Visual Studio Code’s remote tunnels to establish stealthy access to compromised machines, execute arbitrary code, and deliver additional tools.

This multi-tool approach allows MirrorFace to maintain persistence and evade detection effectively.

ESET researchers collaborated with the affected Central European diplomatic institute to analyze the post-compromise activities of MirrorFace.

The investigation revealed that MirrorFace selectively deployed tools based on the target’s environment and objectives.

For instance, on one machine, the group focused on stealing personal data, while on another, it sought deeper network access.

The use of tools like PuTTY, VS Code, and HiddenFace, MirrorFace’s flagship backdoor, was observed across compromised machines.

MirrorFace’s improved operational security, including deleting tools and clearing event logs, complicates incident investigations.

The evolution of MirrorFace’s tactics underscores the group’s adaptability and its continued focus on espionage and data exfiltration.

As cybersecurity threats become more sophisticated, understanding these advanced techniques is crucial for developing effective defense strategies against such threats.
