Chinese state-sponsored hacking group MirrorFace has launched a new spear-phishing campaign targeting Japanese organizations and individuals since June 2024, deploying sophisticated backdoor malware.
According to cybersecurity firm Trend Micro, the campaign marks the return of the ANEL backdoor, previously unused since 2018, alongside the NOOPDOOR malware. This represents a shift from MirrorFace's 2023 tactics that focused on exploiting network device vulnerabilities.
The attackers are specifically pursuing targets connected to Japan's national security and international relations. Their spear-phishing emails, sent from compromised or free accounts, contain Microsoft OneDrive links leading to malicious ZIP archives. The lures often reference interview requests or Japan's economic security in the context of US-China relations.
The attack chain involves multiple stages:
- Recipients download infected ZIP files from OneDrive
- Archives contain either macro-enabled Word documents or Windows shortcuts
- These components deploy the ROAMINGMOUSE dropper
- ROAMINGMOUSE then installs the ANEL and NOOPDOOR backdoors
The ANEL backdoor, an HTTP-based tool, allows attackers to capture screenshots, transfer files, execute commands, and run programs with elevated privileges. In select cases, the attackers also deploy NOOPDOOR for additional system access.
"Many targets are individuals like researchers who may have different security measures compared to enterprises, making detection more challenging," notes Trend Micro researcher Hara Hiroaki.
The campaign highlights the ongoing cyber threats faced by Japanese entities from sophisticated state-backed actors. Security experts recommend heightened vigilance against suspicious emails and maintaining robust security practices.