Before the House of Councillors election in July 2022, a hacking group known as MirrorFace targeted Japanese lawmakers with a previously unknown credential stealer dubbed “MirrorStealer.” ESET identified the campaign, and its researchers say they were able to reconstruct it because the operators’ mistakes left traces behind.
The attackers also used LODEINFO, the group’s signature backdoor, both to communicate with a C2 server already known to be part of the APT10 infrastructure and to control the new information stealer. According to a Kaspersky analysis from October 2022, LODEINFO has been used widely against high-profile Japanese targets, and that study also stressed that the custom backdoor is under continuous development.
On June 29, 2022, the MirrorFace group (also tracked as APT10 and Cicada) began sending spear-phishing emails to its targets, impersonating PR representatives of the recipient’s political party and asking them to share the attached video files on social media. In other cases, the threat actors posed as a Japanese government body and attached fake documents that, when opened, unpacked a WinRAR archive.
The archive contained a legitimate K7Security Suite application abused for DLL search order hijacking, a malicious DLL loader, and an encrypted copy of the LODEINFO malware. The backdoor is loaded directly into memory using the same covert attack chain that Kaspersky described in its earlier research. APT10 then used LODEINFO to deploy MirrorStealer (‘31558_n.dll’) on infected PCs. MirrorStealer targets credentials stored in web browsers and email clients, including “Becky!,” an email client popular in Japan, which suggests that MirrorStealer was built specifically for APT10’s operations against Japanese targets.
Because MirrorStealer has no exfiltration capability of its own, all stolen credentials are written to a text file in the TEMP directory, where they wait for LODEINFO to send them to the C2. LODEINFO also acts as the conduit between the C2 and MirrorStealer, relaying the operator’s commands to the info-stealer. ESET analysts observed LODEINFO being instructed to load MirrorStealer into the compromised system’s memory, inject it into a newly spawned cmd.exe process, and run it there. There are also signs that the remote operator tried to use MirrorStealer to exfiltrate browser cookies but had to fall back on LODEINFO, since the new info-stealer does not support that function.
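The chain described in the two paragraphs above (a side-loaded DLL, a freshly spawned cmd.exe that receives an injected payload, and a credential text file staged in TEMP) can be turned into host-side detection logic. The following is an added example, not code from ESET or the article, run over constructed Sysmon-style events; the event field names, file names and the TEMP path are all assumptions.

```python
import ntpath  # Windows path handling regardless of the host OS

TEMP_DIR = r"C:\Users\user\AppData\Local\Temp"  # assumed victim TEMP path

# Constructed sample telemetry (placeholder names, not real indicators):
# an executable side-loads an unsigned DLL from its own folder, spawns
# cmd.exe, creates a remote thread in it, and that cmd.exe then writes a
# text file into TEMP. The last event is benign noise from another process.
SAMPLE_EVENTS = [
    {"type": "image_load", "pid": 100, "signed": False,
     "image": r"C:\Users\user\Downloads\k7_suite_app.exe",
     "dll": r"C:\Users\user\Downloads\loader_placeholder.dll"},
    {"type": "process_create", "pid": 200, "ppid": 100,
     "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "create_remote_thread", "src_pid": 100, "target_pid": 200},
    {"type": "file_create", "pid": 200,
     "path": ntpath.join(TEMP_DIR, "creds_placeholder.txt")},
    {"type": "file_create", "pid": 300,
     "path": ntpath.join(TEMP_DIR, "installer.log")},
]


def _same_dir(a, b):
    return ntpath.dirname(a).lower() == ntpath.dirname(b).lower()


def detect_chain(events):
    """Return (rule, pid) alerts for the behaviours described in the article."""
    alerts = []
    new_cmd = set()        # pids of freshly spawned cmd.exe processes
    injected_cmd = set()   # those cmd.exe pids that received a remote thread
    for ev in events:
        t = ev["type"]
        if t == "image_load" and not ev["signed"] and _same_dir(ev["image"], ev["dll"]):
            # unsigned DLL loaded from the executable's own directory: side-loading
            alerts.append(("unsigned_dll_sideload", ev["pid"]))
        elif t == "process_create" and ev["image"].lower().endswith("\\cmd.exe"):
            new_cmd.add(ev["pid"])
        elif t == "create_remote_thread" and ev["target_pid"] in new_cmd \
                and ev["src_pid"] != ev["target_pid"]:
            # LODEINFO-style injection into a cmd.exe that was just spawned
            injected_cmd.add(ev["target_pid"])
            alerts.append(("remote_thread_into_new_cmd", ev["target_pid"]))
        elif t == "file_create" and ev["pid"] in injected_cmd \
                and ev["path"].lower().endswith(".txt") \
                and ntpath.dirname(ev["path"]).lower() == TEMP_DIR.lower():
            # the injected cmd.exe drops a text file in TEMP: credential staging
            alerts.append(("txt_staged_in_temp_by_injected_cmd", ev["pid"]))
    return alerts
```

The three rules are deliberately chained so that the TEMP file rule only fires for a cmd.exe that was itself the target of injection, which keeps ordinary installer noise in TEMP from alerting.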
APT10 was not especially careful in this campaign: it left MirrorStealer’s text file of harvested credentials on the compromised systems and failed to erase all traces of its activity. According to ESET’s analysis, the commands the operators sent to LODEINFO contained numerous mistakes, suggesting that the technical side of the operation was more improvised than one would expect from an APT group.