
MirrorFace

G1054 · China · MITRE ATT&CK

Also known as: Earth Kasha

Overview

MirrorFace is a People's Republic of China (PRC)-aligned cyberespionage actor believed to be a subgroup under the menuPass umbrella based on targeting, tools, and infrastructure overlaps. MirrorFace has been active since at least 2019, at first exclusively targeting Japanese organizations across the media, defense, diplomatic, financial, manufacturing, and academic sectors. Subsequent MirrorFace operations included targets in Central Europe and featured use of LODEINFO, HiddenFace, and UPPERCUT malware.

Capabilities

  • Exploitation of public-facing / client applications — ATT&CK T1190
  • Custom malware/implant development — ATT&CK: 8 attributed custom malware families

TTPs — 43 techniques across 12 tactics

Reconnaissance

Resource Development

Stealth

Defense Impairment

Credential Access

Lateral Movement

Command and Control

Tools & malware (16)

Net · Cobalt Strike · MirrorStealer · UPPERCUT · Nltest · BITSAdmin · Tasklist · ipconfig · LODEINFO · ROAMINGHOUSE · DOWNIISSA · nbtstat · HiddenFace · Ping · Wevtutil · NOOPLDR

Reporting (3)