Hackers target Japanese politicians with new MirrorStealer malware (Security News, December 2022)
A hacking group tracked as MirrorFace has been targeting Japanese politicians for weeks before the House of Councilors election in July 2022, using a previously undocumented credential stealer named 'MirrorStealer'.
The hackers deployed the new information-stealing malware along with the group's signature backdoor, LODEINFO, which communicated with a C2 server known to belong to APT10 infrastructure.
APT10 used LODEINFO to deploy MirrorStealer on compromised systems.
All stolen credentials are written to a .txt file in the TEMP directory, where they wait for LODEINFO to send them to the C2, since MirrorStealer has no data exfiltration capability of its own.
ESET's analysts observed LODEINFO relaying commands to load MirrorStealer into the memory of the breached system, injecting it into a newly spawned cmd process.
There are signs that the remote operator attempted to exfiltrate browser cookies using MirrorStealer, but reverted to using LODEINFO for this action, as the new info-stealer does not support this function.