MirrorFace invites Europe to Expo 2025 and revives ANEL backdoor

By Micha, June 25, 2025
Unveiling Operation AkaiRyū: Cyber Espionage by the MirrorFace APT Group

In August 2024, ESET researchers detected a cyberespionage campaign by MirrorFace, a China-aligned APT group, against a Central European diplomatic institute. The lure was the institute's involvement in Expo 2025 in Osaka, Japan. It is the first time ESET has seen MirrorFace go after a European entity; the group has historically concentrated on Japanese organizations. This article summarizes Operation AkaiRyū, the name ESET gave the campaign, and the refreshed tactics and tools MirrorFace used in it.

The Rise of MirrorFace: An APT Group Adaptation

Understanding MirrorFace’s Profile

MirrorFace, also tracked as Earth Kasha, has been active since at least 2019 and has until now concentrated almost exclusively on Japanese organizations. Its goal is espionage: exfiltrating sensitive data from media, defense, diplomatic and academic institutions. Its operation against a European target marks a broadening of that targeting.

Introduction of New Tactics and Tools

During Operation AkaiRyū, MirrorFace refreshed both its tooling and its tradecraft. Key findings include:

  • The revival of ANEL, a backdoor previously used exclusively by APT10 and thought to have fallen out of use, now deployed by MirrorFace as its first-stage implant.
  • A heavily customized variant of AsyncRAT, run inside Windows Sandbox so that its activity is isolated from security tools on the host.
  • Use of Visual Studio Code remote tunnels to obtain covert access to compromised machines and execute commands on them.
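
As an added example (not code from the original article or from ESET), the following Python script triages Windows Sandbox .wsb configuration files for the combination an attacker needs in order to stage a payload on the host and run it inside the sandbox: a writable host folder mapped into the sandbox, a LogonCommand that starts automatically, and networking left enabled. The .wsb elements it reads are the documented schema; the two sample configurations and every path in them are constructed for illustration.

```python
"""Triage Windows Sandbox (.wsb) configuration files.

A .wsb file is plain XML.  The elements checked here (Networking,
MappedFolders/MappedFolder/{HostFolder,SandboxFolder,ReadOnly} and
LogonCommand/Command) are the documented schema.  Added example; the
sample configurations below are constructed, not taken from the ESET report.
"""
import xml.etree.ElementTree as ET

# Where a mapped folder lands when SandboxFolder is omitted.
SANDBOX_DESKTOP = r"C:\Users\WDAGUtilityAccount\Desktop"

# Constructed sample: payload staged on the host, mapped writable into the
# sandbox, and launched automatically at logon.  Paths are hypothetical.
SUSPICIOUS_WSB = r"""<Configuration>
  <Networking>Enable</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\Users\Public\stage</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Desktop\stage</SandboxFolder>
      <ReadOnly>false</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>C:\Users\WDAGUtilityAccount\Desktop\stage\run.bat</Command>
  </LogonCommand>
</Configuration>"""

# Constructed sample: a typical analyst configuration, read-only and offline.
BENIGN_WSB = r"""<Configuration>
  <Networking>Disable</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\Samples</HostFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
</Configuration>"""


def _text(parent, path, default=""):
    """Text of the first element matching path, or default if absent."""
    node = parent.find(path)
    return (node.text or "").strip() if node is not None else default


def mapped_folders(root):
    """Yield (host_folder, sandbox_folder, read_only) for each mapping."""
    for mf in root.findall("MappedFolders/MappedFolder"):
        host = _text(mf, "HostFolder")
        sandbox = _text(mf, "SandboxFolder")
        if not sandbox:
            # An omitted SandboxFolder puts the folder on the sandbox desktop
            # under its own name.
            sandbox = SANDBOX_DESKTOP + "\\" + host.rstrip("\\").rsplit("\\", 1)[-1]
        read_only = _text(mf, "ReadOnly", "false").lower() == "true"
        yield host, sandbox, read_only


def triage_wsb(xml_text):
    """Return findings and a verdict: 'benign', 'review' or 'suspicious'."""
    root = ET.fromstring(xml_text)
    if root.tag != "Configuration":
        raise ValueError("not a Windows Sandbox configuration")

    networking = _text(root, "Networking", "Default").lower()
    logon_cmd = _text(root, "LogonCommand/Command")
    folders = list(mapped_folders(root))
    writable = [host for host, _, ro in folders if not ro]
    # Strongest signal: the autorun command points into a mapped folder, i.e.
    # the payload lives on the host but executes inside the sandbox.
    cmd_path = logon_cmd.strip('"').lower()
    autorun_from_mapped = bool(cmd_path) and any(
        cmd_path.startswith(sandbox.lower()) for _, sandbox, _ in folders)

    findings = []
    if logon_cmd:
        findings.append("LogonCommand runs automatically: " + logon_cmd)
    if writable:
        findings.append("writable host folders mapped into sandbox: " + ", ".join(writable))
    if networking != "disable":
        findings.append("networking not disabled (" + networking + ")")
    if autorun_from_mapped:
        findings.append("LogonCommand executes from a mapped host folder")

    if logon_cmd and (writable or autorun_from_mapped):
        verdict = "suspicious"
    elif findings:
        verdict = "review"
    else:
        verdict = "benign"
    return {"verdict": verdict, "findings": findings,
            "autorun_from_mapped_folder": autorun_from_mapped}


if __name__ == "__main__":
    for name, doc in (("suspicious", SUSPICIOUS_WSB), ("benign", BENIGN_WSB)):
        result = triage_wsb(doc)
        print(name, "->", result["verdict"])
        for finding in result["findings"]:
            print("   ", finding)
```

Run against .wsb files found on endpoints (or against the contents of the MappedFolders/LogonCommand elements logged when WindowsSandbox.exe is launched with a config file), the "suspicious" verdict identifies the staging pattern; anything with a LogonCommand at all deserves a look, since analysts rarely need one.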

Operation AkaiRyū: Targeting Diplomatic Entities

Attack Execution

The attack opened with carefully crafted spearphishing emails that lured recipients into opening malicious content, with Expo 2025 as the bait. This is how MirrorFace gained its first foothold in a Central European diplomatic institute.

In-depth Technical Analysis

The first email was benign and referenced a previous, legitimate interaction with a Japanese NGO, which lent credibility to what followed. The chain then delivered a malicious OneDrive link, through which two machines were compromised. Analysis of those machines revealed a multi-stage execution chain built from a malicious LNK file, cmd.exe, PowerShell commands and malicious Visual Basic for Applications (VBA) macros. The LNK file launched cmd.exe, which ran a sequence of commands that installed ANEL as the first-stage backdoor; the rest of MirrorFace's tooling was brought in through that foothold.

Post-Compromise Activities and Findings

Collaboration with the Affected Institute

ESET worked closely with the targeted institute on a forensic analysis of the affected machines, which yielded further insight into MirrorFace's operations. In particular, it allowed ESET to identify the post-compromise tools deployed, including HiddenFace, MirrorFace's flagship backdoor, and the customized AsyncRAT, used for persistence and stealth.

Emerging Threats: Utilizing VS Code Remote Tunnels

MirrorFace's use of Visual Studio Code's remote development features is an emerging threat. A remote tunnel gives the adversary covert, interactive access to a compromised system through legitimate, signed software and Microsoft's own tunnel infrastructure, so the traffic blends in with ordinary developer activity. Other APT groups have been observed doing the same, part of a broader trend of abusing legitimate applications for malicious purposes.
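
As an added example (not code from ESET or from the original article), the following Python hunts two behaviours from this campaign in Sysmon-style process-creation (Event ID 1) and DNS-query (Event ID 22) telemetry. The LNK-initiated chain appears in process telemetry as explorer.exe spawning cmd.exe, which spawns a hidden or encoded PowerShell (the LNK file itself is rarely visible, so the lineage is what is detectable). A Visual Studio Code remote tunnel is identified by a code.exe process started with the tunnel subcommand, or by DNS lookups of the tunnel service domains. The events are constructed, the base64 fragment after -enc is a placeholder, and the tunnel domain suffixes are the ones publicly documented for the service and should be confirmed against current Microsoft documentation before use.

```python
"""Hunt LNK-style launch chains and VS Code remote tunnel activity in
Sysmon-like telemetry.  Added example; all events below are constructed."""
import re

# Constructed events.  id 1 = process create, id 22 = DNS query.
EVENTS = [
    {"id": 1, "pid": 900, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    # A double-clicked LNK: explorer.exe runs the LNK target, here cmd.exe.
    {"id": 1, "pid": 1204, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c start /min powershell -w hidden -ep bypass -enc SQBFAFgAIAAo"},
    {"id": 1, "pid": 1310, "ppid": 1204,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -ep bypass -enc SQBFAFgAIAAo"},  # placeholder base64
    # Legitimate editor launch, for contrast.
    {"id": 1, "pid": 2001, "ppid": 900, "image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "cmdline": '"C:\\Program Files\\Microsoft VS Code\\Code.exe" --new-window'},
    # VS Code CLI dropped in a user-writable path and started as a tunnel.
    {"id": 1, "pid": 2410, "ppid": 1310, "image": r"C:\Users\Public\code.exe",
     "cmdline": "code.exe tunnel --accept-server-license-terms --name svc-backup"},
    {"id": 22, "pid": 2410, "query": "global.rel.tunnels.api.visualstudio.com"},
    {"id": 22, "pid": 2001, "query": "update.code.visualstudio.com"},
]

# Encoded command (-e/-ec/-en/-enc/-EncodedCommand) or hidden window.
ENCODED_OR_HIDDEN = re.compile(
    r"(?i)\s-(?:e|ec|en|enc|encodedcommand)\s|\s-w(?:indowstyle)?\s+hidden\b")
TUNNEL_ARG = re.compile(r"(?i)(?:^|\s)tunnel(?:\s|$)")
VSCODE_CLI = ("code.exe", "code-insiders.exe")
# Assumed tunnel service suffixes; confirm against current Microsoft docs.
TUNNEL_DOMAIN_SUFFIXES = (".tunnels.api.visualstudio.com", ".devtunnels.ms")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def process_table(events):
    return {e["pid"]: e for e in events if e["id"] == 1}


def ancestry(procs, pid):
    """Image names from pid up to the root, e.g. ['powershell.exe', 'cmd.exe', 'explorer.exe']."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain


def find_lnk_style_chains(events):
    """PIDs of hidden/encoded PowerShell whose lineage is cmd.exe under explorer.exe."""
    procs = process_table(events)
    return [pid for pid, e in procs.items()
            if ancestry(procs, pid)[:3] == ["powershell.exe", "cmd.exe", "explorer.exe"]
            and ENCODED_OR_HIDDEN.search(e["cmdline"])]


def find_vscode_tunnels(events):
    """Process and DNS indicators of a VS Code remote tunnel, with lineage for triage."""
    procs = process_table(events)
    hits = []
    for e in events:
        if e["id"] == 1:
            cli_by_name = basename(e["image"]) in VSCODE_CLI and TUNNEL_ARG.search(e["cmdline"])
            # A renamed CLI still needs this flag to start a tunnel unattended.
            cli_by_flag = "--accept-server-license-terms" in e["cmdline"]
            if cli_by_name or cli_by_flag:
                hits.append({"kind": "process", "pid": e["pid"], "cmdline": e["cmdline"],
                             "ancestry": ancestry(procs, e["pid"])})
        elif e["id"] == 22 and e["query"].lower().endswith(TUNNEL_DOMAIN_SUFFIXES):
            hits.append({"kind": "dns", "pid": e["pid"], "query": e["query"]})
    return hits


if __name__ == "__main__":
    print("LNK-style chains:", find_lnk_style_chains(EVENTS))
    for hit in find_vscode_tunnels(EVENTS):
        print("tunnel indicator:", hit)
```

In production the chain check belongs in a Sigma or EDR rule on parent/child relationships, and legitimate developers do run code tunnel, so a process hit on its own is a lead to correlate against the user, the host and the expected tooling. What is worth escalating is the shape in the constructed data: a tunnel started by a PowerShell that is itself a descendant of cmd.exe under explorer.exe, from a binary outside the normal install path.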

Conclusion and Future Implications

Operation AkaiRyū shows how an established APT group adapts. MirrorFace kept its espionage mission but changed its tooling, reviving ANEL, customizing AsyncRAT, and abusing Windows Sandbox and Visual Studio Code remote tunnels, and for the first time reached beyond Japan to a European target. Organizations outside the group's historical focus should treat these techniques as relevant to them. The case also shows the value of cooperation between researchers and the affected organization: the forensic analysis that revealed the full toolset depended on it.

Frequently Asked Questions (FAQ)

Question 1: What is Operation AkaiRyū?

Operation AkaiRyū is the name ESET gave to a cyberespionage campaign by the MirrorFace APT group that targeted a Central European diplomatic institute in 2024, using the institute's involvement in Expo 2025 in Osaka, Japan, as the lure.

Question 2: What tools does MirrorFace use?

In this campaign MirrorFace used ANEL as its first-stage backdoor, HiddenFace and a heavily customized AsyncRAT as post-compromise tools, and Visual Studio Code remote tunnels for covert access. The AsyncRAT variant was run inside Windows Sandbox to keep its activity out of sight of security tools on the host.

Question 3: How can organizations protect themselves against MirrorFace and similar APTs?

Organizations should keep software patched, train staff to recognize spearphishing (including multi-step approaches that open with a benign message), and deploy endpoint detection and response. Given the techniques seen here, they should also monitor, or restrict, the use of Windows Sandbox and Visual Studio Code remote tunnels on hosts that have no business need for them: both are legitimate, signed features that endpoint tooling will not flag on its own.

Read the original article
