{
  "name": "MirrorFace Attack against Japanese Organisations",
  "slug": "mirrorface-attack-against-japanese-organisations",
  "description": "The report provides in-depth details about the malware used by the threat actor MirrorFace in targeted attacks against Japanese organizations. It describes the NOOPDOOR malware's execution flow, obfuscation techniques, and functionality, as well as the tactics, techniques, and procedures (TTPs) employed by the attackers. The report covers initial access vectors, lateral movement, credential access, defense evasion techniques, and data exfiltration methods. The analysis is intended to aid in detecting and mitigating these types of attacks.",
  "published": "2024-08-02T06:41:12+00:00",
  "created_at": "2024-08-02T06:41:12+00:00",
  "modified_at": "2024-08-02T07:03:21+00:00",
  "created_at_opencti": "2024-08-02T06:41:12+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-08-02",
    "apt",
    "lodeinfo",
    "malware",
    "noopdoor",
    "ttp"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "89.233.109.69"
      },
      {
        "id": "",
        "name": "64.176.214.51"
      },
      {
        "id": "",
        "name": "45.77.12.212"
      },
      {
        "id": "",
        "name": "207.148.97.235"
      },
      {
        "id": "",
        "name": "45.66.217.106"
      },
      {
        "id": "",
        "name": "207.148.103.42"
      },
      {
        "id": "",
        "name": "108.160.130.45"
      },
      {
        "id": "",
        "name": "168.100.8.103"
      },
      {
        "id": "",
        "name": "95.85.91.15"
      },
      {
        "id": "",
        "name": "45.77.183.161"
      },
      {
        "id": "",
        "name": "45.76.222.130"
      },
      {
        "id": "",
        "name": "https://blog.itochuci.co.jp/entry/2024/01/24/134047"
      },
      {
        "id": "",
        "name": "blog.itochuci.co.jp"
      },
      {
        "id": "",
        "name": "2a12:a300:3700::5d9f:b451"
      },
      {
        "id": "",
        "name": "2a12:a300:3600::31b5:2e02"
      },
      {
        "id": "",
        "name": "2400:8902::f03c:93ff:fe8a:5327"
      },
      {
        "id": "",
        "name": "2001:19f0:7001:2ae2:5400:4ff:fe0a:5566"
      },
      {
        "id": "",
        "name": "bcd34d436cbac235b56ee5b7273baed62bf385ee13721c7fdcfc00af9ed63997"
      },
      {
        "id": "",
        "name": "b07c7dfb3617cd40edc1ab309a68489a3aa4aa1e8fd486d047c155c952dc509e"
      },
      {
        "id": "",
        "name": "9590646b32fec3aafd6c648f69ca9857fb4be2adfabf3bcaf321c8cd25ba7b83"
      },
      {
        "id": "",
        "name": "93af6afb47f4c42bc0da3eedc6ecb9054134f4a47ef0add0d285404984011072"
      },
      {
        "id": "",
        "name": "7a7e7e0d817042e54129697947dfb423b607692f4457163b5c62ffea69a8108d"
      },
      {
        "id": "",
        "name": "572f6b98cc133b2d0c8a4fd8ff9d14ae36cdaa119086a5d56079354e49d2a7ce"
      },
      {
        "id": "",
        "name": "5e7cd0461817b390cf05a7c874e017e9f44eef41e053da99b479a4dfa3a04512"
      },
      {
        "id": "",
        "name": "4f932d6e21fdd0072aba61203c7319693e490adbd9e93a49b0fe870d4d0aed71"
      },
      {
        "id": "",
        "name": "0d59734bdb0e6f4fe6a44312a2d55145e98b00f75a148394b2e4b86436c32f4c"
      },
      {
        "id": "",
        "name": "43349c97b59d8ba8e1147f911797220b1b7b87609fe4aaa7f1dbacc2c27b361d"
      }
    ],
    "malware": [
      {
        "id": "cf459c4c-ff1e-41e4-9757-b0feecbeec62",
        "name": "NOOPDOOR",
        "slug": "noopdoor"
      },
      {
        "id": "legacy:malware:3cad21d47e096b71",
        "name": "LODEINFO",
        "slug": "lodeinfo"
      }
    ],
    "intrusion_sets": [
      {
        "id": "f4e1963d-dc5c-414d-9dc5-10aea21425b3",
        "name": "MirrorFace",
        "slug": "mirrorface"
      }
    ],
    "attack_patterns": [
      {
        "id": "6bbf9c38-fb41-4198-b363-2d402b3e43a3",
        "name": "T1134.002"
      },
      {
        "id": "f92393c4-4cf8-49ad-8bce-c7b907ba23ce",
        "name": "T1127.001"
      },
      {
        "id": "6c31e3ae-7a24-4c3b-8a2a-f769c351a2af",
        "name": "T1568.002"
      },
      {
        "id": "7e5fbc10-b908-4ce8-8ba8-9fd70790c6ae",
        "name": "T1562.004"
      },
      {
        "id": "5d2af906-6187-4702-ab9f-590fbe5b1ca3",
        "name": "T1021.002"
      },
      {
        "id": "a1de6d30-7fd6-4352-8f6c-d9904347f33f",
        "name": "T1039"
      },
      {
        "id": "b15c00da-c412-4429-900c-659de612baf5",
        "name": "T1543.003"
      },
      {
        "id": "da44e22e-1925-42e4-b30d-ac38860d39bb",
        "name": "T1070.001"
      },
      {
        "id": "40f0d8e3-bcd7-4b97-a958-f55815698fc5",
        "name": "T1053.005"
      },
      {
        "id": "1584b551-72fb-4f60-ba7a-bdac106e6f9b",
        "name": "T1560.001"
      },
      {
        "id": "6efb8bea-11d7-418d-a429-9f4a3e6c50f6",
        "name": "T1087"
      },
      {
        "id": "3ccbe4bd-0466-4cbc-9645-5082016edc19",
        "name": "T1070.006"
      },
      {
        "id": "eaff4611-3c78-4127-8745-726f77ed68ba",
        "name": "T1070.004"
      },
      {
        "id": "7364ca96-72bf-4b7f-afef-ce2583b1ed58",
        "name": "T1562.001"
      },
      {
        "id": "b9a3b4f8-b9c0-4ed8-bf5e-bf759b9804d6",
        "name": "T1564"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "09124a92-c11f-4571-b35b-ab0bce6dd081",
        "name": "T1112"
      },
      {
        "id": "b9eab970-53dd-4977-9a26-c4fe566e422d",
        "name": "T1133"
      },
      {
        "id": "74d6e294-54d1-4a21-9dfc-df5870f8ec8e",
        "name": "T1003"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2022-1388"
      }
    ]
  },
  "external_refs": [
    "https://blogs.jpcert.or.jp/en/2024/07/mirrorface-attack-against-japanese-organisations.html",
    "https://otx.alienvault.com/pulse/66ac9ba81220e9a190ea137f"
  ]
}