Dec 16, 2022 16:00:00

It turns out that a hacker group using Chinese launched a phishing attack on lawmakers aiming for the upper house election in Japan, is the Liberal Democratic Party the target?

In conjunction with the July 2022 Japanese House of Councilors election, a hacker group called ' MirrorFace ' launched a phishing email campaign targeting Japanese politicians. researchers reported. MirrorFace is a hacker group that targets Japanese companies and organizations and is known to speak Chinese.

Unmasking MirrorFace: Operation LiberalFace targeting Japanese political entities | WeLiveSecurity

https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/

Hackers target Japanese politicians with new MirrorStealer malware
https://www.bleepingcomputer.com/news/security/hackers-target-japanese-politicians-with-new-mirrorstealer-malware/

Chinese MirrorFace APT group targets Japanese political entitiesSecurity Affairs
https://securityaffairs.co/wordpress/139698/apt/mirrorface-apt-group-targets-japan.html

A hacker group that ESET calls with the codename MirrorFace uses Chinese and is active for the purpose of leaking data from media, defense-related companies, think tanks, diplomatic agencies, academic institutions, etc. in Japan. A feature of MirrorFace is that it has its own malware called 'LODEINFO' that is used only for targets in Japan. Although there is speculation that MirrorFace is related to a hacker group called 'APT10' by Kaspersky and others, ESET is tracking it as an independent group, as there is no evidence that MirrorFace belongs to a known hacker group. About.

ESET researchers report that such MirrorFace deployed a phishing email campaign called `` Operation Liberal Face '' on June 29, 2022, just before the House of Councilors election was held. According to ESET, MirrorFace pretended to be the public relations department of a ``specific political party in Japan'' and sent an email to politicians calling on them to post videos for election bulletins on SNS. This email contained a malicious attachment that deployed LODEINFO to the machine when run.

The original text of the phishing email released by ESET is as follows. Instead of the suspicious Japanese that you might associate with ``phishing emails from China,'' ``the party's PR has created a video for SNS by We are widely promoting the party through official party accounts, TV commercials, and web advertisements.Therefore, in order to further strengthen the party's PR, we would like to ask not only each candidate but also the members of each level of the prefectural federation. Even if you are here, please be sure to post ○○ SNS videos on your own SNS and spread them widely to voters.I would like to ask for everyone's cooperation toward winning the House of Councilors election.” It is written in indistinguishable sentences.

Regarding Operation Liberal Face, ESET said, ``Since the House of Councilors election was held on July 10, 2022, this email clearly shows that MirrorFace was targeting an opportunity to attack a political group. 'From the specific content of the emails, we can see that they are targeting members of a particular political party.'

If you look closely at the text of the email, you can see that the title of the PR video is 'Decision and execution. Protecting your life.' You can also check phrases such as “

Decision and action. Protect your life. ” is the slogan that the LDP put up in the House of Councilors election. I can see that.

decision and execution. Protect your life
We, the Liberal Democratic Party, will definitely protect your lives.

Please take a look at Governor Fumio Kishida's determination. # Fumio Kishida # House of Councilors election 2022 pic.twitter.com/XCBcOoJRQR

— Liberal Democratic Party PR (@jimin_koho) June 21, 2022

According to ESET, executing a phishing email attachment deploys LODEINFO to the compromised machine, and LODEINFO deploys a new malware called 'MirrorStealer' to the system. MirrorStealer is a newly reported credential stealer that steals credentials from various applications, including web browsers and email clients. MirrorFace is also reported to have stolen other documents and emails through LODEINFO.

It is worth noting that the e-mail clients targeted by MirrorStealer include ' Becky! ', an e-mail client mainly used in Japan. In addition, some of the files stolen by MirrorFace had the extension '.jtd'. This extension points to the document of the Japanese word processor ' Ichitaro ', and from these points it is speculated that MirrorFace is specialized for Japanese targets.

In Operation Liberal Face, MirrorFace tried to remove traces of compromise but failed, and some logs were left on the compromised machine. We also see typos in several LODEINFO commands, suggesting that the attack was manual or semi-manual. ``Our investigation revealed that the MirrorFace operators were somewhat careless, leaving traces and making various mistakes,'' ESET said.