A few weeks before the July 2022 elections to the Japanese House of Councillors, the MirrorFace group attacked Japanese politicians using a previously undocumented credential stealer, MirrorStealer.
According to an ESET report, the attackers deployed the new MirrorStealer alongside the LODEINFO backdoor, which communicated with a C&C server attributed to the APT10 group.
LODEINFO had previously been used in attacks against Japanese politicians and civil servants, as reported by Kaspersky Lab. In that campaign the attackers impersonated the Japanese Ministry with a decoy document that silently extracted a WinRAR archive in the background. The archive contained an encrypted copy of the LODEINFO malware, a malicious DLL loader, and a legitimate anti-virus program (K7Security Suite).
The Chinese APT group MirrorFace (also tracked as APT10 and Cicada) began sending phishing emails to its targets on June 29, 2022, posing as PR agents of the recipient's political party and asking them to post the attached video files on social media.
APT10 used LODEINFO to deploy MirrorStealer ('31558_n.dll') on compromised systems. MirrorStealer targets credentials stored in browsers and email clients, including Becky!, an email client popular in Japan, which suggests that MirrorStealer was designed specifically for campaigns targeting Japan.
All stolen credentials are written to a text file in the TEMP directory and then exfiltrated to the C&C server by the LODEINFO backdoor, since MirrorStealer has no exfiltration capability of its own.
LODEINFO also acts as a bridge between the C&C server and MirrorStealer, relaying commands to it. On command from the C&C server, LODEINFO loads MirrorStealer into the compromised system's memory, injects it into a newly created "cmd.exe" process, and launches it.
The APT10 operators were detected because they did not remove all traces of their activity from the compromised computers: they left behind the MirrorStealer text file containing the collected credentials.
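The behaviour described above (a process spawns cmd.exe, injects into it, and the injected cmd.exe then writes a text file into the user's TEMP directory) is a chain a defender can correlate from ordinary endpoint telemetry. The following is an added example, not code from ESET or from the report; the event shape (Sysmon-like fields), the process names, PIDs and paths are all constructed for illustration, and the 30-second window between cmd.exe creation and injection is an assumption, not a documented LODEINFO timing.

```python
"""Correlate constructed endpoint events into the chain described above:
process_create(cmd.exe) -> remote_thread into that cmd.exe -> file_create of a
.txt file under %TEMP% by the injected cmd.exe.

Event shapes, images, PIDs, paths and the time window are constructed for this
example; they are not indicators taken from the ESET report.
"""

# Constructed sample telemetry. Field names loosely follow Sysmon (assumption).
SAMPLE_EVENTS = [
    {"t": 100, "type": "process_create", "pid": 500, "ppid": 1,
     "image": r"C:\Windows\explorer.exe"},
    # hypothetical implant process; the path is invented for the example
    {"t": 101, "type": "process_create", "pid": 620, "ppid": 500,
     "image": r"C:\Users\u\AppData\Local\svc\host.exe"},
    {"t": 105, "type": "process_create", "pid": 700, "ppid": 620,
     "image": r"C:\Windows\System32\cmd.exe"},
    {"t": 106, "type": "remote_thread", "source_pid": 620, "target_pid": 700},
    {"t": 130, "type": "file_create", "pid": 700,
     "path": r"C:\Users\u\AppData\Local\Temp\out.txt"},
    # Benign control: a user opens cmd.exe from explorer and writes a temp
    # file, but nothing injects into that cmd.exe, so it must not alert.
    {"t": 200, "type": "process_create", "pid": 800, "ppid": 500,
     "image": r"C:\Windows\System32\cmd.exe"},
    {"t": 210, "type": "file_create", "pid": 800,
     "path": r"C:\Users\u\AppData\Local\Temp\notes.txt"},
]

TEMP_MARKER = "\\appdata\\local\\temp\\"  # matched case-insensitively
INJECT_WINDOW = 30  # seconds; assumed, not from the report


def is_cmd(image):
    return image.lower().endswith("\\cmd.exe")


def in_temp(path):
    return TEMP_MARKER in path.lower()


def correlate(events):
    """Return one finding per injected cmd.exe that later writes a .txt file
    under %TEMP%. Each finding names the injecting process, the cmd.exe PID and
    the artifact path, so the responder can collect the file (as the text file
    left behind in this campaign was) instead of deleting it."""
    procs = {}     # pid -> process_create event
    injected = {}  # cmd.exe pid -> pid of the process that injected into it
    findings = []
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["type"] == "process_create":
            procs[ev["pid"]] = ev
        elif ev["type"] == "remote_thread":
            tgt = procs.get(ev["target_pid"])
            # Only a freshly created cmd.exe counts: the page describes the
            # stealer being injected into a cmd.exe created for that purpose.
            if tgt and is_cmd(tgt["image"]) and ev["t"] - tgt["t"] <= INJECT_WINDOW:
                injected[ev["target_pid"]] = ev["source_pid"]
        elif ev["type"] == "file_create":
            src = injected.get(ev["pid"])
            path = ev["path"]
            if src is not None and in_temp(path) and path.lower().endswith(".txt"):
                findings.append({
                    "injector_pid": src,
                    "injector_image": procs.get(src, {}).get("image", "<unknown>"),
                    "cmd_pid": ev["pid"],
                    "artifact": path,
                })
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"injected cmd.exe pid={f['cmd_pid']} by {f['injector_image']} "
              f"(pid {f['injector_pid']}) wrote {f['artifact']}")
```

The benign control events show why the correlation matters: a cmd.exe writing a text file to TEMP is routine, and only the injection step ties it to the loader-then-stealer sequence. On real telemetry the same logic would be fed by process creation, CreateRemoteThread and file creation events rather than the constructed list.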
In addition, ESET analysts noticed that on several occasions the attackers sent LODEINFO commands containing errors, indicating that the commands are sometimes entered manually by an operator.