Tuesday, November 12, 2024
HomeCVE/vulnerabilityMirrorFace Attacking Organizations Exploiting Vulnerabilities In Internet-Facing Assets

MirrorFace Attacking Organizations Exploiting Vulnerabilities In Internet-Facing Assets

Published on

Malware protection

MirrorFace threat actors have been targeting media, political organizations, and academic institutions since 2022, shifting focus to manufacturers and research institutions in 2023. 

The attack method evolved from spear phishing to exploiting vulnerabilities in external assets, specifically in Array AG and FortiGate products, while the actors deploy NOOPDOOR malware and use various tools to exfiltrate data, including file listing and content review, after gaining network access. 

MirrorFace attack activities timeline

NOOPDOOR, a shellcode, injects itself into legitimate applications through two methods, where Type1 utilizes an XML file containing obfuscated C# code, which is compiled using MSBuild and executed by NOOPLDR.

- Advertisement - SIEM as a Service
NOOPDOOR launched by an XML file (Type1)

Type2 employs a DLL file, loading NOOPLDR into a legitimate application via DLL side-loading. Both types retrieve encrypted data from specific files or registry entries, decrypt using AES-CBC based on system information, and inject the code into a target application. 

NOOPDOOR launched by a DLL file (Type2)

After the code has been executed, it is encrypted and then saved in a specific registry location so that it can be used during subsequent operations.

Are you from SOC/DFIR Teams? - Sign up for a free ANY.RUN account! to Analyse Advanced Malware Files

NOOPLDR Samples Exhibit Diverse Characteristics:

NOOPLDR samples manifest in XML and DLL formats, leveraging various Windows processes for injection. XML-based NOOPLDRs primarily use legitimate services for execution and store encrypted payloads in specific registry locations. 

DLL variants exhibit more complex behaviors, including service installation and potential hiding, employing registry keys for payload storage. 

According to JPCERT/CC, some samples utilize `wuauclt.exe` for both XML and DLL injection, while others rely on processes like `lsass.exe`, `svchost.exe`, and `vdsldr.exe`. 

Type 2 employs Control Flow Flattening (CFF) to obfuscate its code, making analysis difficult. While tools like D810 can partially deobfuscate CFF, JPCERT/CC offers a dedicated Python script (Deob_NOOPLDR.py) on GitHub for further deobfuscation. 

CFF obfuscated function (Left) and deobfuscated function (Right)

It can communicate over port 443 using a Domain Generation Algorithm (DGA) and receive commands via port 47000.

Beyond standard malware actions like file transfer and execution, NOOPDOOR can manipulate file timestamps, potentially hindering forensic investigations. 

Threat actors are actively trying to get Windows network credentials by looking for them in the memory dumps of processes that are running Lsass, the NTDS.dit database for the domain controller, and sensitive registry hives (SYSTEM, SAM, SECURITY) that allow access to the SAM database. 

sample event log 

The activities, indicative of credential theft, may be detectable through security solutions like Microsoft Defender and EDR products, while access to NTDS.dit is explicitly logged and analyzed by external resources. 

Attackers leveraged Windows network admin privileges to spread malware via SMB and scheduled tasks, targeting file servers, AD, and anti-virus management servers, which were logged as Event IDs 4698 and 5145. 

Post-intrusion, attackers conducted reconnaissance using uncommon commands like auditpol, bitsadmin, and dfsutil by exfiltrating data using WinRAR and SFTP after enumerating files with dir /s and commands targeting OneDrive, Teams, IIS, and other locations.

“Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!”- Free Demo

Latest articles

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS...

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting...