Chinese Hackers Deploy Dormant ANEL Backdoor in Fresh Assault on Japanese Targets

MirrorFace, a Chinese threat actor, has launched a new spear-phishing campaign targeting Japanese entities since June 2024. The campaign delivers two backdoors: NOOPDOOR (HiddenFace) and ANEL (UPPERCUT).

Key Points:

– ANEL backdoor has resurfaced after being dormant since 2018

– MirrorFace (Earth Kasha) is a sub-group of APT10

– Campaign shifted from exploiting edge device vulnerabilities to spear-phishing

– Attacks focus on individuals rather than enterprises

– Target topics relate to Japan’s national security and international relations

Attack Method:

1. Emails containing Microsoft OneDrive links, sent from free or compromised email accounts

2. ZIP archives disguised as interview requests or economic security documents

3. Three infection vectors, each using the ROAMINGMOUSE dropper:

– Macro-enabled Word documents

– Windows shortcut (LNK) bundled with a self-extracting archive

– Windows shortcut (LNK) that runs a PowerShell script
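The three lure shapes listed above (macro-enabled Word document, shortcut carrying a self-extracting archive, shortcut invoking PowerShell) are all delivered inside a ZIP archive, which makes archive triage a natural place for a mail-gateway or endpoint check. The following is an added example written for this summary, not code from the original report or from any vendor; it flags archive members by extension and by two simple heuristics on LNK contents (a `powershell` string in the shortcut's UTF-16 fields, or an `MZ` header appended past the 76-byte LNK header, which I assume indicates an embedded executable). The sample archive is constructed inline and is not a real campaign artifact.

```python
import io
import zipfile
from typing import List, Optional, Tuple

# File types the summary above associates with the ROAMINGMOUSE lures
MACRO_DOC_EXTS = (".docm", ".dotm", ".xlsm")
SHORTCUT_EXT = ".lnk"
LNK_HEADER_LEN = 76  # fixed ShellLinkHeader size in the Windows LNK format


def classify_entry(name: str, data: bytes) -> Optional[str]:
    """Return a finding label for one archive member, or None if nothing is flagged."""
    lower = name.lower()
    if lower.endswith(MACRO_DOC_EXTS):
        return "macro-enabled Office document"
    if lower.endswith(SHORTCUT_EXT):
        # LNK string fields are UTF-16LE; decode both ways so either encoding is caught
        haystack = (data.decode("utf-16-le", errors="ignore")
                    + data.decode("latin-1", errors="ignore")).lower()
        if "powershell" in haystack:
            return "shortcut invoking PowerShell"
        # Heuristic (assumption): a PE image after the LNK header suggests an appended SFX payload
        if b"MZ" in data[LNK_HEADER_LEN:]:
            return "shortcut with appended executable payload"
        return "shortcut (unclassified)"
    return None


def triage_zip(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Walk every file member of a ZIP held in memory and collect (name, label) findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            label = classify_entry(info.filename, zf.read(info))
            if label:
                findings.append((info.filename, label))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample ZIP imitating the three lure shapes (placeholder bytes, not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("interview_request.docm", b"constructed placeholder, not a real document")
        # Fake LNK: 4-byte size field 'L\0\0\0', zero-padded header, then a UTF-16LE command line
        fake_ps_lnk = b"L\x00\x00\x00" + b"\x00" * 72 + "powershell -ep bypass".encode("utf-16-le")
        zf.writestr("economic_security.pdf.lnk", fake_ps_lnk)
        # Fake LNK with an 'MZ' marker appended after the header, standing in for an SFX payload
        fake_sfx_lnk = b"L\x00\x00\x00" + b"\x00" * 72 + b"MZ" + b"\x00" * 16
        zf.writestr("attachment.lnk", fake_sfx_lnk)
        zf.writestr("readme.txt", b"plain text, nothing to flag")
    return buf.getvalue()


if __name__ == "__main__":
    for name, label in triage_zip(build_sample_archive()):
        print(f"{name}: {label}")
```

Run as-is it prints one line per flagged member of the constructed archive; pointed at a real quarantined ZIP, `triage_zip(open(path, "rb").read())` gives the same list. The double-extension shortcut (`.pdf.lnk`) is caught by the `.lnk` suffix check regardless of the decoy extension in front of it.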

Malware Capabilities:

– ANEL: Screenshots, file operations, command execution

– New ANEL feature: command execution with elevated privileges

– NOOPDOOR: deployed against high-value targets

Security Recommendation:

Users should avoid opening suspicious email attachments and maintain basic security hygiene, since individual targets typically have fewer security controls in place than enterprises.
