Key Points:
– ANEL backdoor has resurfaced after being dormant since 2018
– MirrorFace (also tracked as Earth Kasha) is a sub-group of APT10
– Campaign shifted from exploiting edge device vulnerabilities to spear-phishing
– Attacks focus on individuals rather than enterprises
– Target topics relate to Japan’s national security and international relations
Attack Method:
1. Emails sent from free or compromised accounts containing Microsoft OneDrive links
2. ZIP archives disguised as interview requests or economic security documents
3. Three infection vectors, each delivering the ROAMINGMOUSE dropper:
   – Macro-enabled Word documents
   – Windows shortcut (.lnk) that launches a self-extracting archive
   – Windows shortcut (.lnk) that runs a PowerShell script
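The attachment patterns listed above (a ZIP lure containing a macro-enabled document, or a Windows shortcut that drives a self-extracting archive or PowerShell script) can be screened at the mail gateway or on the endpoint before anyone opens them. The following triage script is an added example, not code from the report or from the researchers who published it: it inspects ZIP members for macro-enabled Office extensions, identifies Windows shortcuts by their Shell Link header rather than by name, and flags document-looking names that mask a non-document payload. The sample archive is constructed inline and has no connection to the campaign.

```python
"""Triage a ZIP attachment for the lure patterns described above.

Checks performed on each archive member:
  * macro-enabled Office document by extension (.docm, .xlsm, ...)
  * Windows shortcut by its Shell Link header, regardless of file name
  * executable / self-extracting or script payload by extension
  * double extension such as "report.pdf.lnk" masking a non-document payload

The archive built by build_sample_zip() is constructed for this example.
"""
import io
import zipfile
from pathlib import PurePosixPath

# Shell Link header: HeaderSize 0x0000004C followed by the ShellLink CLSID
# 00021401-0000-0000-C000-000000000046 (little-endian GUID layout).
LNK_MAGIC = bytes.fromhex("4C000000011402000000000000C000000000000046")

MACRO_EXT = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}
EXEC_EXT = {".exe", ".scr", ".com", ".pif"}   # self-extracting archives are PE files
SCRIPT_EXT = {".ps1", ".bat", ".cmd", ".vbs", ".js", ".hta"}
DOC_EXT = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt"}


def triage_zip(data: bytes) -> list[tuple[str, str]]:
    """Return (member name, reason) pairs for members that warrant a closer look."""
    findings: list[tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
            ext = suffixes[-1] if suffixes else ""

            # Identify shortcuts by content so a renamed .lnk is still caught.
            with zf.open(info) as member:
                head = member.read(len(LNK_MAGIC))
            if head.startswith(LNK_MAGIC):
                findings.append((name, "Windows shortcut (Shell Link header)"))
            elif ext == ".lnk":
                findings.append((name, ".lnk extension without Shell Link header"))

            if ext in MACRO_EXT:
                findings.append((name, "macro-enabled Office document"))
            if ext in EXEC_EXT:
                findings.append((name, "executable / self-extracting archive"))
            if ext in SCRIPT_EXT:
                findings.append((name, "script payload"))

            # "Economic_Security_Report.pdf.lnk": document extension in front of a
            # non-document one is a classic disguise.
            if len(suffixes) >= 2 and suffixes[-2] in DOC_EXT and ext not in DOC_EXT:
                findings.append((name, "document extension masking a non-document payload"))
    return findings


def is_suspicious(data: bytes) -> bool:
    """Convenience wrapper for a gateway-style accept/quarantine decision."""
    return bool(triage_zip(data))


def build_sample_zip() -> bytes:
    """Constructed sample lure archive (not real campaign material)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("interview_request.docm", b"PK\x03\x04 placeholder docm bytes")
        # A shortcut disguised as a PDF: real header, constructed padding.
        zf.writestr("Economic_Security_Report.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("readme.txt", b"Please see the attached documents.")
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Constructed archive with nothing to flag, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("agenda.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("notes.txt", b"nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in triage_zip(build_sample_zip()):
        print(f"{member}: {reason}")
    print("benign archive suspicious:", is_suspicious(build_benign_zip()))
```

Matching on the Shell Link header rather than the `.lnk` extension matters because Windows Explorer hides the `.lnk` suffix by default, so a file named `Report.pdf.lnk` is displayed as `Report.pdf`; the content check catches it whatever it is called.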
Malware Capabilities:
– ANEL: screenshot capture, file operations, command execution
– New ANEL feature: command execution with elevated privileges
– NOOPDOOR: a second backdoor additionally deployed against high-value targets
Security Recommendation:
Recipients should avoid opening suspicious email attachments and keep basic security measures in place, since individual targets typically have fewer security controls than enterprises.