MirrorFace Attacking Organizations Exploiting Vulnerabilities In Internet-Facing Assets

MirrorFace threat actors have been targeting media, political organizations, and academic institutions since 2022, shifting focus to manufacturers and research institutions in 2023. 

The attack method evolved from spear phishing to exploiting vulnerabilities in external assets, specifically in Array AG and FortiGate products, while the actors deploy NOOPDOOR malware and use various tools to exfiltrate data, including file listing and content review, after gaining network access. 

MirrorFace attack activities timeline

NOOPDOOR, a shellcode, injects itself into legitimate applications through two methods, where Type1 utilizes an XML file containing obfuscated C# code, which is compiled using MSBuild and executed by NOOPLDR.

NOOPDOOR launched by an XML file (Type1)

Type2 employs a DLL file, loading NOOPLDR into a legitimate application via DLL side-loading. Both types retrieve encrypted data from specific files or registry entries, decrypt using AES-CBC based on system information, and inject the code into a target application. 

NOOPDOOR launched by a DLL file (Type2)

After the code has been executed, it is encrypted and then saved in a specific registry location so that it can be used during subsequent operations.

Are you from SOC/DFIR Teams? - Sign up for a free ANY.RUN account! to Analyse Advanced Malware Files

NOOPLDR Samples Exhibit Diverse Characteristics:

NOOPLDR samples manifest in XML and DLL formats, leveraging various Windows processes for injection. XML-based NOOPLDRs primarily use legitimate services for execution and store encrypted payloads in specific registry locations. 

DLL variants exhibit more complex behaviors, including service installation and potential hiding, employing registry keys for payload storage. 

According to JPCERT/CC, some samples utilize `wuauclt.exe` for both XML and DLL injection, while others rely on processes like `lsass.exe`, `svchost.exe`, and `vdsldr.exe`. 

Type 2 employs Control Flow Flattening (CFF) to obfuscate its code, making analysis difficult. While tools like D810 can partially deobfuscate CFF, JPCERT/CC offers a dedicated Python script (Deob_NOOPLDR.py) on GitHub for further deobfuscation. 

CFF obfuscated function (Left) and deobfuscated function (Right)

It can communicate over port 443 using a Domain Generation Algorithm (DGA) and receive commands via port 47000.

Beyond standard malware actions like file transfer and execution, NOOPDOOR can manipulate file timestamps, potentially hindering forensic investigations

Threat actors are actively trying to get Windows network credentials by looking for them in the memory dumps of processes that are running Lsass, the NTDS.dit database for the domain controller, and sensitive registry hives (SYSTEM, SAM, SECURITY) that allow access to the SAM database. 

sample event log

The activities, indicative of credential theft, may be detectable through security solutions like Microsoft Defender and EDR products, while access to NTDS.dit is explicitly logged and analyzed by external resources. 

Attackers leveraged Windows network admin privileges to spread malware via SMB and scheduled tasks, targeting file servers, AD, and anti-virus management servers, which were logged as Event IDs 4698 and 5145. 

Post-intrusion, attackers conducted reconnaissance using uncommon commands like auditpol, bitsadmin, and dfsutil by exfiltrating data using WinRAR and SFTP after enumerating files with dir /s and commands targeting OneDrive, Teams, IIS, and other locations.

“Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!”- Free Demo

Aman Mishra

Recent Posts

Next.js Vulnerability Let Attackers Bypass Authentication

A high-severity vulnerability has been discovered in the popular web framework, Next.js, which allows attackers…

5 minutes ago

CISA Issues Secure Practices for Cloud Services To Strengthen U.S Federal Agencies

In a decisive move to bolster cloud security, the Cybersecurity and Infrastructure Security Agency (CISA)…

41 minutes ago

Fortinet Critical Vulnerabilitiy Let Attackers Inject Commands Remotely

Fortinet, a global leader in cybersecurity solutions, has issued an urgent security advisory addressing two…

1 hour ago

Critical Chrome Vulnerabilities Lets Attackers Execute Arbitrary Code Remotely

Google has released a new security update on the Stable channel, bringing Chrome to version 131.0.6778.204/.205…

2 hours ago

CISA Released Secure Mobile Communication Best Practices – 2025

The Cybersecurity and Infrastructure Security Agency (CISA) has released new best practice guidance to safeguard…

3 hours ago

New VIPKeyLogger Via Weaponized Office Documenrs Steals Login Credentials

The VIPKeyLogger infostealer, exhibiting similarities to the Snake Keylogger, is actively circulating through phishing campaigns. …

21 hours ago