MirrorFace Attacking Organizations Exploiting Vulnerabilities


MirrorFace threat actors have been targeting media, political organizations, and academic institutions since 2022, shifting focus to manufacturers and research institutions in 2023. 

The attack method evolved from spear phishing to exploiting vulnerabilities in external assets, specifically in Array AG and FortiGate products, while the actors deploy NOOPDOOR malware and use various tools to exfiltrate data, including file listing and content review, after gaining network access. 

MirrorFace attack activities timeline

NOOPDOOR is shellcode that its loader, NOOPLDR, injects into legitimate applications in one of two ways. In Type1, NOOPLDR takes the form of an XML file containing obfuscated C# code that is compiled and executed with MSBuild.

NOOPDOOR launched by an XML file (Type1)

In Type2, NOOPLDR is a DLL file that is loaded into a legitimate application via DLL side-loading. Both types retrieve encrypted data from specific files or registry entries, decrypt it with AES-CBC using a key derived from system information, and inject the resulting code into a target application.

NOOPDOOR launched by a DLL file (Type2)

After the code has been executed, it is encrypted again and saved to a specific registry location so that it can be reused in subsequent operations.


NOOPLDR Samples Exhibit Diverse Characteristics:

NOOPLDR samples manifest in XML and DLL formats, leveraging various Windows processes for injection. XML-based NOOPLDRs primarily use legitimate services for execution and store encrypted payloads in specific registry locations. 

DLL variants exhibit more complex behaviors, including service installation and potential hiding, employing registry keys for payload storage. 

According to JPCERT/CC, some samples utilize `wuauclt.exe` for both XML and DLL injection, while others rely on processes like `lsass.exe`, `svchost.exe`, and `vdsldr.exe`. 

Type2 employs Control Flow Flattening (CFF) to obfuscate its code, which makes analysis difficult. While tools such as D810 can partially deobfuscate CFF, JPCERT/CC offers a dedicated Python script (Deob_NOOPLDR.py) on GitHub for further deobfuscation.

CFF obfuscated function (Left) and deobfuscated function (Right)

NOOPDOOR can communicate over port 443 using a Domain Generation Algorithm (DGA), and it can also receive commands via port 47000.

Beyond standard malware actions like file transfer and execution, NOOPDOOR can manipulate file timestamps, potentially hindering forensic investigations. 

The threat actors actively attempt to obtain Windows network credentials by harvesting them from memory dumps of the LSASS process, from the NTDS.dit database on domain controllers, and from the sensitive registry hives (SYSTEM, SAM, SECURITY) that give access to the SAM database.

sample event log 

These activities, indicative of credential theft, may be detectable with security products such as Microsoft Defender and EDR solutions; access to NTDS.dit in particular is explicitly logged, and its analysis is covered by external resources.

The attackers leveraged Windows network administrator privileges to spread the malware via SMB and scheduled tasks, targeting file servers, Active Directory, and anti-virus management servers; this activity was recorded as Windows Event IDs 4698 (scheduled task created) and 5145 (network share object checked).
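The following Python is an added example, not code from the article or from JPCERT/CC: it correlates the two Event IDs mentioned above over constructed Security-log records, flagging a host where an admin-share access (5145) is followed shortly by a scheduled-task creation (4698) by the same account. The field names (`Computer`, `Account`, `Share`, `Task`, and so on) are assumed to mirror fields exported from the Security log.

```python
"""Correlate Windows Security events 4698 (scheduled task created) and
5145 (network share object checked) to flag the SMB + scheduled-task
lateral movement pattern.  Sample events below are constructed."""
from datetime import datetime, timedelta

# Administrative shares commonly used to drop a payload before remote task creation.
ADMIN_SHARES = {"\\\\*\\ADMIN$", "\\\\*\\C$", "\\\\*\\IPC$"}
WINDOW = timedelta(minutes=10)

# Constructed sample events; field names are assumed to match exported log fields.
SAMPLE_EVENTS = [
    {"EventID": 5145, "Time": "2024-03-01T09:00:05", "Computer": "FS01",
     "Account": "CORP\\svc_backup", "Source": "10.0.0.25", "Share": "\\\\*\\ADMIN$",
     "RelativeTarget": "Temp\\update.xml"},
    {"EventID": 4698, "Time": "2024-03-01T09:01:30", "Computer": "FS01",
     "Account": "CORP\\svc_backup", "Task": "\\Microsoft\\Windows\\UpdateCheck"},
    {"EventID": 5145, "Time": "2024-03-01T11:00:00", "Computer": "FS02",
     "Account": "CORP\\alice", "Source": "10.0.0.40", "Share": "\\\\*\\Projects",
     "RelativeTarget": "report.docx"},
    {"EventID": 4698, "Time": "2024-03-01T15:00:00", "Computer": "FS02",
     "Account": "CORP\\alice", "Task": "\\Backup\\Nightly"},
]


def _ts(event):
    return datetime.fromisoformat(event["Time"])


def correlate(events, window=WINDOW):
    """Return one alert per (admin-share access, task creation) pair on the same
    host by the same account where the task follows the share access within `window`."""
    shares = [e for e in events if e["EventID"] == 5145 and e["Share"] in ADMIN_SHARES]
    tasks = [e for e in events if e["EventID"] == 4698]
    alerts = []
    for s in shares:
        for t in tasks:
            same_ctx = s["Computer"] == t["Computer"] and s["Account"] == t["Account"]
            if same_ctx and timedelta(0) <= _ts(t) - _ts(s) <= window:
                alerts.append({"host": t["Computer"], "account": t["Account"],
                               "source_ip": s["Source"], "share": s["Share"],
                               "task": t["Task"], "dropped": s["RelativeTarget"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Only the FS01 pair is flagged: the FS02 share access is to a non-administrative share and the FS02 task is created hours later.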

Post-intrusion, the attackers conducted reconnaissance with uncommon commands such as auditpol, bitsadmin, and dfsutil, enumerated files with dir /s and commands targeting OneDrive, Teams, IIS, and other locations, and then exfiltrated the collected data using WinRAR and SFTP.
