MirrorFace Hackers Customized AsyncRAT Execution Chain to Run Within Windows Sandbox

The China-aligned advanced persistent threat (APT) group MirrorFace has updated its tactics, techniques, and procedures (TTPs) with a sophisticated approach to deploying malware.

Known primarily for targeting Japanese entities, the group has expanded its operations to include a Central European diplomatic institute in a campaign dubbed Operation AkaiRyū (Japanese for RedDragon).

Among their evolving tactics is the use of a heavily customized AsyncRAT variant deployed through an intricate execution chain that leverages Windows Sandbox to evade detection.

ESET researchers noted that MirrorFace has significantly refreshed its toolset in 2024, including the revival of the ANEL backdoor and the implementation of a customized AsyncRAT variant.

The attack against the Central European diplomatic institute represents the first known instance of MirrorFace targeting a European entity, using the upcoming Expo 2025 in Osaka, Japan as a lure.

The group’s customization of AsyncRAT includes several sophisticated modifications that enhance its stealth capabilities.

AsyncRAT execution chain (Source – Welivesecurity)

These include sample tagging for tracking specific victims, connection to command and control (C&C) servers via Tor, implementation of a domain generation algorithm (DGA), and working time restrictions that limit operation to specific hours and days defined in the configuration.

MirrorFace ensures AsyncRAT’s persistence by registering a scheduled task that executes at machine startup.

Once triggered, a complex execution chain launches AsyncRAT inside Windows Sandbox, which must be manually enabled and requires a reboot.

This technique effectively obscures malicious activities from security controls and complicates detection efforts.

AsyncRAT Execution Through Windows Sandbox

The execution chain involves several components working together to deploy AsyncRAT.

The threat actor delivers multiple files to the compromised machine: legitimate 7-Zip executable and library files (7z.exe and 7z.dll), a password-protected archive containing AsyncRAT (disguised as setup.exe), a batch script that unpacks and launches AsyncRAT, and a Windows Sandbox configuration file.

When the scheduled task executes, it launches Windows Sandbox with the configuration file as a parameter.

The configuration file defines networking settings, directory mapping, memory allocation, and specifies the batch file to execute on launch.

Below is an example of such a configuration file:

    <Configuration>
        <Networking>Enable</Networking>
        <MappedFolders>
            <MappedFolder>
                <HostFolder>C:\Users</HostFolder>
                <SandboxFolder>C:\HostFiles</SandboxFolder>
                <ReadOnly>false</ReadOnly>
            </MappedFolder>
        </MappedFolders>
        <LogonCommand>
            <Command>C:\HostFiles\{49D82E3-CBB6-0486-6645-A4EFD285629}\erBkVRZT.bat</Command>
        </LogonCommand>
        <MemoryInMB>1024</MemoryInMB>
    </Configuration>
Contents of a Windows Sandbox config file used by MirrorFace (Source – Welivesecurity)

The batch file extracts AsyncRAT from the password-protected archive and creates another scheduled task that executes AsyncRAT every hour.
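The chain above leaves two artifacts a responder can check: a scheduled task whose action is WindowsSandbox.exe with a .wsb argument, and the .wsb file itself, whose LogonCommand points into a writable host folder mapped into the sandbox. The following triage script is an added example and is not code from ESET or from the article; the task XML and the .wsb contents are constructed samples (the .wsb reuses the element values quoted above), and the defaults it assumes for an omitted SandboxFolder (the sandbox user's desktop) and for an omitted Networking element (enabled) follow the Windows Sandbox configuration documentation.

```python
"""Triage helper for the Windows Sandbox persistence pattern: a scheduled task
that launches WindowsSandbox.exe with a .wsb whose LogonCommand runs a script
from a writable host folder mapped into the sandbox. Inputs are artifacts a
responder already collects: task definitions (schtasks /query /xml, or the
files under C:\\Windows\\System32\\Tasks) and the referenced .wsb file."""
import ntpath
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumed default: a mapped folder with no SandboxFolder lands on the sandbox
# user's desktop (per the Windows Sandbox configuration documentation).
SANDBOX_DESKTOP = "C:\\Users\\WDAGUtilityAccount\\Desktop"

# Constructed sample task: runs Windows Sandbox at boot with a config file.
SAMPLE_TASK_XML = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\WindowsSandbox.exe</Command>
      <Arguments>C:\Users\Public\example.wsb</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed .wsb mirroring the element values quoted in the article.
SAMPLE_WSB = r"""<Configuration>
  <Networking>Enable</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\Users</HostFolder>
      <SandboxFolder>C:\HostFiles</SandboxFolder>
      <ReadOnly>false</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>C:\HostFiles\{49D82E3-CBB6-0486-6645-A4EFD285629}\erBkVRZT.bat</Command>
  </LogonCommand>
  <MemoryInMB>1024</MemoryInMB>
</Configuration>"""


def sandbox_config_from_task(task_xml: str):
    """Return the .wsb path a task passes to WindowsSandbox.exe, or None."""
    root = ET.fromstring(task_xml)
    for exe in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = (exe.findtext("t:Command", "", TASK_NS) or "").strip().strip('"')
        args = (exe.findtext("t:Arguments", "", TASK_NS) or "").strip().strip('"')
        if cmd.lower().endswith("windowssandbox.exe") and args.lower().endswith(".wsb"):
            return args
    return None


def assess_wsb(wsb_xml: str) -> dict:
    """Parse a .wsb and report the traits that make this chain worth a look."""
    root = ET.fromstring(wsb_xml)
    networking = (root.findtext("Networking") or "Default").strip().lower()
    mapped = []  # (host folder, path inside the sandbox, read-only?)
    for mf in root.findall("./MappedFolders/MappedFolder"):
        host = (mf.findtext("HostFolder") or "").strip()
        inside = (mf.findtext("SandboxFolder") or "").strip()
        if not inside:  # omitted SandboxFolder: folder appears on the sandbox desktop
            inside = SANDBOX_DESKTOP + "\\" + ntpath.basename(host.rstrip("\\"))
        read_only = (mf.findtext("ReadOnly") or "false").strip().lower() == "true"
        mapped.append((host, inside, read_only))
    commands = [(c.text or "").strip() for c in root.findall("./LogonCommand/Command")]
    # A logon command located under a mapped folder executes host-controlled
    # content inside the sandbox, which is the pattern described in the article.
    runs_from_mapped = any(
        cmd.lower().startswith(inside.lower().rstrip("\\") + "\\")
        for cmd in commands for _, inside, _ in mapped
    )
    return {
        "networking_enabled": networking != "disable",
        "writable_mapped_folders": [h for h, _, ro in mapped if not ro],
        "logon_commands": commands,
        "logon_command_in_mapped_folder": runs_from_mapped,
        "memory_mb": int((root.findtext("MemoryInMB") or "0").strip()),
        "suspicious": bool(commands) and runs_from_mapped,
    }


def hunt(task_xmls, files):
    """Correlate task definitions with .wsb contents (files maps path -> text)."""
    hits = []
    for task_xml in task_xmls:
        wsb_path = sandbox_config_from_task(task_xml)
        if wsb_path and wsb_path in files:
            report = assess_wsb(files[wsb_path])
            if report["suspicious"]:
                hits.append((wsb_path, report))
    return hits


if __name__ == "__main__":
    for path, report in hunt([SAMPLE_TASK_XML], {"C:\\Users\\Public\\example.wsb": SAMPLE_WSB}):
        print(path, report)
```

In practice the task XML would come from `schtasks /query /xml /tn <name>` or the files under `C:\Windows\System32\Tasks`, and the `files` mapping from reading each referenced `.wsb` from disk. Because the hourly task the batch file creates is registered from inside the sandbox, it does not survive on the host; the boot-time task and the `.wsb` it references are the durable host-side artifacts, which is why this script keys on them.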

This multi-layered approach helps the malware remain undetected while establishing persistence on the compromised system, highlighting MirrorFace’s increasingly sophisticated operational security measures designed to hinder incident investigations.

