MirrorFace Attacking Organizations Exploiting Vulnerabilities In Internet-Facing Assets

16 July 2024

MirrorFace threat actors have been targeting media, political organizations, and academic institutions since 2022, shifting focus to manufacturers and research institutions in 2023. The attack method evolved from spear phishing to exploiting vulnerabilities in external assets, specifically in Array AG and FortiGate products, while the actors deploy NOOPDOOR malware and use various tools to exfiltrate data, including file listing and content review, after gaining network access. MirrorFace attack activities timeline NOOPDOOR, a shellcode, injects itself into legitimate applications through two methods, where Type1 utilizes an XML file containing obfuscated C# code, which is compiled using MSBuild and executed by NOOPLDR. NOOPDOOR launched by an XML file (Type1) Type2 employs a DLL file, loading NOOPLDR into a legitimate application via DLL side-loading.

Source: GBHackers

Date:

16 July 2024

Categorie(s):

NEWS

Tag(s):

Assets, Cyber Attack, Cyber Security News, Malware, Organizations

Criminals open DocuSign’s Envelope API to make BEC special delivery5 November 2024
Biden administration prepares second executive order on cybersecurity5 November 2024
Link Index for Customer Identity and Access Management5 November 2024
Technical debt, multi-cloud complexity hinder modern tech adoption5 November 2024
FBI Seeks Public Help to Identify Chinese Hackers Behind Global Cyber Intrusions5 November 2024