MirrorFace

APT / StateG1054
OriginChina
Techniques (MITRE ATT&CK)43
SourceMITRE ATT&CK
Also known as:Earth Kasha

Vexday analysis

MirrorFace é um ator de ciberespionagem alinhado à República Popular da China, identificado pelo MITRE ATT&CK como G1054 e também referenciado como Earth Kasha. Acredita-se que seja um subgrupo sob o guarda-chuva do menuPass, com base em sobreposições de alvos, ferramentas e infraestrutura. Ativo desde pelo menos 2019, o grupo inicialmente concentrou suas operações exclusivamente em organizações japonesas nos setores de mídia, defesa, diplomacia, finanças, manufatura e meio acadêmico, expandindo posteriormente suas operações para alvos na Europa Central, com uso dos malwares LODEINFO, HiddenFace e UPPERCUT. Ao grupo são atribuídas 2 CVEs conhecidas por exploração e 43 técnicas documentadas no framework MITRE ATT&CK.

Techniques (MITRE ATT&CK) 43

How the group operates, mapped to the MITRE ATT&CK matrix and organized by the phases of an attack.

Reconnaissance
Gather Victim Org Information
Resource development
MalwareTool
Initial access
Exploit Public-Facing ApplicationSpearphishing AttachmentSpearphishing Link
Execution
Windows Management InstrumentationWindows Command ShellVisual BasicMalicious File
Credential access
LSASS MemorySecurity Account ManagerNTDS
Discovery
System Service DiscoverySystem Network Configuration DiscoveryRemote System DiscoverySystem Owner/User DiscoveryProcess DiscoverySystem Information DiscoveryFile and Directory DiscoveryDomain AccountDomain Trust DiscoverySystem Language Discovery
Lateral movement
Remote Desktop ProtocolSMB/Windows Admin Shares
Collection
Data from Local SystemRemote Data StagingLocal Email CollectionArchive via Utility
Command and control
File Transfer ProtocolsProxy
Exfiltration
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
defense-impairment
Code SigningPassword Filter DLLDisable or Modify ToolsClear Windows Event LogsWindows Host Firewall
stealth
Encrypted/Encoded FileMasquerade File TypeFile DeletionTemplate InjectionDLLImpersonation

Exploited vulnerabilities 2

CVEs this group is known to exploit, per MITRE ATT&CK. Ordered by real-world severity.

CVE-2014-7169CRITICALEPSS 100%KEVCVE-2016-6662EPSS 68%

MirrorFace uses real techniques and exploits real flaws. TrueHacking's AI Autonomous Pentest simulates these attacks against your infrastructure and brings more security to your application.

Explore the AI Autonomous Pentest →