ESET researchers noted that MirrorFace significantly refreshed its toolset in 2024, including the revival of the ANEL backdoor and the implementation of a customized AsyncRAT variant. Among the group's evolving tactics is the use of this heavily customized AsyncRAT variant, deployed through an intricate execution chain that leverages Windows Sandbox to evade detection. The attack against the Central European diplomatic institute represents the first known instance of MirrorFace targeting a European entity, using the upcoming Expo 2025 in Osaka, Japan as a lure.

The threat actor delivers multiple files to the compromised machine: legitimate 7-Zip executable and library files (7z.exe and 7z.dll), a password-protected archive containing AsyncRAT (disguised as setup.exe), a batch script that unpacks and launches AsyncRAT, and a Windows Sandbox configuration file. Once triggered, a complex execution chain launches AsyncRAT inside Windows Sandbox, which must be manually enabled and requires a reboot. When the scheduled task executes, it launches Windows Sandbox with the configuration file as a parameter. The batch file extracts AsyncRAT from the password-protected archive and creates another scheduled task that executes AsyncRAT every hour.

The customizations to AsyncRAT include sample tagging for tracking specific victims, connection to command and control (C&C) servers via Tor, implementation of a domain generation algorithm (DGA), and working time restrictions that limit operation to specific hours and days defined in the configuration. This multi-layered approach helps the malware remain undetected while establishing persistence on the compromised system, highlighting MirrorFace's increasingly sophisticated operational security measures designed to hinder incident investigations.
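The execution chain described above leaves a recognisable trail in process-creation telemetry: a 7-Zip extraction with a password on the command line, a scheduled task created with an hourly trigger, and WindowsSandbox.exe started by a non-interactive parent with a .wsb configuration file as its argument. The following detection sketch is an added example, not ESET's or the article's code. The record shape (parent image, image, command line) is a simplified stand-in for a Sysmon Event ID 1 export, the rule names are my own, the sample events are constructed, and the sample .wsb file is a constructed configuration using the real Windows Sandbox element names (Networking, MappedFolders/MappedFolder/HostFolder, LogonCommand/Command); the article does not say which of those elements the actor's configuration file used.

```python
"""Heuristics for the Windows Sandbox execution chain described in the article.

Added example (not from the article or ESET). Field names, rule names and all
sample data are constructed; the .wsb element names are the real schema.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Simplified process-creation record (constructed shape, not a real schema)."""
    parent_image: str
    image: str
    command_line: str


# Scheduled tasks are started by the Schedule service (svchost.exe), not by
# explorer.exe, so a sandbox launch whose parent is not explorer.exe is a
# useful (though not infallible) sign of non-interactive launch.
INTERACTIVE_PARENT = re.compile(r"(^|\\)explorer\.exe$", re.IGNORECASE)
SANDBOX_BINARY = re.compile(r"(^|\\)windowssandbox\.exe$", re.IGNORECASE)
WSB_ARG = re.compile(r"\S+\.wsb\b", re.IGNORECASE)
SEVENZIP_BINARY = re.compile(r"(^|\\)7z\.exe$", re.IGNORECASE)
SEVENZIP_PASSWORD = re.compile(r"(?:^|\s)-p\S+")          # 7-Zip -p{password} switch
SCHTASKS_BINARY = re.compile(r"(^|\\)schtasks\.exe$", re.IGNORECASE)
SCHTASKS_HOURLY = re.compile(r"/create\b.*?/sc\s+hourly", re.IGNORECASE)

# Constructed sample telemetry: one benign event plus the three chain stages.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c C:\Users\victim\AppData\Local\Temp\run.bat"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Users\victim\AppData\Local\Temp\7z.exe",
              r"7z.exe x -pEXAMPLE_PASSWORD archive.7z -oC:\Users\victim\AppData\Local\Temp\out"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /sc hourly /tn "Updater" /tr "C:\Users\victim\AppData\Local\Temp\out\setup.exe"'),
    ProcEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\WindowsSandbox.exe",
              r"WindowsSandbox.exe C:\Users\victim\AppData\Local\Temp\cfg.wsb"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
              r"notepad.exe notes.txt"),
]

# Constructed .wsb: maps a host folder into the sandbox and runs a script at logon.
SAMPLE_WSB = r"""<Configuration>
  <Networking>Enable</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\Users\victim\AppData\Local\Temp\share</HostFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>C:\Users\WDAGUtilityAccount\Desktop\share\run.bat</Command>
  </LogonCommand>
</Configuration>
"""


def scan_process_events(events):
    """Return (rule_name, command_line) for every event matching a chain stage."""
    findings = []
    for ev in events:
        if SEVENZIP_BINARY.search(ev.image) and SEVENZIP_PASSWORD.search(ev.command_line):
            findings.append(("7zip-password-on-command-line", ev.command_line))
        if SCHTASKS_BINARY.search(ev.image) and SCHTASKS_HOURLY.search(ev.command_line):
            findings.append(("schtasks-hourly-task-created", ev.command_line))
        if (SANDBOX_BINARY.search(ev.image) and WSB_ARG.search(ev.command_line)
                and not INTERACTIVE_PARENT.search(ev.parent_image)):
            findings.append(("sandbox-launch-with-config-non-interactive", ev.command_line))
    return findings


def summarize_wsb(xml_text):
    """Pull the fields an analyst checks first from a Windows Sandbox .wsb file."""
    root = ET.fromstring(xml_text)
    command = root.findtext("LogonCommand/Command")
    folders = [mf.findtext("HostFolder") for mf in root.findall("MappedFolders/MappedFolder")]
    return {
        "networking": root.findtext("Networking", default="Default"),
        "host_folders": [f.strip() for f in folders if f],
        "logon_command": command.strip() if command else None,
    }


if __name__ == "__main__":
    for rule, cmdline in scan_process_events(SAMPLE_EVENTS):
        print(f"[{rule}] {cmdline}")
    print(summarize_wsb(SAMPLE_WSB))
```

The three process rules will also fire on legitimate administration (hourly maintenance tasks, scripted 7-Zip extraction), so they are best correlated within a short window on one host rather than alerted on individually; the .wsb summary is what turns a "sandbox launched" event into a triage decision, because a mapped host folder plus a LogonCommand is how a file staged on the host ends up executing inside the sandbox.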
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 19 Mar 2025 12:10:29 +0000