#facexinjector

ESET Research<p><a href="https://infosec.exchange/tags/ESETresearch" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ESETresearch</span></a> noticed two <a href="https://infosec.exchange/tags/MirrorFace" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MirrorFace</span></a> Excel documents, known as <a href="https://infosec.exchange/tags/ROAMINGMOUSE" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ROAMINGMOUSE</span></a>, were uploaded to VirusTotal from <a href="https://infosec.exchange/tags/Taiwan" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Taiwan</span></a> in March 2025. The documents contain a malicious VBA macro that deploys the <a href="https://infosec.exchange/tags/ANEL" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ANEL</span></a> backdoor on the compromised machine. @dbreitenbacher<br>The contents of the documents are written in traditional Chinese and the date used follows the Republic of China calendar. Based on this data and other information available to ESET, we assess with medium confidence that the target was a Taiwanese research institute.<br>Even though MirrorFace has previously been reported targeting a Taiwanese entity, this is the first time we don’t see any relation to Japan. <br>Our investigation indicates that both documents were used to target the same institute. MirrorFace employed a call-to-action textbox, asking targets to press “Enable editing” and then “Enable content” buttons to show the data in the worksheet. 
<br>Using multiple different malicious documents to compromise the same entity is an approach that was also observed in 2024 in “Case 1: Japanese research institute” described in our blogpost <a href="https://www.welivesecurity.com/en/eset-research/operation-akairyu-mirrorface-invites-europe-expo-2025-revives-anel-backdoor/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">welivesecurity.com/en/eset-res</span><span class="invisible">earch/operation-akairyu-mirrorface-invites-europe-expo-2025-revives-anel-backdoor/</span></a>. <br>The overall compromise chain, leading to the execution of <a href="https://infosec.exchange/tags/ANEL" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ANEL</span></a> to establish the initial foothold, remained the same as some observed in 2024. In particular, the approach was described as “Case 1” in Trend Micro’s report <a href="https://www.trendmicro.com/en_us/research/24/k/return-of-anel-in-the-recent-earth-kasha-spearphishing-campaign.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">trendmicro.com/en_us/research/</span><span class="invisible">24/k/return-of-anel-in-the-recent-earth-kasha-spearphishing-campaign.html</span></a>. 
<br>Besides the documents, a sample of the <a href="https://infosec.exchange/tags/ANELLDR" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ANELLDR</span></a> loader and a sample of <a href="https://infosec.exchange/tags/FaceXInjector" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FaceXInjector</span></a> were uploaded to VirusTotal from Taiwan around the same time as well. <br>IoCs </p><p>1BAC9E61C0D433964972BC91A5F38F31B85558C1 (ROAMINGMOUSE) <br>634D52E10E168A61C8201130F44925CC497C1251 (ROAMINGMOUSE) <br>E5F20192DB09EA033FEDD9CCEB782321EBB9C66E (FaceXInjector) <br>948CA0DAC99470775523809C1E7E60740B70C0FD (ANELLDR) <br>C&amp;Cs: <br>64.176.34[.]120 (ANEL) <br>192.46.215[.]56 (ANEL)</p>