Advanced Persistent Threat (APT) groups continually evolve their strategies to infiltrate systems and extract sensitive information in the intricate realm of cybersecurity. One such group, MirrorFace, has recently been scrutinized for its sophisticated exploitation of Windows Sandbox and Visual Studio Code (VSCode) to conduct cyber espionage, mainly targeting organizations in Japan. This blog delves into the emergence of MirrorFace, its advanced methodologies, the implications of its attacks, and the necessary countermeasures to mitigate such threats.
Emergence and Evolution of MirrorFace
MirrorFace, also called Earth Kasha, is a cyber espionage group believed to operate under the umbrella of the Chinese state-backed APT10. Since at least 2019, MirrorFace has systematically targeted Japanese government entities, politicians, media organizations, and sectors integral to national security, such as aerospace and semiconductors. The group’s primary objective is to steal sensitive information about advanced technologies and national security.
Over the years, MirrorFace has orchestrated three major cyberattack campaigns:
Campaign A (2019–2023)
Between 2019 and 2023, the group relied heavily on spear-phishing campaigns, deploying malicious email attachments that exploited vulnerabilities in Microsoft Office macros. This phase was marked by the widespread use of the LODEINFO malware, which opened backdoors into targeted systems, allowing MirrorFace to exfiltrate data covertly. This campaign also utilized tools like LilimRAT and NOOPDOOR, facilitating remote command execution, data theft, and lateral movement within networks.
Campaign B (2023)
By 2023, MirrorFace had shifted its focus towards exploiting vulnerabilities in networking devices. Instead of relying solely on email phishing, the group targeted critical infrastructure through VPN systems and SQL injection flaws. Industries such as semiconductor manufacturing and IT services were particularly affected during this phase. Attackers deployed tools like Neo-reGeorg tunneling software and web shells, which enabled them to bypass perimeter defenses and gain persistent access to enterprise environments. The compromise of Active Directory servers and virtualization platforms further extended their ability to maneuver through compromised networks without detection.
Campaign C (2024–Present)
Entering 2024, MirrorFace has demonstrated an even greater sophistication by incorporating new attack vectors that abuse Windows Sandbox and Visual Studio Code’s development tunnels. Instead of traditional phishing attempts, the group has begun embedding malicious payloads within disguised software updates, luring victims into executing these files within the security context of Windows Sandbox. By exploiting its isolated nature, the attackers can evade security monitoring tools while executing malicious code that establishes backdoor access to the system.
The abuse of Visual Studio Code Remote Tunnels has also enabled MirrorFace to maintain persistent access to compromised machines without raising suspicion. By tunneling through Microsoft’s trusted infrastructure, they can execute arbitrary commands and exfiltrate sensitive data without triggering conventional security alerts.
Windows Sandbox: A Double-Edged Sword
Windows Sandbox is a built-in virtualization feature in Windows 10 and 11 that creates an isolated, temporary desktop environment. It was designed to allow users to run untrusted applications safely without affecting their primary operating system. When executed, the sandbox is a lightweight virtual machine that operates under a restricted user account, preventing potential malware from interacting with critical system files.
However, this security feature has a significant drawback. The default configuration of Windows Sandbox disables Windows Defender, making it an attractive environment for executing malicious payloads without detection. Additionally, attackers can manipulate Windows Sandbox through Windows Sandbox Configuration Files (.WSB). These configuration files allow users—or, in this case, attackers—to customize the sandbox environment by enabling network access, sharing folders with the host machine, executing predefined scripts, and allocating memory resources. By leveraging this customization feature, MirrorFace can create pre-configured sandbox environments that facilitate seamless malware execution and persistence within compromised networks.
Recent developments in Windows Sandbox functionality have further complicated detection efforts. Microsoft has introduced several updates that allow the sandbox to run in the background, persist data across sessions, and execute scripts on startup. While these improvements enhance its usability for developers and IT professionals, they allow attackers to exploit its capabilities without alerting security monitoring systems. MirrorFace has been observed using WSB configuration files to set up malicious sandboxes that interact with the host machine, allowing them to move files between environments, execute commands silently, and establish hidden network connections for remote command-and-control operations.
Visual Studio Code: A Tool Turned Threat
Visual Studio Code (VSCode) is a widely used source-code editor developed by Microsoft. It is known for its versatility and extensive range of extensions. However, threat actors have found ways to exploit VSCode’s features for malicious purposes.
MirrorFace has leveraged VSCode’s remote tunneling capabilities to establish covert communication channels with compromised systems. These tunnels enable attackers to execute arbitrary commands and manipulate files on the target machine while evading detection.
The abuse of VSCode Remote Tunnels for command-and-control (C2) purposes has become a significant concern as:
- VSCode tunnels provide full access to the compromised machine, including command execution and filesystem manipulation.
- Since the tunnels use Microsoft-signed executables and Azure network infrastructure, they often evade security solutions and firewall rules.
- This method enables attackers to maintain long-term control over compromised endpoints without raising suspicion.
MirrorFace’s Sophisticated Attack Methodology
Initial Compromise
MirrorFace’s campaigns often involve spear-phishing emails tailored to the targeted individuals or organizations. These emails contain malicious attachments or links to deliver malware to the victim’s system.
Additionally, the group has exploited vulnerabilities in networking equipment, such as:
- CVE-2023-28461 in Array Networks,
- CVE-2023-27997 in Fortinet appliances,
- CVE-2023-3519 in Citrix ADC/Gateway,
- And other known weaknesses in enterprise networking hardware.
These vulnerabilities allow MirrorFace to gain initial access before deploying customized malware payloads.
Enabling Windows Sandbox
Once inside the target system, MirrorFace enables Windows Sandbox, which is disabled by default. This requires administrative privileges and a system restart. Attackers then create a WSB configuration file to:
- Share files between the host and sandbox,
- Enable network connectivity,
- Allocate memory resources,
- Automatically execute a batch script upon sandbox startup.
This script extracts the archive and creates a scheduled task that runs the malware with SYSTEM privileges, ensuring persistence.
Command and Control via VSCode Tunnels
To maintain long-term control over compromised machines, MirrorFace abuses Visual Studio Code’s Remote Tunnels by:
- Establishing secure remote access via Microsoft’s infrastructure,
- Executing arbitrary commands from an external machine,
- Uploading and modifying files covertly.
This method allows attackers to interact with the infected system without triggering conventional security alerts.
Forensic Artifacts and Detection
To identify and mitigate MirrorFace attacks, security teams should focus on key forensic artifacts:
Windows Sandbox Artifacts
- Master File Table ($MFT) and Update Sequence Number Journal ($UsnJrnl): Record the creation of WSB files, mounted folders, and VHDX files.
- Prefetch Data: Logs sandbox activity.
- Registry Entries: Can reveal traces of application execution within Windows Sandbox.
VSCode Tunnel Artifacts
- Unexpected VSCode processes running in the background.
- Modifications to VSCode configuration files.
- Unusual outbound connections to Microsoft Azure domains.
Mitigation Strategies
Organizations can adopt several countermeasures to prevent and mitigate MirrorFace attacks:
- Disable Windows Sandbox unless explicitly required. Ensure it is only enabled for legitimate purposes.
- Monitor and restrict WSB file execution. Log all attempts to execute or modify sandbox configurations.
- Implement Endpoint Detection and Response (EDR) solutions. Advanced monitoring tools can help detect anomalies in system behavior.
- Restrict Visual Studio Code Remote Tunneling. Limit external connections to trusted hosts.
- Enforce application allowlisting. Only allow approved software and scripts to be executed.
- Apply security patches promptly. Keep all software and network appliances updated to mitigate known vulnerabilities.
Conclusion
MirrorFace’s innovative use of Windows Sandbox and Visual Studio Code Tunnels demonstrates the evolving nature of cyber espionage tactics. The group has effectively bypassed conventional security measures by leveraging built-in system features for stealthy persistence. Organizations must stay ahead by implementing proactive monitoring, restricting unnecessary features, and reinforcing endpoint security to combat such advanced threats.
Cybersecurity is an ongoing battle, and as adversaries become more sophisticated, defenders must remain vigilant and adapt swiftly to emerging threats. Exploiting legitimate developer tools for malicious cyber espionage is a stark reminder that no software environment is immune to manipulation by threat actors.
References:
https://cybersecuritynews.com/mirrorface-apt-hackers-exploited-windows-sandbox-visual-studio-code/
https://gbhackers.com/mirrorface-apt-using-custom-malware-to-exploited/
