MirrorFace Analysis

IOB - Indicator of Behavior (193)

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en: 142
zh: 18
ru: 12
ja: 6
pt: 4

Country

us: 86
cn: 58
ru: 36
pt: 4
es: 2

Product

Microsoft IIS: 6
Apache HTTP Server: 6
Traefik: 6
Huawei P8: 4
gnuboard5: 4

Vulnerabilities

# | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | CTI | EPSS | CVE
1 | Esoftpro Online Guestbook Pro ogp_show.php sql injection | 7.3 | 6.9 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.10 | 0.00108 | CVE-2009-4935
2 | Microsoft Edge PDF Reader memory corruption | 6.0 | 5.7 | $25k-$100k | $5k-$25k | Not Defined | Official Fix | 0.00 | 0.44753 | CVE-2020-1568
3 | nginx request smuggling | 6.9 | 6.9 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.10 | 0.00241 | CVE-2020-12440
4 | Thomas R. Pasawicz HyperBook Guestbook Password Database gbconfiguration.dat Hash information disclosure | 5.3 | 5.2 | $5k-$25k | $0-$5k | High | Workaround | 0.02 | 0.02016 | CVE-2007-1192
5 | Tiki Admin Password tiki-login.php improper authentication | 8.0 | 7.7 | $0-$5k | $0-$5k | Not Defined | Official Fix | 4.84 | 0.00936 | CVE-2020-15906
6 | MGB OpenSource Guestbook email.php sql injection | 7.3 | 7.3 | $0-$5k | $0-$5k | High | Unavailable | 0.59 | 0.01302 | CVE-2007-0354
7 | Joomla CMS com_easyblog sql injection | 6.3 | 6.1 | $5k-$25k | $5k-$25k | Not Defined | Not Defined | 0.27 | 0.00000 |
8 | HP Router/Switch SNMP information disclosure | 3.7 | 3.4 | $5k-$25k | $0-$5k | Proof-of-Concept | Official Fix | 0.04 | 0.00285 | CVE-2012-3268
9 | Esoftpro Online Guestbook Pro ogp_show.php cross site scripting | 4.3 | 4.2 | $0-$5k | $0-$5k | High | Unavailable | 0.04 | 0.00209 | CVE-2009-2441
10 | vBulletin redirector.php | 6.6 | 6.6 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.07 | 0.00141 | CVE-2018-6200
11 | OpenBB read.php sql injection | 7.3 | 7.0 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.06 | 0.00250 | CVE-2005-1612
12 | Apache Struts ExceptionDelegator input validation | 8.8 | 8.4 | $5k-$25k | $0-$5k | High | Official Fix | 0.02 | 0.36440 | CVE-2012-0391
13 | Schneider Electric Vijeo Designer path traversal | 5.5 | 5.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00 | 0.00246 | CVE-2021-22704
14 | DZCP deV!L`z Clanportal config.php code injection | 7.3 | 6.6 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.68 | 0.00943 | CVE-2010-0966
15 | Hscripts PHP File Browser Script index.php path traversal | 5.9 | 5.9 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00 | 0.00153 | CVE-2018-16549
16 | Microsoft IIS IP/Domain Restriction access control | 6.5 | 5.7 | $25k-$100k | $0-$5k | Unproven | Official Fix | 0.08 | 0.00817 | CVE-2014-4078
17 | Phplinkdirectory PHP Link Directory conf_users_edit.php cross-site request forgery | 6.3 | 6.0 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.07 | 0.00526 | CVE-2011-0643
18 | Microsoft Windows Win32k Privilege Escalation | 8.3 | 7.7 | $100k and more | $0-$5k | Functional | Official Fix | 0.00 | 0.00148 | CVE-2021-40449
19 | OneLogin Ruby-saml XML DOM improper authentication | 8.3 | 8.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00 | 0.01056 | CVE-2017-11428
20 | Sphinx missing authentication | 7.4 | 7.3 | $0-$5k | $0-$5k | Not Defined | Workaround | 0.03 | 0.01038 | CVE-2019-14511

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • LiberalFace

IOC - Indicator of Compromise (5)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (15)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (93)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.


References (2)

The following list contains external sources which discuss the actor and the associated activities:
