MirrorStealer - S9022 (2f851d4a-18cc-4d7f-9408-b10ef02ee936)

MirrorStealer is a credential stealer that has been used by MirrorFace since at least 2022 to steal credentials from various applications, including browsers and email clients. MirrorStealer has been delivered directly into system memory via commands issued by LODEINFO.(Citation: ESET MirrorFace DEC 2022)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| MirrorStealer - S9022 (2f851d4a-18cc-4d7f-9408-b10ef02ee936) | Malware | Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) | Attack Pattern | 1 |
| MirrorStealer - S9022 (2f851d4a-18cc-4d7f-9408-b10ef02ee936) | Malware | Group Policy Preferences - T1552.006 (8d7bd4f5-3a89-4453-9c82-2c8894d5655e) | Attack Pattern | 1 |
| MirrorStealer - S9022 (2f851d4a-18cc-4d7f-9408-b10ef02ee936) | Malware | Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) | Attack Pattern | 1 |
| MirrorStealer - S9022 (2f851d4a-18cc-4d7f-9408-b10ef02ee936) | Malware | Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) | Attack Pattern | 1 |
| Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) | Attack Pattern | Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) | Attack Pattern | 2 |
| Group Policy Preferences - T1552.006 (8d7bd4f5-3a89-4453-9c82-2c8894d5655e) | Attack Pattern | Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) | Attack Pattern | 2 |
| Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) | Attack Pattern | Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) | Attack Pattern | 2 |