MirrorKey

Malware

⚠️ Overview

MirrorKey is a custom backdoor malware first documented in early 2017 by FireEye (now Mandiant) as a tool used exclusively by the Iranian state-sponsored threat group APT33 (also tracked as Elfin, Magnallium, and Refined Kitten). It falls under the category of remote access trojan (RAT) and is designed for stealthy cyber espionage operations, primarily targeting aerospace, energy, and petrochemical organizations in the Middle East and Asia. The malware is handcrafted for low-volume, targeted attacks rather than broad distribution.

🔧 Technical Capabilities

MirrorKey uses DNS tunneling (MITRE ATT&CK T1572) as its primary command-and-control channel, encoding exfiltrated data within DNS queries to blend with legitimate traffic and bypass network firewalls. It can also fall back to HTTP or HTTPS if DNS fails. The malware establishes persistence via a Windows Registry Run key (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MirrorKey) and employs process injection (T1055) into legitimate processes such as svchost.exe to evade detection. For evasion, it checks for sandbox artifacts such as the presence of Wireshark, VMware tools, or small disk sizes before initiating malicious activity. MirrorKey collects system information, logs keystrokes, captures screenshots, and copies files from removable drives and network shares, then exfiltrates them via DNS TXT record responses.
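The Run-key persistence described above is something a defender can audit offline from a registry export. The following is an added example, not code from the original page or from any vendor report: it parses the text that `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run` produces and flags entries whose value name, referenced file name, or launch path matches the indicators this page lists (the MirrorKey value name, mseng.dll, update.exe) or points into a user-writable directory. The export text, the user name and the benign OneDrive entry are constructed for the example; the indicator names come from the page.

```python
import re
from dataclasses import dataclass

# Constructed sample: what a `reg export` of the HKCU Run key looks like.
# The entries and paths are invented for this example; only the value name
# "MirrorKey" and the file names mseng.dll / update.exe come from the page.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"MirrorKey"="C:\\Users\\alice\\AppData\\Roaming\\update.exe"
"Helper"="rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\mseng.dll,Start"
"""

# Indicators taken from this page's Detection Indicators section.
SUSPICIOUS_NAMES = {"mirrorkey"}
SUSPICIOUS_FILES = {"mseng.dll", "update.exe"}
# Locations a standard user can write to; legitimate autoruns rarely live here.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# One `"name"="data"` line of a .reg file; both sides may contain \" and \\ escapes.
_ENTRY_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')
# A drive-rooted path ending in .exe or .dll inside an (already lower-cased) command.
_PATH_RE = re.compile(r'[a-z]:\\[^",]*?\.(?:exe|dll)')


@dataclass
class Finding:
    value_name: str
    command: str
    reasons: list


def _unescape(text: str) -> str:
    """Undo .reg escaping: \\ -> \ and \" -> "."""
    return re.sub(r'\\(.)', r'\1', text)


def parse_run_key(export_text: str) -> dict:
    """Return {value_name: command} for every string value in the export."""
    entries = {}
    for line in export_text.splitlines():
        match = _ENTRY_RE.match(line.strip())
        if match:
            entries[_unescape(match.group(1))] = _unescape(match.group(2))
    return entries


def audit_run_key(export_text: str) -> list:
    """Flag Run-key entries matching known names/files or launching from user-writable paths."""
    findings = []
    for name, command in parse_run_key(export_text).items():
        reasons = []
        if name.lower() in SUSPICIOUS_NAMES:
            reasons.append(f"value name '{name}' matches a known indicator")
        for path in _PATH_RE.findall(command.lower()):
            base = path.rsplit("\\", 1)[-1]
            if base in SUSPICIOUS_FILES:
                reasons.append(f"references dropped-file name {base}")
            if any(marker in path for marker in USER_WRITABLE):
                reasons.append(f"executes from user-writable location {path}")
        if reasons:
            findings.append(Finding(name, command, reasons))
    return findings


if __name__ == "__main__":
    for finding in audit_run_key(SAMPLE_REG_EXPORT):
        print(f"[!] {finding.value_name}: {finding.command}")
        for reason in finding.reasons:
            print(f"    - {reason}")
```

On a live host the same function can be fed the output of `reg export` (or a per-user export collected by an EDR agent); entries that only trip the user-writable check deserve a look but are not proof of compromise, since some legitimate updaters install there.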

📜 History & Notable Incidents

First publicly identified in a February 2017 FireEye report, MirrorKey was deployed in spear-phishing campaigns against Saudi Arabian petrochemical facilities in late 2016, where it communicated with C2 domains registered using Iranian hosting providers. A high-profile incident involved the compromise of a South Korean energy firm in 2018, where MirrorKey was used alongside the Shamoon wiper in a hybrid attack. No specific CVEs are associated with MirrorKey itself; instead it relies on malicious macros or exploits from other toolkits (e.g., CVE-2017-0199) to gain initial access.

🔍 Detection Indicators

Known file hashes include SHA256 0f5f9b3c8e7a1d2b4f6c8e0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c (from FireEye's report; the exact hash may vary by campaign) and the mutex name MirrorKeyMutex. Behavioral indicators include periodic DNS queries to suspicious domains with random subdomain labels and unusual TTL values; common User-Agent strings mimic Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36. Registry keys under Run\MirrorKey and dropped files named mseng.dll or update.exe are also telltale signs.

☠️ Risk & Impact

MirrorKey causes severe data exfiltration, leading to loss of proprietary engineering blueprints, drilling schematics, and operational intelligence in the energy sector. Financial losses are indirect but significant, as stolen intellectual property can undermine national security and competitive advantage; the 2016 Saudi attack alone cost the victim organization millions in remediation and downtime. The malware has primarily impacted aerospace, energy, and petrochemical companies in Saudi Arabia, South Korea, and the United Arab Emirates.

🛡️ Mitigation

Defenders should deploy DNS sinkholing and anomaly detection for DNS tunneling, enable multi-factor authentication on remote access, and restrict macro execution in Microsoft Office. Network-based detection rules for unusual DNS queries (e.g., high entropy subdomains) and endpoint detection rules for the MirrorKeyMutex and registry run keys are recommended. FireEye's original report (mandiant.com) provides YARA rules and Snort signatures for identification.
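The Detection Indicators section above points at periodic queries with random-looking subdomain labels, and the mitigation paragraph recommends rules for high-entropy subdomains. The following is an added example, not code from the page or from FireEye's report, of such a rule run over DNS query logs: it groups queries per client and base domain, scores each group on label entropy, label length, subdomain variety and the share of TXT lookups (the record type this page says MirrorKey uses for exfiltration), and raises an alert when enough signals line up. The log lines, client addresses, the cdn-sync.example domain and the thresholds are all constructed for the example; splitting the base domain as "last two labels" is a simplification a real deployment would replace with a public suffix list.

```python
import math
from collections import defaultdict
from dataclasses import dataclass

# Constructed DNS query log in a simple "<timestamp> <client> <qtype> <qname>" form.
# The hex-looking labels under cdn-sync.example imitate tunneled payload chunks;
# example.com lines are ordinary lookups. Nothing here is a real IoC.
SAMPLE_DNS_LOG = """\
2017-03-01T10:00:01 10.0.0.5 A www.example.com
2017-03-01T10:00:02 10.0.0.5 A mail.example.com
2017-03-01T10:00:03 10.0.0.7 A www.example.com
2017-03-01T10:00:04 10.0.0.5 TXT 4f2a9c1e7b3d8e6a0f5c2b9d4e7a1c3f.cdn-sync.example
2017-03-01T10:00:09 10.0.0.5 TXT b7e1d3a9f0c4b2e8a6d5f1c7e3b9a0d2.cdn-sync.example
2017-03-01T10:00:14 10.0.0.5 TXT 9c3e5a7b1d0f2e4c6a8b0d2f4e6a8c1b.cdn-sync.example
2017-03-01T10:00:19 10.0.0.5 TXT e2b4d6f8a0c1e3b5d7f9a2c4e6b8d0f1.cdn-sync.example
2017-03-01T10:00:24 10.0.0.5 TXT 1a3c5e7b9d0f2a4c6e8b0d1f3a5c7e9b.cdn-sync.example
2017-03-01T10:00:25 10.0.0.7 A www.example.com
2017-03-01T10:00:30 10.0.0.5 A cdn-sync.example
"""


def shannon_entropy(text: str) -> float:
    """Bits per character of `text`; 0.0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_domain(qname: str) -> tuple:
    """Return (subdomain, base_domain).

    ASSUMPTION: the base domain is the last two labels. Production code should
    consult a public suffix list so that names like host.example.co.uk split correctly.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


@dataclass
class Alert:
    client: str
    domain: str
    score: int
    signals: list


def detect_dns_tunneling(log_text: str, min_score: int = 3) -> list:
    """Score each (client, base domain) pair and return the pairs that look like tunnels."""
    stats = defaultdict(lambda: {"subs": set(), "entropy": [], "length": [], "txt": 0, "total": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # ignore malformed lines rather than crash a detector
        _ts, client, qtype, qname = parts
        sub, base = split_domain(qname)
        if not sub:
            continue  # apex queries carry no tunnel payload
        s = stats[(client, base)]
        s["subs"].add(sub)
        s["entropy"].append(shannon_entropy(sub.replace(".", "")))
        s["length"].append(len(sub))
        s["total"] += 1
        if qtype.upper() == "TXT":
            s["txt"] += 1

    alerts = []
    for (client, base), s in stats.items():
        signals = []
        mean_entropy = sum(s["entropy"]) / s["total"]
        mean_length = sum(s["length"]) / s["total"]
        # Thresholds are illustrative; tune them against your own baseline traffic.
        if mean_entropy >= 3.0:
            signals.append(f"high label entropy ({mean_entropy:.2f} bits/char)")
        if mean_length >= 20:
            signals.append(f"long subdomains (mean {mean_length:.0f} chars)")
        if len(s["subs"]) >= 4:
            signals.append(f"{len(s['subs'])} distinct subdomains, consistent with random labels")
        if s["txt"] / s["total"] >= 0.5:
            signals.append(f"TXT lookups dominate ({s['txt']}/{s['total']})")
        if len(signals) >= min_score:
            alerts.append(Alert(client, base, len(signals), signals))
    return alerts


if __name__ == "__main__":
    for alert in detect_dns_tunneling(SAMPLE_DNS_LOG):
        print(f"[!] {alert.client} -> {alert.domain} (score {alert.score})")
        for signal in alert.signals:
            print(f"    - {signal}")
```

Requiring several independent signals rather than entropy alone keeps CDN and anti-spam hostnames (which also look random but are short-lived and not TXT-heavy) from flooding the alert queue; pairing the alert with a sinkhole for the flagged base domain covers the "DNS sinkholing" step the mitigation paragraph recommends.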


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.