Chinese Hackers Target Taiwan and US NGO with MgBot Malware

Jul 23, 2024 Newsroom Cyber Espionage / Chinese Hackers

Entities in Taiwan and a U.S. non-governmental organization (NGO) based in China have been targeted by a Beijing-affiliated state-sponsored hacking group known as Daggerfly, using an upgraded set of malware tools.

The campaign indicates that the group “also actively participates in internal espionage,” Symantec’s Threat Hunter Team, part of Broadcom, said in a report published today. “Within the breach on this organization, the attackers utilized a vulnerability in an Apache HTTP server to distribute their MgBot malware.”

Daggerfly, also tracked under the aliases Bronze Highland and Evasive Panda, was previously observed using the MgBot modular malware framework in an intelligence-gathering mission aimed at telecom service providers in Africa. The group is known to have been active since 2012.

“Daggerfly seems to possess the capability to adjust its toolset swiftly in response to exposure, allowing it to resume its espionage pursuits with minimal interruption,” the company noted.

The latest attacks are characterized by the use of a new malware family based on MgBot, as well as an improved version of a known Apple macOS malware called MACMA. MACMA was first documented by Google’s Threat Analysis Group (TAG) in November 2021, when it was delivered through watering hole attacks that targeted internet users in Hong Kong by exploiting security flaws in the Safari browser.

This marks the first time the malware variant, which is capable of harvesting sensitive data and executing arbitrary commands, has been explicitly linked to a specific hacking group.

“The individuals behind macOS.MACMA were at least reusing code from ELF/Android developers and could have been targeting Android phones with malware as well,” SentinelOne pointed out in a follow-up analysis at the time.

The link between MACMA and Daggerfly also rests on code overlaps between the malware and MgBot, and on the discovery that it connects to a command-and-control (C2) server (103.243.212[.]98) that has also been used by a MgBot dropper.
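As an added example (not code from the article, nor from Symantec or Broadcom), the following script shows how a defender might sweep a Zeek-style JSON conn.log for the shared C2 address. The only indicator taken from the page is 103.243.212[.]98; the log records are constructed for the demonstration. Two practical details are built in: the indicator is published defanged and must be refanged before use, and hosts are compared as parsed IP addresses rather than substrings, so a neighbouring address such as 103.243.212.9 does not produce a false positive.

```python
"""Match a defanged network indicator against Zeek-style conn.log records.

Added example (not code from the original article or from Symantec/Broadcom).
The indicator is the C2 address the article reports as shared by MACMA and a
MgBot dropper; the log lines below are constructed, not real traffic.
"""
import ipaddress
import json
import re

# Indicator exactly as reported (defanged with "[.]" so it is not clickable).
REPORTED_C2 = "103.243.212[.]98"

# Constructed sample conn.log in Zeek JSON format (assumed field names
# follow Zeek's id.orig_h / id.resp_h convention). Not real traffic.
SAMPLE_CONN_LOG = """\
{"ts":1721700000.1,"id.orig_h":"10.0.0.15","id.orig_p":51234,"id.resp_h":"103.243.212.98","id.resp_p":443,"proto":"tcp"}
{"ts":1721700001.2,"id.orig_h":"10.0.0.22","id.orig_p":51235,"id.resp_h":"142.250.74.46","id.resp_p":443,"proto":"tcp"}
{"ts":1721700002.3,"id.orig_h":"10.0.0.15","id.orig_p":51236,"id.resp_h":"103.243.212.9","id.resp_p":80,"proto":"tcp"}
{"ts":1721700003.4,"id.orig_h":"103.243.212.98","id.orig_p":4444,"id.resp_h":"10.0.0.30","id.resp_p":22,"proto":"tcp"}
"""


def refang(indicator: str) -> str:
    """Undo common defanging ("[.]", "(.)", "{.}", "hxxp") so the value is usable."""
    s = indicator.strip()
    s = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", s)
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return s


def match_conn_log(log_text: str, indicators) -> list:
    """Return conn.log records whose originator or responder host is an indicator.

    Hosts are compared as ip_address objects, so "103.243.212.9" does not
    match "103.243.212.98" the way a naive substring search would.
    """
    wanted = {ipaddress.ip_address(refang(i)) for i in indicators}
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        hosts = {ipaddress.ip_address(rec[k]) for k in ("id.orig_h", "id.resp_h")}
        if hosts & wanted:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in match_conn_log(SAMPLE_CONN_LOG, [REPORTED_C2]):
        print(hit["ts"], hit["id.orig_h"], "->", hit["id.resp_h"], hit["id.resp_p"])
```

Both directions are checked because the page describes the address as a C2 server: an outbound beacon from a host is the expected pattern, but an inbound connection from that address is equally worth flagging.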

Another new addition to its arsenal is Nightdoor (also known as NetMM and Suzafk), an implant that uses the Google Drive API for C2 and has been used in watering hole attacks aimed at Tibetan users since at least September 2023. Details of that activity were first documented by ESET earlier this March.

“The team is capable of producing variants of its tools to target a majority of leading operating system platforms,” Symantec said, adding that it has found evidence of the group’s ability to trojanize Android APKs, SMS interception tools, DNS request interception tools, and even malware families targeting the Solaris OS.

This development comes as China’s National Computer Virus Emergency Response Center (CVERC) claimed that Volt Typhoon – a China-linked espionage group attributed by the Five Eyes nations – is a fabrication of U.S. intelligence agencies, characterizing it as a disinformation campaign.

“While its primary targets are the U.S. Congress and American citizens, it also endeavors to tarnish China’s reputation, foster discord between China and other nations, restrict China’s progress, and steal from Chinese enterprises,” the CVERC asserted in a recent report.
