Chinese Hackers Target Taiwan and US NGO with MgBot Malware

July 23, 2024 | Newsroom | Cyber Espionage / Chinese Hackers

Organizations in Taiwan and a U.S. non-governmental organization (NGO) based in China have been targeted by a Beijing-affiliated state-sponsored hacking group known as Daggerfly, which deployed an upgraded set of malware tools.

The attack suggests that the group "also engages in internal espionage," according to a new report released today by Symantec's Threat Hunter Team, a division of Broadcom. In the intrusion against this organization, the attackers exploited a vulnerability in an Apache HTTP server to deliver their MgBot malware.

Daggerfly, also tracked as Bronze Highland and Evasive Panda, has previously been observed using the MgBot modular malware framework in an intelligence-gathering campaign against telecommunication service providers in Africa. The group has been active since 2012.


"Daggerfly appears to be capable of updating its toolset quickly to sustain its espionage activities with minimal disruption," the company said.

The latest series of attacks is characterized by the use of a new malware family based on MgBot and an improved version of a known Apple macOS malware called MACMA. MACMA was first documented by Google's Threat Analysis Group (TAG) in November 2021, when it was distributed through watering hole attacks against internet users in Hong Kong by exploiting security vulnerabilities in the Safari browser.

This marks the first time that the malware family, which can harvest sensitive data and execute arbitrary commands, has been directly attributed to a specific hacking group.

“Those responsible for macOS.MACMA were at least reusing code from ELF/Android developers and may have also been aiming at infecting Android devices with malware,” noted SentinelOne in an analysis conducted at that time.

The link between MACMA and Daggerfly stems from shared source code between the malware and MgBot, as well as MACMA's communication with a command-and-control (C2) server (103.243.212[.]98) that is also used by an MgBot dropper.

Another new addition to the group's arsenal is Nightdoor (also known as NetMM and Suzafk), an implant that uses the Google Drive API for C2 and has been used in watering hole attacks against Tibetan users since at least September 2023. ESET first detailed this activity in March of this year.

"The group is able to create versions of its tools targeting most major operating system platforms," Symantec said, pointing to evidence of trojanized Android APKs, SMS interception tools, DNS request interception tools, and several malware families targeting Solaris OS.

These developments come as China's National Computer Virus Emergency Response Center (CVERC) has claimed that Volt Typhoon, identified by Five Eyes nations as a China-linked espionage group, is in fact a fabrication of U.S. intelligence agencies, characterizing it as a disinformation campaign.

“Even though its primary targets are U.S. congress and American citizens, it also endeavors to tarnish China’s reputation, sow discord among China and other nations, curb China’s progress, and pilfer Chinese businesses,” stated the CVERC in a recent report.
