
Taiwanese organizations and US non-governmental organizations (NGOs) based in China have been targeted by a state-sponsored hacking group with ties to Beijing, Daggerfly, which is using an upgraded malware toolset.
The attack is evidence that the group “also engages in internal espionage operations,” a team of threat hunters at Symantec, a Broadcom subsidiary, said in a new report published today. “In the attack against this organization, the attackers exploited a vulnerability in Apache HTTP server to deliver the MgBot malware.”
Daggerfly, also known as Bronze Highland and Evasive Panda, has previously been seen using the MgBot modular malware framework in connection with intelligence gathering missions targeting telecommunications service providers in Africa and is known to have been active since 2012.

“Daggerfly appears to have responded to the exposure by quickly updating its toolset, allowing it to continue its espionage operations with minimal disruption,” the company noted.
The latest series of attacks features the use of a new malware family based on MgBot and an improved version of known Apple macOS malware, MACMA, which was first revealed by Google’s Threat Analysis Group (TAG) in November 2021 to have been delivered via a waterholing attack targeting internet users in Hong Kong by exploiting a security flaw in the Safari browser.
The development marks the first time that the malware strain, which is capable of collecting sensitive information and executing arbitrary commands, has been definitively linked to a specific hacking group.
“The attackers behind macOS.MACMA at least reused code from ELF/Android developers and may have targeted Android phones with the malware as well,” SentinelOne noted in a subsequent analysis at the time.
The connection between MACMA and Daggerfly also stems from source code overlaps between the malware and MgBot, and from the fact that it connects to a command-and-control (C2) server (103.243.212(.)98) that is also used by the MgBot dropper.
Another new addition to the group’s arsenal is Nightdoor (aka NetMM, Suzafk), an implant that uses the Google Drive API for C2 and has been used in watering hole attacks targeting users in Tibet since at least September 2023. Details of this campaign were first documented by ESET in early March of this year.
“The group is capable of producing versions of its tools targeting most major operating system platforms,” Symantec said, adding that it has “seen evidence of the ability to trojanize Android APKs, SMS interception tools, DNS request interception tools, and even a malware family targeting the Solaris OS.”
The move comes after China’s National Computer Virus Emergency Response Center (CVERC) claimed that Volt Typhoon, the name the Five Eyes countries use for a China-linked espionage group, was a US intelligence fabrication and a disinformation campaign.
“Their primary targets are the U.S. Congress and the American people, but they also seek to defame China, sow discord between China and other countries, curb China’s development, and plunder Chinese companies,” CVERC argued in a recent report.