A Beijing-linked state-sponsored hacking group known as Daggerfly has targeted organizations in Taiwan and a U.S. non-governmental organization (NGO) operating in China, deploying an upgraded suite of malware tools in its most recent campaign.
This sophisticated operation highlights the group’s engagement in internal espionage activities, as reported today by Symantec’s Threat Hunter Team, a division of Broadcom. Their analysis revealed that attackers exploited a vulnerability in an Apache HTTP server to distribute MgBot malware during an assault on these entities.
Daggerfly, which is also referred to as Bronze Highland or Evasive Panda, has been active since 2012 and has previously employed the MgBot modular malware framework in intelligence-gathering efforts, particularly against telecommunications providers in Africa.
Symantec emphasized that Daggerfly demonstrates a remarkable capacity for rapid adaptation, swiftly revising its toolset to sustain espionage operations with minimal hindrance. The latest attacks introduce a new family of malware based on MgBot and an enhanced version of MACMA, a malicious software for Apple macOS systems. This malware, initially uncovered by Google’s Threat Analysis Group in November 2021, was disseminated through watering hole attacks exploiting vulnerabilities in the Safari browser, primarily directed at internet users in Hong Kong.
This new information links the MACMA strain, capable of exfiltrating sensitive data and executing arbitrary commands, to Daggerfly for the first time. Further analysis by SentinelOne noted that the authors of MACMA appeared to reuse code from ELF/Android developers, suggesting a potential focus on malware specifically targeting Android devices as well.
Notably, overlaps in source code between MACMA and MgBot, along with connections to a command-and-control (C2) server previously utilized by the MgBot dropper, reaffirm the correlation to Daggerfly. The latest addition to the group’s arsenal includes Nightdoor (also identified as NetMM and Suzafk), an implant that leverages Google Drive API for command-and-control communication. Nightdoor has been implicated in watering hole attacks focused on Tibetan users since at least September 2023, with ESET documenting these activities earlier this month.
Symantec elaborated that Daggerfly’s capabilities extend across all major operating systems, citing evidence of the group’s ability to modify Android APKs and to develop tools for intercepting SMS messages and DNS requests, as well as tooling that targets Solaris OS.
This development occurs amidst China’s National Computer Virus Emergency Response Center (CVERC) asserting that Volt Typhoon, which Five Eyes nations have deemed a China-aligned espionage group, is allegedly a creation of U.S. intelligence agencies, framing the attribution as a misinformation effort. The CVERC’s report alleges that these efforts aim not only to undermine the U.S. Congress and citizens but also to exacerbate discord between China and other nations while impeding the country’s development and targeting its enterprises.
The tactics employed by Daggerfly can be mapped to the MITRE ATT&CK framework. Initial access likely relied on exploiting software vulnerabilities (as with the Apache HTTP server flaw noted above), while persistence and privilege escalation techniques may have been used to maintain control within the targeted networks.