Chinese APT Group Daggerfly Enhances Its Malware Arsenal

July 24, 2024

Chinese APT group Daggerfly, also known as Evasive Panda or Bronze Highland, has updated its malware toolkit with a new malware family and an enhanced version of the Macma macOS backdoor. The changes in the group's toolset are likely in response to the exposure of its older malware versions.

The group has used these updated tools in several recent attacks, targeting organizations in Taiwan and a U.S. NGO based in China, which indicates that the group also engages in domestic espionage. In these attacks, Daggerfly exploited a vulnerability in an Apache HTTP server to deliver its MgBot malware.

Daggerfly has been active for at least a decade, known for its use of the custom MgBot malware framework. In 2023, Symantec identified an intrusion by Daggerfly at an African telecom operator, where the group used new MgBot plugins. This incident underscores the group's continuous evolution in cyber espionage tactics.

The Macma macOS backdoor was first detailed by Google in 2021 and has been in use since at least 2019. At the time of its discovery, the malware was used in watering hole attacks involving compromised websites in Hong Kong. The attacks exploited the privilege escalation vulnerability CVE-2021-30869 to install Macma on macOS devices.

Macma is a modular backdoor with various functionalities, including device fingerprinting, executing commands, screen capture, keylogging, audio capture, and file uploading and downloading. Although Macma was widely used in cyber operations by nation-state actors, it was not linked to a specific group. However, Symantec has found evidence to suggest that it is part of the Daggerfly toolkit.

In addition to shared infrastructure, Macma and other malware in Daggerfly's arsenal, including MgBot, contain code from a single, shared library or framework. This library has been used to build threats targeting Windows, macOS, Linux, and Android platforms.

The group's toolkit also includes another malware family, Suzafk (aka 'NetMM', Nightdoor), which ESET researchers linked to Evasive Panda in March. Suzafk is a multi-stage backdoor that can use either TCP or OneDrive for C&C. The backdoor includes code from the al-khaser project, a public code repository that implements techniques for detecting virtual machines, sandboxes, and malware analysis environments, allowing the malware to evade analysis.

Daggerfly has demonstrated its ability to create versions of its tools for most major operating system platforms. In addition to the tools documented here, Symantec has seen evidence of the group's ability to Trojanize Android APKs, build SMS interception and DNS request interception tools, and even develop malware families targeting the Solaris OS. Daggerfly's agility in updating its toolset in response to exposure enables it to continue its espionage activities with minimal disruption.
