An In-depth Look into Daggerfly’s Tactics: Explores New Methods for Malware Deployment
Daggerfly, an infamous Chinese espionage group, has made headlines once again. Also known as Evasive Panda and Bronze Highland, the group is notable for the substantial technical advances in its revised malware toolkit. Symantec’s recent analysis reveals the extent to which this criminal collective can now infiltrate a wide range of major operating systems (OS).
The recent advancements in their framework suggest a concerted effort by the group to perform efficient, holistic attacks on Windows, Linux, macOS, and Android. These observations were made amid a flurry of new malware versions deployed against organizations in Taiwan and a US NGO operating in China.
Delving Into Daggerfly
Regarded as a determined Chinese APT group, Daggerfly has over ten years of experience carrying out covert activities both inside and outside China. The group is best known for creating and deploying the MgBot malware framework, a tool equipped with extensive information-gathering capabilities.
In its 2023 report, Symantec described a Daggerfly campaign targeting an African telecommunications organization, in which the group used new plugins developed within the MgBot malware framework. In March 2024, ESET drew attention to Daggerfly’s continuing campaigns against Tibetans in numerous countries and territories, citing the use of a previously undocumented backdoor named Nightdoor.
Daggerfly’s adaptability is most evident in its ability to update its toolkit swiftly after any public exposure, ensuring that its operations continue with minimal disruption.
Daggerfly’s Latest Arsenal Upgrades
According to Symantec, there is credible evidence that the macOS backdoor Macma was a Daggerfly creation. Although it was first documented by Google in 2021, the malware’s use can be traced back to 2019.
The backdoor offers a range of features for data exfiltration, including device fingerprinting, keylogging, screen and audio capture, command execution, and file upload and download. The updated version of Macma shows signs of new debugging functionality and contains updated modules embedded in its code.
The main module appears to have been substantially modified, particularly the AudioRecorderHelper feature, and now contains logic to collect a listing of the system’s files. Symantec attributes Macma to Daggerfly after observing two variants of the Macma backdoor connecting to a command-and-control (C&C) server that was also used by an MgBot dropper.
Along with Macma, Daggerfly malware such as MgBot contains code from a shared library or framework, which has been used to build threats for Windows, macOS, Linux, and Android.
Also noteworthy is Daggerfly’s use of the Windows backdoor Suzafk, originally documented as Nightdoor by ESET in March 2024. This multi-stage backdoor can use either TCP or OneDrive for C&C communication and shares a library with MgBot, Macma, and other Daggerfly tools. Researchers note that the OneDrive connection mechanism appears either to be still under development or to exist in other malware variants.
In line with the above findings, Symantec has uncovered evidence that Daggerfly can also Trojanize Android APKs, intercept SMS messages, intercept DNS requests, and target the Solaris OS with its malware families.