Daggerfly APT targets Taiwanese orgs and US NGO in China with upgraded malware arsenal


A Beijing-affiliated state-sponsored hacking group known as Daggerfly has launched a series of sophisticated attacks on organizations in Taiwan and a US non-governmental organization (NGO) operating in China, according to a new published report by Symantec's Threat Hunter Team, part of Broadcom.

The attackers exploited a vulnerability in an Apache HTTP server to deliver an upgraded version of the MgBot malware. Daggerfly, also known as Evasive Panda or Bronze Highland, has updated its toolkit following public exposure of its malware variants.

Among the new additions is a novel malware family based on the MgBot modular framework and an updated version of the Macma macOS backdoor. The Macma backdoor was previously disclosed by Google’s threat intelligence team, albeit without attribution to any specific threat actor. Now, Symantec has linked this malware to Daggerfly. The analysis shows that Macma and other Daggerfly malware, such as MgBot, share code from a common library used to build threats across various platforms, including Windows, macOS, Linux, and Android.

Macma implements various functionalities, including device fingerprinting, command execution, screen capture, keylogging, audio capture, and file uploading and downloading.

The malware was observed being distributed in watering hole attacks involving compromised websites in Hong Kong hosting exploits for iOS and macOS devices. Users of macOS devices were targeted with a privilege escalation vulnerability (CVE-2021-30869) which allowed the attackers to install Macma on vulnerable systems.

A new addition to Daggerfly's toolkit is the Windows backdoor known as Trojan.Suzafk, documented by ESET in March 2024 as Nightdoor (also known as NetMM). Suzafk, developed using the same shared library as MgBot and Macma, is a multi-staged backdoor capable of using TCP or OneDrive for command-and-control (C&C) communication.

“New findings provide a clearer picture of the capabilities and resources behind Daggerfly. The group can create versions of its tools targeting most major operating system platforms,” Symantec noted. “In addition to the tools documented here, Symantec has seen evidence of the ability to Trojanize Android APKs, SMS interception tools, DNS request interception tools, and even malware families targeting Solaris OS. Daggerfly appears to be capable of responding to exposure by quickly updating its toolset to continue its espionage activities with minimal disruption.”
