Prolific Chinese espionage group Daggerfly (aka Evasive Panda, Bronze Highland) has extensively updated its malware toolkit, expanding its ability to target most major operating systems (OS), according to an analysis by Symantec.
The latest developments suggest the group is using a shared framework that lets it effectively target Windows, Linux, macOS and Android.
The researchers observed the group deploying new malware versions in recent attacks against organizations in Taiwan and a US NGO based in China.
Daggerfly Explained
Daggerfly is a Chinese APT group that has been active for at least a decade, conducting espionage operations both internationally and domestically within China.
The group is primarily known for its development and use of the MgBot malware framework, which has a wide range of information-gathering capabilities.
In April 2023, Symantec reported on a Daggerfly campaign targeting a telecoms organization in Africa, in which the group used new plugins built with the MgBot malware framework.
In March 2024, ESET highlighted ongoing Daggerfly campaigns targeting Tibetans across several countries and territories. The researchers observed the group's use of a previously undocumented backdoor called Nightdoor.
"Daggerfly appears to be capable of responding to exposure by quickly updating its toolset to continue its espionage activities with minimal disruption," wrote Symantec in the new analysis, published on July 23, 2024.
Latest Updates to Daggerfly's Arsenal
Symantec said it has found evidence suggesting the macOS backdoor Macma was developed by Daggerfly. Macma was first documented by Google in 2021 but appears to have been in use since at least 2019.
Google's initial analysis highlighted that the modular backdoor has a range of functionality designed for data exfiltration, including device fingerprinting, command execution, screen capture, keylogging, audio capture, and uploading and downloading files.
A second version of Macma contains incremental updates to this existing functionality, including additional debug logging and updated modules in its appended data.
Its main module showed evidence of more extensive modification, including new logic to collect a file system listing and modified code in the AudioRecorderHelper feature.
Symantec attributed Macma to Daggerfly after observing two variants of the Macma backdoor connecting to a command-and-control (C&C) server that was also used by an MgBot dropper.
Additionally, Macma and other known Daggerfly malware, including MgBot, all contain code from a single shared library or framework, components of which have been used to build Windows, macOS, Linux and Android threats.
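The two attribution pivots Symantec describes (a C&C server shared with an MgBot dropper, and a code library shared across families) are the kind of overlap analysis a threat intelligence team automates. The following is an added example, not Symantec's tooling or any code from the report: it clusters a constructed set of samples by shared C&C host, optionally strengthened by a shared-library fingerprint, and reports which indicators link any two samples. All sample names, hosts and fingerprints are placeholders, not real IOCs.

```python
"""Infrastructure-overlap pivot: cluster malware samples that share a C&C
host or a code-library fingerprint. Added example; all data is constructed."""
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample metadata (NOT real IOCs). "c2" is the set of C&C hosts a
# sample connects to; "lib" is a hypothetical fingerprint (e.g. a hash of the
# statically linked shared library) extracted during analysis.
SAMPLES: Dict[str, Dict[str, object]] = {
    "macma_v1":      {"family": "Macma",  "c2": {"c2-a.example"},                 "lib": "sharedlib-h1"},
    "macma_v2":      {"family": "Macma",  "c2": {"c2-a.example", "c2-b.example"}, "lib": "sharedlib-h1"},
    "mgbot_dropper": {"family": "MgBot",  "c2": {"c2-a.example"},                 "lib": "sharedlib-h1"},
    "suzafk_win":    {"family": "Suzafk", "c2": {"c2-c.example"},                 "lib": "sharedlib-h1"},
    "unrelated":     {"family": "Other",  "c2": {"c2-z.example"},                 "lib": "otherlib-h9"},
}


def build_adjacency(samples: Dict[str, Dict[str, object]],
                    use_c2: bool = True,
                    use_lib: bool = False) -> Dict[str, Set[str]]:
    """Connect two samples when they share a C&C host and, if enabled, when
    they share a library fingerprint. Each indicator forms a clique."""
    by_c2: Dict[str, Set[str]] = defaultdict(set)
    by_lib: Dict[str, Set[str]] = defaultdict(set)
    for name, meta in samples.items():
        for host in meta["c2"]:
            by_c2[host].add(name)
        by_lib[meta["lib"]].add(name)

    adjacency: Dict[str, Set[str]] = {name: set() for name in samples}
    groups: List[Set[str]] = []
    if use_c2:
        groups.extend(by_c2.values())
    if use_lib:
        groups.extend(by_lib.values())
    for members in groups:
        for sample in members:
            adjacency[sample] |= members - {sample}
    return adjacency


def connected_components(adjacency: Dict[str, Set[str]]) -> List[Set[str]]:
    """Iterative DFS; each component is a set of samples linked transitively."""
    seen: Set[str] = set()
    components: List[Set[str]] = []
    for start in adjacency:
        if start in seen:
            continue
        component: Set[str] = set()
        stack = [start]
        while stack:
            node = stack.pop()
            if node in component:
                continue
            component.add(node)
            stack.extend(adjacency[node] - component)
        seen |= component
        components.append(component)
    return components


def cluster(samples: Dict[str, Dict[str, object]],
            use_c2: bool = True, use_lib: bool = False) -> List[List[str]]:
    """Return sorted clusters of samples joined by the chosen indicators."""
    comps = connected_components(build_adjacency(samples, use_c2, use_lib))
    return sorted(sorted(c) for c in comps)


def shared_indicators(samples: Dict[str, Dict[str, object]],
                      a: str, b: str) -> Dict[str, object]:
    """Explain a link: which C&C hosts two samples share and whether their
    library fingerprints match. Useful when writing up an attribution."""
    return {
        "c2": set(samples[a]["c2"]) & set(samples[b]["c2"]),
        "lib": samples[a]["lib"] == samples[b]["lib"],
    }


if __name__ == "__main__":
    print("C&C overlap only:", cluster(SAMPLES))
    print("C&C + shared library:", cluster(SAMPLES, use_lib=True))
    print("macma_v2 <-> mgbot_dropper:",
          shared_indicators(SAMPLES, "macma_v2", "mgbot_dropper"))
```

On the constructed data, C&C overlap alone joins the two Macma variants with the MgBot dropper (mirroring the pivot Symantec describes) but leaves Suzafk on its own; adding the shared-library fingerprint pulls Suzafk into the same cluster. The caveat a practitioner should keep in mind is that a hosting provider shared with unrelated tenants, or a widely reused third-party library, will create the same edges, so the specificity of each indicator has to be judged before a cluster is treated as attribution.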
The researchers also highlighted Daggerfly's use of the Windows backdoor Suzafk, which ESET first documented as Nightdoor in March 2024.
Suzafk is a multi-stage backdoor capable of using TCP or OneDrive for C&C. It was developed using the same shared library used in MgBot, Macma and various other Daggerfly tools.
The researchers observed a configuration indicating that the functionality to connect to OneDrive is in development or present in other variants of the malware.
In addition to the above tools, Symantec said it has seen evidence of Daggerfly's ability to Trojanize Android APKs, SMS interception tools, DNS request interception tools, and even malware families targeting the Solaris OS.