Daggerfly APT Group
A Beijing-affiliated state-sponsored hacking group known as Daggerfly has targeted organizations in Taiwan and a U.S. non-governmental organization (NGO) operating in China. They have employed an enhanced suite of malware tools in these attacks. This campaign indicates that the group also conducts internal espionage. During the attack on the NGO, the hackers exploited a vulnerability in an Apache HTTP server to deploy their MgBot malware.
The Threatening Arsenal of the Daggerfly APT (Advanced Persistent Threat) Group
Daggerfly, also known as Bronze Highland and Evasive Panda, has been using the MgBot modular malware framework for intelligence-gathering operations targeting telecom service providers in Africa since 2012. The group is skilled at swiftly updating its toolset in response to detection, allowing it to continue its espionage activities with minimal disruption.
The latest attacks involve a new malware family derived from MgBot and an enhanced version of MACMA, a macOS malware first identified in November 2021. MACMA was initially distributed through watering hole attacks exploiting vulnerabilities in Safari to target users in Hong Kong.
This marks the first explicit connection of MACMA to a specific hacking group, revealing its capability to harvest sensitive information and execute arbitrary commands. Evidence suggests that the creators of MACMA may have reused code from ELF/Android developers, potentially targeting Android devices as well.
MACMA's association with Daggerfly is further supported by overlaps in source code with MgBot and the fact that it communicates with a Command-and-Control (C2) server (103.243.212.98) also used by a MgBot dropper.
Additional Malware Threats Utilized by Daggerfly
Another addition to the group's arsenal is Nightdoor (also known as NetMM and Suzafk). This implant leverages the Google Drive API for Command-and-Control (C2) and has been used in watering hole attacks targeting Tibetan users since at least September 2023. This activity was first documented in March.
The group has demonstrated the capability to develop versions of its tools for major operating systems. Researchers have observed evidence of trojanized Android APKs, SMS interception tools, DNS request interception tools, and malware targeting Solaris OS.
How to Safeguard Your Devices from Malware Threats?
Protecting devices from malware threats requires a multifaceted approach that combines technology, best practices and user vigilance. Here are the best measures users should implement to safeguard their devices:
- Install and Regularly Update Anti-malware Software: Use reputable security software to detect and remove malware, and keep it fully up to date so it can recognize the latest threats. Additionally, enable real-time scanning so that files and downloads are checked continuously as they are accessed.
- Keep Operating Systems and Software Updated: Enable automatic updates for your operating system, browsers, and applications to receive the latest security patches promptly. If automatic updates are not accessible, regularly check for and install them manually to maintain security.
- Use Firewalls: Ensure the built-in firewall on your operating system is active to block unauthorized access. For additional protection, especially on home or business networks, consider using a hardware firewall.
- Practice Safe Browsing Habits: Avoid visiting websites that appear untrustworthy or have questionable content. Download software from reputable and official sources and avoid clicking on pop-ups or advertisements offering free downloads to minimize the risk of malware.
- Employ Strong Passwords and Two-Factor Authentication (2FA): Always use strong, unique passwords for each account and change them regularly. Enable 2FA to add another security layer, making it harder for potential hackers to gain access.
- Be Cautious with Email and Attachments: Be vigilant about phishing emails designed to trick you into disclosing personal information or downloading malware. Do not access email attachments or click on links from unknown or suspicious sources.
- Regularly Back Up Data: Regularly back up important data to an external hard drive or a cloud service, ensuring you can recover information in case of a malware attack. Periodically verify that your backups are complete and can be restored successfully.
- Use Ad Blockers and Anti-tracking Tools: Install ad blockers to reduce the risk of encountering fraudulent advertisements. Additionally, use browser extensions that block tracking scripts to protect your browsing data from being collected.
- Secure Your Network: Change all default usernames and passwords on your router and other network devices. Use strong encryption (WPA3 or WPA2) for your Wi-Fi network and disable WPS to enhance security.
- Educate Yourself and Others: Stay informed about the latest security threats and best practices. Educate family members or employees about safe online behaviors and potential threats to ensure everyone is aware and vigilant.
By applying these measures on all devices, users can significantly reduce the risk of malware infections and enhance their overall security.