Chinese Hackers Target Taiwan and US NGO with MgBot Malware

Organizations in Taiwan and a U.S. non-governmental organization (NGO) based in China have been targeted by a Beijing-affiliated state-sponsored hacking group named Daggerfly using an updated set of malware tools.

The activity suggests the group "also engages in internal espionage," Symantec's Threat Hunter Team, part of Broadcom, said in a new report published today. "In the attack on this organization, the attackers exploited a vulnerability in an Apache HTTP server to deliver their MgBot malware."

Daggerfly, also known by the names Bronze Highland and Evasive Panda, was previously observed using the MgBot modular malware framework in an intelligence-gathering campaign targeting telecom service providers in Africa. The group has been active since at least 2012.

"Daggerfly appears to be capable of responding to exposure by quickly updating its toolset to continue its espionage activities with minimal disruption," the company noted.

The latest set of attacks is characterized by the use of a new malware family based on MgBot as well as an improved version of a known Apple macOS malware called MACMA, which was first exposed by Google's Threat Analysis Group (TAG) in November 2021. At the time it was distributed via watering hole attacks targeting internet users in Hong Kong by abusing security flaws in the Safari browser.

The finding represents the first time the malware strain, which is capable of harvesting sensitive information and executing arbitrary commands, has been clearly attributed to a specific threat group.

"The actors behind macOS.MACMA at least were reusing code from ELF/Android developers and possibly could have also been targeting Android phones with malware as well," SentinelOne stated in a follow-up analysis at the time.

MACMA's connections to Daggerfly also derive from source code overlaps between the malware and MgBot, and from the fact that it connects to a command-and-control (C2) server (103.243.212[.]98) that has also been used by an MgBot dropper.
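The shared C2 address above is the kind of indicator a defender would sweep proxy or DNS logs for. The following is an added example, not code from the article or from Symantec: it refangs the published indicator (the `[.]` notation is used so the address is not clickable) and matches it as a whole IPv4 token against a few constructed proxy log lines, so that a longer address with the same prefix does not produce a false hit. The log format and the sample lines are assumptions for the sake of the example.

```python
import re

# The C2 indicator as published in the report, in defanged form.
DEFANGED_C2 = "103.243.212[.]98"

# Constructed sample proxy log lines (assumed format: timestamp client method target status).
# These are illustrative and not taken from any real capture.
SAMPLE_PROXY_LOG = [
    "2024-07-23T10:01:02Z 10.0.0.5 CONNECT 142.250.74.46:443 200",
    "2024-07-23T10:01:09Z 10.0.0.12 CONNECT 103.243.212.98:443 200",
    "2024-07-23T10:02:15Z 10.0.0.7 GET http://103.243.212.980/update 404",
    "2024-07-23T10:03:40Z 10.0.0.12 GET http://103.243.212.98/x/ 200",
]


def refang(ioc: str) -> str:
    """Reverse common defanging so the indicator can be matched in raw logs.

    Handles the '[.]' dot substitution and the 'hxxp' scheme substitution.
    """
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def build_ip_pattern(ip: str) -> re.Pattern:
    """Compile a pattern that matches the IP only as a whole dotted-quad token.

    The lookbehind/lookahead reject a neighbouring digit or dot, so
    103.243.212.98 does not match inside 103.243.212.980 or 1103.243.212.98.
    """
    return re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")


def find_c2_hits(log_lines, indicators):
    """Return a list of (line_number, defanged_indicator) for every matching line.

    Line numbers are 1-based so they can be quoted directly in a ticket.
    """
    patterns = {ioc: build_ip_pattern(refang(ioc)) for ioc in indicators}
    hits = []
    for line_no, line in enumerate(log_lines, start=1):
        for ioc, pattern in patterns.items():
            if pattern.search(line):
                hits.append((line_no, ioc))
    return hits


if __name__ == "__main__":
    for line_no, ioc in find_c2_hits(SAMPLE_PROXY_LOG, [DEFANGED_C2]):
        print(f"line {line_no}: contact with published C2 {refang(ioc)}")
```

Only lines 2 and 4 of the sample log should be reported; line 3 carries a different address that merely shares the prefix. The same `find_c2_hits` call can take any list of defanged addresses from a report, so a whole IOC block can be swept in one pass.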

Another new addition to its arsenal is Nightdoor (aka NetMM and Suzafk), an implant that uses the Google Drive API for C2 and has been deployed in watering hole attacks targeting Tibetan users since at least September 2023. ESET first documented the implant in March of this year.

"The group can create versions of its tools targeting most major operating system platforms," Symantec said, adding that it has "seen evidence of the ability to trojanize Android APKs, SMS interception tools, DNS request interception tools, and even malware families targeting Solaris OS."

The disclosure comes as China's National Computer Virus Emergency Response Center (CVERC) declared Volt Typhoon, which the Five Eyes nations have identified as a China-nexus espionage group, to be an invention of U.S. intelligence agencies, calling it a disinformation campaign.

"Although its main targets are U.S. congress and American people, it also attempt[s] to defame China, sow discords [sic] between China and other countries, contain China's development, and rob Chinese companies," the CVERC said in a recent report.