
Daggerfly APT Group Attacks Showcase Updated Tools


Overall these campaigns highlight a more detailed picture of Daggerfly’s capabilities and resources, particularly as it continues to evolve its tooling, said researchers.

A known APT espionage group has updated its toolset in a number of recent attacks against organizations in Taiwan, as well as a U.S. non-governmental organization in China.

The group, known as Daggerfly, has been around for at least a decade and was previously discovered targeting a telecommunications organization in Africa in a 2023 campaign that leveraged the MgBot malware. MgBot is a modular framework whose plugins provide network scanning, information theft from browsers such as Chrome and Firefox and from the QQ chat tool, keylogging, password dumping and other espionage capabilities.

This latest series of campaigns by Daggerfly, which exploited an unknown vulnerability in an Apache HTTP server for initial access, also includes MgBot, but this time the group has been using a new version of the previously discovered Macma macOS backdoor. Macma was discovered in 2021 as part of APT activity targeting Mac users visiting Hong Kong websites that supported pro-democracy activism. The backdoor has various features, including screen capture, audio recording, device fingerprinting and keylogging.

“While Macma is a previously documented threat, it had hitherto been of unknown authorship,” according to a new analysis by Symantec released Tuesday. “However, Symantec’s Threat Hunter Team has now found evidence suggesting that it is developed by Daggerfly.”

Researchers said the recent Macma variants illustrate ongoing development, including a different main module and updates to various existing functionalities. For instance, the main module has been updated to include modified code in the AudioRecorderHelper feature and new logic for collecting a file system listing.

“By and large we are seeing evidence of small, iterative updates to the malware that appear to be intended to improve its functionality and iron out bugs,” said Dick O’Brien, principal intelligence analyst with the Symantec Threat Hunter Team. “The updated main module appears to be the most significant update and will likely improve the quality of data they harvest from infected computers.”

They also found several clues allowing them to “confidently” link Macma to Daggerfly. For example, two variants of the Macma backdoor were connected to a command-and-control server also used by an MgBot dropper. In addition, Macma and known Daggerfly malware such as MgBot all contain code from a single shared library or framework, which has been used to build various Windows, macOS, Linux and Android threats.

“Symantec has yet to find any matching code in public repositories,” said researchers. “Shared code and shared infrastructure between Macma and other Daggerfly tools suggests that Macma is also part of the Daggerfly toolkit.”

Researchers also found the group using a recently discovered Windows backdoor, first documented by ESET researchers in March 2024. This backdoor has used OneDrive for its command-and-control communications. Overall, these campaigns paint a more detailed picture of Daggerfly’s capabilities and resources, particularly as it continues to evolve its tooling, said researchers. The threat group appears able to quickly update its toolset for espionage attacks with minimal disruption, they said.

“This group has demonstrated an ability to create malware capable of targeting multiple platforms,” said O’Brien. “We think it's very likely that they'll continue to broaden their toolset in this vein but continue with its narrow range of targeting.”