The China-linked APT group Daggerfly (aka Evasive Panda or Bronze Highland) has significantly updated its malware arsenal, adding a new malware family based on the MgBot framework and an updated Macma macOS backdoor.

“The Daggerfly (aka Evasive Panda, Bronze Highland) espionage group has extensively updated its toolset, introducing several new versions of its malware, most likely in response to exposure of older variants.” reads the report. “The new tooling was deployed in a number of recent attacks against organizations in Taiwan and a U.S. NGO based in China, which indicates the group also engages in internal espionage. In the attack on this organization, the attackers exploited a vulnerability in an Apache HTTP server to deliver their MgBot malware.”

The Macma macOS backdoor was first detailed by Google in 2021 and has been used since at least 2019. At the time of discovery, threat actors employed the malware in watering hole attacks involving compromised websites in Hong Kong. The watering hole attacks used exploits for iOS and macOS devices. Attackers exploited the privilege escalation vulnerability CVE-2021-30869 to install Macma on macOS devices.

The new variants used by Daggerfly implement the following additions/improvements:

“Suzafk is a multi-staged backdoor capable of using TCP or OneDrive for C&C. The malware contained the following configuration, indicating the functionality to connect to OneDrive is in development or present in other variants of the malware.” continues the report.
Pierluigi Paganini

(SecurityAffairs – hacking, Daggerfly)