Chinese hackers strike Taiwan, US NGO with malicious MgBot malware

July 24, 2024
1 min read



TLDR:

Chinese hackers affiliated with Beijing target organizations in Taiwan and a US NGO with an upgraded set of malware tools called MgBot. The group, known as Daggerfly, is also engaged in internal espionage, according to Symantec’s Threat Hunter Team. This attack exploited a vulnerability in an Apache HTTP server to deliver the malware. Daggerfly has been operational since 2012 and is adept at quickly updating its toolset to continue espionage activities with minimal disruption. The latest attacks include a new malware family based on MgBot and an improved version of Apple macOS malware called MACMA. This marks the first time MACMA has been linked to a specific hacking group.

Full Article:

Chinese hackers targeted organizations in Taiwan and a U.S. NGO with an upgraded set of malware tools called MgBot. The group responsible, known as Daggerfly, is affiliated with Beijing and is also engaged in internal espionage activities. According to Symantec’s Threat Hunter Team, the attackers exploited a vulnerability in an Apache HTTP server to deliver the MgBot malware.

Daggerfly, also known as Bronze Highland and Evasive Panda, has been observed using the MgBot malware framework in previous intelligence-gathering missions in Africa and has been operational since 2012. The group is capable of quickly updating its tools to continue espionage activities with minimal disruption.

The latest attacks by Daggerfly involve a new malware family based on MgBot and an improved version of the Apple macOS malware called MACMA. This is the first time that MACMA has been explicitly connected to a specific hacking group.

In addition to MACMA, Daggerfly has also introduced a new malware called Nightdoor, which uses the Google Drive API for command and control. Nightdoor has been utilized in watering hole attacks targeting Tibetan users since at least September 2023.

Symantec has noted that Daggerfly has the capability to create versions of its tools for targeting most major operating systems, including Android, Solaris, and DNS request interception tools.

This campaign comes amidst claims by China’s National Computer Virus Emergency Response Center (CVERC) that Volt Typhoon, a China-nexus espionage group attributed by Five Eyes nations, is actually an invention of U.S. intelligence agencies. The CVERC alleges that Volt Typhoon aims to defame China, sow discord between China and other countries, and contain China’s development.

Overall, the targeting of organizations in Taiwan and a U.S. NGO by Daggerfly underscores the ongoing cybersecurity threats posed by state-sponsored hacking groups and the need for enhanced defenses against such attacks.


Latest from Blog

EU push for unified incident report rules

TLDR: The Federation of European Risk Management Associations (FERMA) is urging the EU to harmonize cyber incident reporting requirements ahead of new legislation. Upcoming legislation such as the NIS2 Directive, DORA, and