Researchers have linked a previously unattributed Mac backdoor and a new Windows Trojan to a Chinese APT group known as Daggerfly that has been around for over a decade and targets organizations and individuals around the world. The group appears to be using the same modular malware development framework to create threats for Windows, Linux, macOS and Android.
In recent campaigns investigated by researchers from Broadcom’s Symantec Threat Hunting team, the APT group, also known in the security industry as Evasive Panda and Bronze Highland, targeted organizations from Taiwan and a US NGO based in China. The group has been in operation since 2012 and is highly capable, using a variety of attack techniques including watering hole web compromises, exploiting vulnerabilities and even trojanized software updates.
Earlier this year researchers from cybersecurity firm ESET reported that Evasive Panda targeted Tibetans through the compromised website of an important religious festival and through a supply-chain compromise involving Tibetan language translation software. Last year, Symantec researchers also reported a Daggerfly attack against a telecommunications company in Africa.
The group’s flagship malware implant for Windows since 2018 has been a custom modular backdoor program called MgBot with capabilities that can be extended with different plug-ins. However, it turns out that MgBot is just one of the backdoors that Daggerfly has developed using the same framework that powers MgBot.
The previously unattributed Macma macOS backdoor
Back in November 2021, researchers from Google’s Threat Analysis Group (TAG) reported a watering hole attack involving compromised websites in Hong Kong that were serving iOS and macOS exploits to visitors. The macOS attack chain exploited what was at the time a zero-day vulnerability to deliver a previously undocumented backdoor that Google TAG named Macma. Watering hole attacks are campaigns in which websites of interest to a target group are compromised; in this case the sites belonged to a media outlet and a prominent pro-democracy labor and political group, and the goal was to identify and spy on democracy supporters.
The Macma backdoor was capable of fingerprinting devices, performing screen captures, downloading files to and uploading files from the device, allowing attackers to execute terminal commands, recording audio and keylogging. Even though the malware was subsequently analyzed by multiple companies and researchers, it was not attributed to any particular APT group until now.
The Symantec researchers found recent versions of Macma that show continued development and improvement of various modules and features. Moreover, these newer variants connected to the same command-and-control (C&C) server as an MgBot implant and had code similarities suggesting they were developed with the same framework used to build MgBot.
“Macma and other known Daggerfly malware including MgBot all contain code from a single, shared library or framework,” the researchers said. “Elements of this library have been used to build Windows, macOS, Linux, and Android threats. Functionality provided by this library includes: threading and synchronization primitives, event notifications and timers, data marshaling and platform-independent abstractions (e.g. time).”
No code matching these shared elements has been identified in public libraries, which, together with the C&C server shared between Macma and MgBot, strongly suggests the framework was created by Daggerfly itself.
A new Windows backdoor
In addition to the new Macma variants, the Symantec team also found a new backdoor for Windows that was created with the same framework and is being used by the APT group. Symantec dubbed this backdoor Suzafk; a variant was also documented by ESET in March under the names Nightdoor and NetMM.
Suzafk connects to a command-and-control server and receives commands that are then executed locally through the Windows cmd.exe command-line interpreter. A set of basic reconnaissance commands, including ipconfig, systeminfo, tasklist and netstat, is built in and can be invoked directly by the operator.
The trojan can either talk to a C&C server directly over TCP or use a Microsoft OneDrive account as its command-and-control channel, which lets its traffic blend in with legitimate cloud-service connections. It also comes with a loader component responsible for establishing persistence via scheduled tasks; the loader includes code from al-khaser, a public repository of anti-analysis techniques, to detect execution inside virtual machines, sandboxes and malware analysis environments.
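The two behaviours above (discovery commands driven through cmd.exe, and a loader that persists via a scheduled task) are the kind of thing a detection engineer can hunt for in process-creation telemetry without relying on file hashes. The following is an added example written for this page, not Symantec's or ESET's code: it runs over a handful of constructed process-creation events and flags (a) a single cmd.exe parent running several distinct discovery commands within a short window, and (b) `schtasks /create` pointing at a binary outside the usual Windows and Program Files roots. The pipe-delimited log format, the 60-second window, the three-command threshold and the list of trusted roots are all assumptions chosen for the example.

```python
"""Hunt for Suzafk-style behaviour in process-creation events.

Added example, not Symantec's code. The event format, thresholds and
trusted roots below are assumptions; adapt them to your own telemetry.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Built-in discovery commands the report says Suzafk runs via cmd.exe.
DISCOVERY = {"ipconfig.exe", "systeminfo.exe", "tasklist.exe", "netstat.exe"}
WINDOW = timedelta(seconds=60)      # assumption: burst window
MIN_DISTINCT = 3                    # assumption: distinct commands to alert on

# Assumption: task actions outside these roots are worth a closer look.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
TR_ARG = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.I)


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    parent_pid: int
    parent_image: str
    image: str
    cmdline: str


def parse_line(line: str) -> ProcEvent:
    """Parse one constructed event: ts|host|ppid|parent_image|image|cmdline."""
    ts, host, ppid, pimage, image, cmdline = line.split("|", 5)
    return ProcEvent(datetime.fromisoformat(ts), host, int(ppid),
                     pimage.lower(), image.lower(), cmdline)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def find_discovery_bursts(events):
    """Return (host, parent_pid, commands) for each cmd.exe parent that ran
    at least MIN_DISTINCT distinct discovery commands inside WINDOW."""
    by_parent = defaultdict(list)
    for e in events:
        if e.parent_image.endswith("cmd.exe") and basename(e.image) in DISCOVERY:
            by_parent[(e.host, e.parent_pid)].append(e)
    hits = []
    for (host, ppid), evs in by_parent.items():
        evs.sort(key=lambda e: e.ts)
        for i, first in enumerate(evs):
            seen = {basename(e.image) for e in evs[i:] if e.ts - first.ts <= WINDOW}
            if len(seen) >= MIN_DISTINCT:
                hits.append((host, ppid, sorted(seen)))
                break
    return hits


def find_task_persistence(events):
    """Return (host, target) for schtasks /create whose /tr action lives
    outside TRUSTED_ROOTS, i.e. a user-writable location."""
    hits = []
    for e in events:
        if basename(e.image) != "schtasks.exe" or "/create" not in e.cmdline.lower():
            continue
        m = TR_ARG.search(e.cmdline)
        if not m:
            continue
        target = m.group(1) or m.group(2)
        if not target.lower().startswith(TRUSTED_ROOTS):
            hits.append((e.host, target))
    return hits


# Constructed sample telemetry (not real data). WS01 shows a discovery burst
# plus a task pointing into AppData; WS02 is sporadic admin use; WS03 is a
# benign task under Program Files.
LOG = r"""
2024-07-10T09:00:01|WS01|4120|C:\Windows\System32\cmd.exe|C:\Windows\System32\ipconfig.exe|ipconfig /all
2024-07-10T09:00:02|WS01|4120|C:\Windows\System32\cmd.exe|C:\Windows\System32\systeminfo.exe|systeminfo
2024-07-10T09:00:04|WS01|4120|C:\Windows\System32\cmd.exe|C:\Windows\System32\tasklist.exe|tasklist /v
2024-07-10T09:00:05|WS01|4120|C:\Windows\System32\cmd.exe|C:\Windows\System32\netstat.exe|netstat -ano
2024-07-10T09:00:10|WS01|4120|C:\Windows\System32\cmd.exe|C:\Windows\System32\schtasks.exe|schtasks /create /tn "OneDrive Update" /tr "C:\Users\alice\AppData\Roaming\svc\update.exe" /sc minute /mo 15 /f
2024-07-10T09:30:00|WS02|2200|C:\Windows\System32\cmd.exe|C:\Windows\System32\ipconfig.exe|ipconfig
2024-07-10T09:45:00|WS02|2200|C:\Windows\System32\cmd.exe|C:\Windows\System32\tasklist.exe|tasklist
2024-07-10T10:00:00|WS03|900|C:\Windows\explorer.exe|C:\Windows\System32\schtasks.exe|schtasks /create /tn Backup /tr "C:\Program Files\Acme\backup.exe" /sc daily
"""
EVENTS = [parse_line(l) for l in LOG.splitlines() if l.strip()]

if __name__ == "__main__":
    for host, ppid, cmds in find_discovery_bursts(EVENTS):
        print(f"[burst] {host} cmd.exe pid {ppid}: {', '.join(cmds)}")
    for host, target in find_task_persistence(EVENTS):
        print(f"[task]  {host} scheduled task runs {target}")
```

The burst rule deliberately keys on the parent cmd.exe rather than on any one command, since ipconfig or tasklist on their own are routine; WS02 above is not flagged for that reason. The task rule is a first-pass filter, not proof of compromise: legitimate software does occasionally schedule binaries under AppData, so the hit is a lead to triage against the hashes and IP addresses in Symantec's report rather than an alert in its own right.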
Symantec’s report includes indicators of compromise such as file hashes and IP addresses that can be used by security teams to build detections inside their networks. The researchers concluded that Daggerfly is a well-resourced and highly adaptable group.
“In addition to the tools documented here, Symantec has seen evidence of the ability to Trojanize Android APKs, SMS interception tools, DNS request interception tools, and even malware families targeting Solaris OS,” the researchers said. “Daggerfly appears to be capable of responding to exposure by quickly updating its toolset to continue its espionage activities with minimal disruption.”