Researchers have linked a previously unattributed Mac backdoor and a new Windows Trojan to a Chinese APT group known as Daggerfly that has been active for over a decade and targets organizations and individuals around the world. The group appears to be using the same modular malware development framework to create threats for Windows, Linux, macOS and Android.
In recent campaigns investigated by researchers from Broadcom's Symantec Threat Hunter team, the APT group, also known in the security industry as Evasive Panda and Bronze Highland, targeted organizations in Taiwan and a US NGO based in China. The group has been in operation since 2012 and is highly capable, using a variety of attack techniques including watering hole web compromises, vulnerability exploitation and even trojanized software updates.
Earlier this year researchers from cybersecurity firm ESET reported that Evasive Panda targeted Tibetans through the compromised website of an important religious festival and through a supply-chain compromise involving Tibetan language translation software. Last year, Symantec researchers also reported a Daggerfly attack against a telecommunications company in Africa.
The group's flagship malware implant for Windows since 2018 has been a custom modular backdoor called MgBot, whose capabilities can be extended with different plug-ins. However, it appears that MgBot is just one of several backdoors that Daggerfly has built on the same framework that powers MgBot.
The unattributed Macma macOS backdoor
Back in November 2021, researchers from Google's Threat Analysis Group (TAG) reported a watering hole attack involving compromised websites in Hong Kong that were serving iOS and macOS exploits to visitors. The macOS attack chain exploited what was then a zero-day vulnerability to deliver a previously undocumented backdoor that Google TAG named Macma. Watering hole attacks are campaigns in which specific websites of interest to a target group are compromised; in this case the targets were the websites of a media outlet and a prominent pro-democracy labor and political group, the goal being to identify and spy on democracy supporters.
The Macma backdoor was capable of fingerprinting devices, capturing the screen, downloading files to and uploading files from infected machines, executing terminal commands on behalf of the attackers, recording audio and keylogging. Although the malware was subsequently analyzed by several companies and researchers, it was not attributed to any particular APT group until now.
The Symantec researchers found recent versions of Macma that show continued development and improvement of various modules and features. Moreover, these newer variants connected to the same command-and-control (C&C) server as an MgBot implant and shared code similarities that suggest they were developed with the same framework used to build MgBot.