New Cyber Threats In The UK | Chinese Backed Daggerfly – Technologist

Daggerfly, also known as Evasive Panda and Bronze Highland, has extensively updated its malware toolkit to increase its ability to target most major operating systems. The latest analysis reveals that Daggerfly now uses a shared framework to effectively target Windows, Linux, macOS, and Android operating systems. This update signifies a significant escalation in the group’s capabilities, allowing it to conduct more sophisticated and far-reaching cyber espionage operations. This is just one of many new cyber threats in the UK which are causing havoc.

Recent Attacks and Observations

Researchers have observed new malware versions deployed in recent attacks against organisations in Taiwan and a US NGO based in China. These developments underscore the group’s ongoing commitment to enhancing its operational reach and effectiveness.

Daggerfly: A Decade of Espionage

Daggerfly is a Chinese APT (Advanced Persistent Threat) group that has been active for at least a decade, conducting espionage operations internationally and within China. The group is primarily known for developing and using the MgBot malware framework, which boasts a range of information-gathering capabilities. Notably, in April 2023, Symantec reported on a Daggerfly campaign targeting a telecom organisation in Africa, during which the group used new plugins created with the MgBot malware framework.

Campaigns and Tools

In March 2024, ESET highlighted ongoing Daggerfly campaigns targeting Tibetans across various countries and territories. The researchers observed the group’s use of a previously undocumented backdoor called Nightdoor. According to the report published on July 23, 2024, Daggerfly can quickly update its toolset in response to exposure, allowing it to continue its espionage activities with minimal disruption.

Macma and Other Tools

There is also evidence suggesting that the macOS backdoor Macma, first documented by Google in 2021, was developed by Daggerfly. The modular backdoor has a range of functionalities designed for data exfiltration, including device fingerprinting, executing commands, screen capture, keylogging, audio capture, and file uploading and downloading. A second version of Macma includes incremental updates, such as additional debug logging and updated modules in its appended data.

The main module of Macma exhibited extensive modifications, including new logic to collect a file’s system listing and modified code in the AudioRecorderHelper feature. Symantec has attributed Macma to Daggerfly after observing two variants of the Macma backdoor connected to a command-and-control (C&C) server also used by an MgBot dropper. Macma and other known Daggerfly malware, including MgBot, contain code from a single, shared library or framework, elements of which have been used to build threats targeting Windows, macOS, Linux, and Android systems.

Suzafk: A New Multi-Staged Backdoor

The researchers also highlighted Daggerfly’s use of the Windows backdoor Suzafk, which ESET first documented as Nightdoor in March 2024. Suzafk is a multi-staged backdoor that uses TCP or OneDrive for C&C. It was developed using the same shared library used in MgBot, Macma, and several other Daggerfly tools. Researchers observed a configuration indicating that the functionality to connect to OneDrive is in development or present in different malware variants.

New Cyber Threats in the UK Have Broader Capabilities

In addition to these tools, there is evidence of Daggerfly’s ability to Trojanize Android APKs, intercept SMS messages, intercept DNS requests, and develop malware targeting Solaris OS. This broad range of capabilities highlights the group’s sophisticated and versatile approach to cyber espionage.

So, what can we do about the new cyber threats in the UK?

Daggerfly’s continuous enhancement of its malware toolkit underscores the evolving nature of cyber threats posed by advanced persistent threat groups. Organisations must remain vigilant and adopt comprehensive cyber security measures to protect against such sophisticated attacks.

For help with protecting your business against malware and ransomware, speak to the dedicated cyber security department at Neuways. We are always here to help, and our team gets back to you quickly.

hello@neuways.com

01283 753333
