The espionage group Daggerfly updated its toolset with new malware versions likely to bypass detection, including a new malware family based on the MgBot framework and a new version of Macma macOS backdoor, which suggests that Daggerfly is the developer of Macma.
The attackers exploited a vulnerability in an Apache HTTP server to deliver MgBot malware in recent attacks targeting organizations in Taiwan and a U.S. NGO in China, indicating Daggerfly’s capability for both international and internal espionage.
Macma, a modular macOS backdoor first documented in 2021, was delivered through watering hole attacks that gained access via a privilege escalation vulnerability.
One variant contained a new main module with different configuration data, while another included incremental updates such as new logic for file system listing and modified audio recording functionality, which suggests that the threat actor continues to refine Macma’s capabilities.
A new variant of Macma was discovered, containing incremental updates and more extensive modifications, which include refreshed modules, adjusted file paths, and additional logging.
The main module exhibited significant changes, including new logic for file system listing using the Tree utility, updates to the AudioRecorderHelper feature, additional parameters, and a new file (param2.ini) likely for autoScreenCaptureInfo settings.
Another module contained modified code that allowed the operator to control the size of captured screenshots as well as their aspect ratio.
Symantec linked Macma backdoors to the Daggerfly APT group based on shared infrastructure and code. Two Macma variants used the same C&C server as an MgBot dropper, and both Macma and other Daggerfly malware (MgBot included) contained a common code library providing functionalities like threading and platform-independent abstractions.
This library used magic strings like “inp” and “tim” for communication, potentially within the same process. The presence of this unique library across different malware families suggests Macma is part of the Daggerfly toolkit.
The Daggerfly APT group is using a new backdoor, Trojan.Suzafk (aka Nightdoor), alongside its MgBot malware. Suzafk is a multi-stage backdoor capable of using OneDrive or TCP for C&C communication.
It leverages legitimate applications like DAEMON Tools Lite Helper to establish persistence and uses anti-analysis techniques to evade detection in sandboxes. The backdoor stores its configuration data XOR-encrypted under the C:\ProgramData\Office directory.
The malware configuration reveals communication details for the C&C server (103.96.131.150) and system reconnaissance functionality that retrieves local MAC addresses, while the sending of emails and network data is disabled (CMD_SEND_SN=0, SEND_EMAIL_NUM=0).
Established communication keys (BSK, PRK) with version 1 (VER=1) suggest active control, as the malware leverages the cmd.exe shell for command execution (ipconfig, systeminfo, tasklist, netstat) and potentially for information gathering.
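A defender's triage helper, added here and not part of the original write-up: it brute-forces single-byte XOR keys over a suspected Suzafk configuration blob and recognizes a hit by the configuration markers named above (VER=, CMD_SEND_SN=, SEND_EMAIL_NUM=, BSK=, PRK=), then extracts any IPv4 C&C address from the decoded values. The single-byte key, the KEY=VALUE line layout and the C2 key name are assumptions (the write-up does not describe the exact scheme), and the sample blob is constructed.

```python
import re
from typing import Optional

# Configuration markers named in the write-up for Trojan.Suzafk (Nightdoor).
MARKERS = (b"VER=", b"CMD_SEND_SN=", b"SEND_EMAIL_NUM=", b"BSK=", b"PRK=")

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (key length is an assumption, not from the write-up)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def try_decrypt(blob: bytes, min_markers: int = 2) -> Optional[tuple[int, bytes]]:
    """Try all 256 single-byte XOR keys; return (key, plaintext) for the first
    candidate that contains at least `min_markers` known markers, else None."""
    for key in range(256):
        candidate = xor_bytes(blob, bytes([key]))
        hits = sum(1 for m in MARKERS if m in candidate)
        if hits >= min_markers:
            return key, candidate
    return None

def parse_config(plaintext: bytes) -> dict[str, str]:
    """Parse KEY=VALUE lines into a dict (the line layout is an assumption)."""
    cfg: dict[str, str] = {}
    for line in plaintext.decode("latin-1").splitlines():
        if "=" in line:
            k, v = line.split("=", 1)
            cfg[k.strip()] = v.strip()
    return cfg

def extract_c2(cfg: dict[str, str]) -> list[str]:
    """Return every IPv4-looking value found in the decoded configuration."""
    ipv4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
    return sorted({ip for v in cfg.values() for ip in ipv4.findall(v)})

# Constructed sample: a plaintext config using the markers and values from the
# write-up, XOR-encrypted with an arbitrary key byte (0x5A). Not a real sample.
SAMPLE_PLAINTEXT = (b"VER=1\r\nBSK=constructed_bsk\r\nPRK=constructed_prk\r\n"
                    b"C2=103.96.131.150\r\nCMD_SEND_SN=0\r\nSEND_EMAIL_NUM=0\r\n")
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAINTEXT, b"\x5a")

def triage(blob: bytes = SAMPLE_BLOB) -> dict:
    """Decode a blob and summarize what a responder needs: key, C&C IPs, version."""
    result = try_decrypt(blob)
    if result is None:
        return {"matched": False}
    key, plaintext = result
    cfg = parse_config(plaintext)
    return {"matched": True, "key": key, "c2": extract_c2(cfg), "ver": cfg.get("VER")}
```

Point `triage()` at the raw bytes of a file recovered from the C:\ProgramData\Office path; a `matched` result with the page's C&C address is a strong triage signal, while no match only rules out the single-byte assumption.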