Chinese Hackers Target Taiwan and U.S. Nonprofits Using MgBot and MACMA Malware

Organizations in Taiwan and a U.S.-based non-governmental organization (NGO) in China have come under attack by Daggerfly, a state-sponsored hacking group affiliated with Beijing, which has employed an upgraded suite of malware tools.

According to a recent report by Symantec’s Threat Hunter Team, part of Broadcom, this campaign indicates that Daggerfly “also engages in internal espionage.” The attackers exploited a vulnerability in an Apache HTTP server to deploy their MgBot malware.

Daggerfly, also known as Bronze Highland and Evasive Panda, has been active since at least 2012. Previously, it was observed using the MgBot modular malware framework for intelligence operations targeting telecom service providers in Africa.

The latest attacks feature a new malware family derived from MgBot and an updated version of a macOS malware called MACMA. Initially identified by Google’s Threat Analysis Group (TAG) in November 2021, MACMA was distributed through watering hole attacks exploiting vulnerabilities in Safari to target users in Hong Kong.

This marks the first explicit link between MACMA and a specific hacking group. SentinelOne’s analysis suggested that the actors behind MACMA might also be reusing code from ELF/Android developers, hinting at potential targeting of Android devices as well.

MACMA’s association with Daggerfly is supported by code similarities between MACMA and MgBot, as well as the fact that both connect to the same command-and-control (C2) server (103.243.212[.]98).
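The shared C2 address above is the one concrete indicator the article gives a defender to work with. The following Python script is an added example (not code from Symantec, the article, or any of the malware families discussed): it refangs the defanged indicator as published, then scans log lines for exact matches of that address, rejecting near-misses such as a longer address that merely starts with the same digits. The log lines and the hxxp:// form of the indicator are constructed for the example.

```python
import re
from typing import Dict, List

# The only indicator taken from the article is the MgBot/MACMA C2 address
# 103.243.212[.]98 (published in defanged form). Any other values below are
# constructed for the example.
DEFANGED_IOCS = ["103.243.212[.]98"]

# Constructed proxy / firewall / DNS log lines. Line 3 carries a decoy
# address (103.243.212.981) that a naive substring search would match.
SAMPLE_LOG = [
    "2024-07-23T08:01:10Z proxy src=10.0.0.15 dst=142.250.72.14 method=GET status=200",
    "2024-07-23T08:02:41Z proxy src=10.0.0.15 dst=103.243.212.98 method=POST status=200",
    "2024-07-23T08:02:42Z fw action=allow src=10.0.0.22 dst=103.243.212.981 dport=443",
    "2024-07-23T08:03:05Z dns src=10.0.0.15 answer=103.243.212.98 qname=constructed.example",
]


def refang(indicator: str) -> str:
    """Convert common defanged notations ([.], (.), hxxp) back to a literal."""
    s = indicator.strip()
    for token in ("[.]", "(.)", "{.}"):
        s = s.replace(token, ".")
    # hxxp:// and hxxps:// are the usual defanged scheme spellings.
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s


def build_ip_pattern(ips: List[str]) -> "re.Pattern[str]":
    """Compile an exact-match pattern for a set of IPv4 literals.

    Lookarounds reject a digit or dot on either side, so 103.243.212.98
    does not match inside 103.243.212.981 or 1103.243.212.98.
    """
    alternatives = "|".join(re.escape(ip) for ip in ips)
    return re.compile(r"(?<![\d.])(?:%s)(?![\d.])" % alternatives)


def scan_log(lines: List[str], ips: List[str]) -> List[Dict[str, object]]:
    """Return one hit record per log line that contains a listed address."""
    pattern = build_ip_pattern(ips)
    hits: List[Dict[str, object]] = []
    for line_no, line in enumerate(lines, start=1):
        match = pattern.search(line)
        if match:
            hits.append({"line_no": line_no, "indicator": match.group(0), "entry": line})
    return hits


if __name__ == "__main__":
    refanged = [refang(i) for i in DEFANGED_IOCS]
    for hit in scan_log(SAMPLE_LOG, refanged):
        print("line %d matched %s: %s" % (hit["line_no"], hit["indicator"], hit["entry"]))
```

Because the match is anchored on both sides of the literal, the decoy on line 3 is ignored while the POST to the C2 address and the DNS answer resolving to it are both reported; in practice the indicator list would be loaded from a feed rather than hard-coded.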

Additionally, Daggerfly has introduced a new malware called Nightdoor (also known as NetMM and Suzafk), which uses the Google Drive API for C2 and has been involved in watering hole attacks targeting Tibetan users since at least September 2023. ESET first documented this activity earlier this March.

Symantec noted that the group can develop versions of its tools for most major operating systems, citing evidence of malware targeting Android APKs, SMS interception tools, DNS request interception tools, and even Solaris OS.

In related news, China’s National Computer Virus Emergency Response Center (CVERC) has claimed that Volt Typhoon—a hacking group attributed to China by the Five Eyes nations—is actually a creation of U.S. intelligence agencies, labeling it a misinformation campaign.

CVERC asserted that Volt Typhoon’s primary targets are U.S. Congress members and American citizens, aiming to defame China, create discord between China and other nations, hinder China’s development, and harm Chinese companies.
