Chinese Cyberespionage Group Expands Malware Arsenal
Symantec Traces 2021 Hong Kong Watering Hole Attacks to Daggerfly
Security researchers say they've traced a spate of backdoor attacks during 2021 against pro-democracy activists in Hong Kong to a Chinese cyberespionage group that has recently retooled its arsenal.
The group, tracked by the Symantec Threat Hunter Team as Daggerfly, is likely behind the previously unattributed Macma backdoor loaded onto iPhone and macOS devices. The likely state-backed threat actor delivered the malware through watering hole attacks targeting online visitors to a Hong Kong media outlet and a "prominent pro-democracy labor and political group," Google researchers said in 2021.
Hong Kong was the site of mass protests against Chinese authoritarianism from 2019 through 2020. Smaller-scale protests continued in 2021 despite the novel coronavirus pandemic and a police crackdown.
The hacking group, also tracked as Evasive Panda and Bronze Highland, is using new iterations of Macma that include improved screen capture functionality and new logic to collect a file system listing.
Symantec previously spotted Daggerfly attacking a "telecommunications organization" in Africa during 2023.
Threat intel researchers say they were able to link Macma with Daggerfly by identifying overlap with another known Daggerfly tool, the MgBot modular malware framework. Two variants of the Macma backdoor connected to a command-and-control server also used to drop MgBot. Both applications also contain code "from a single, shared library or framework."
The threat actors behind Daggerfly are also deploying a new Windows backdoor, dubbed Trojan.Suzafk or Nightdoor, first identified by Eset researchers earlier this year.
Suzafk, as Symantec tracks it, is a multistage backdoor capable of using either TCP or OneDrive for command-and-control communications. Its loader drops files such as Engine.dll and MeituUD.exe. MeituUD.exe is a legitimate application repurposed for malicious use, and Engine.dll sets up persistence through scheduled tasks and loads the final payload in memory.
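A hunting heuristic for the scheduled-task persistence pattern described above (a legitimate executable dropped beside a DLL outside the usual program directories), written here as an added example and not Symantec's or the article's own tooling. It assumes task records shaped like `schtasks /query /fo CSV /v` rows and a directory listing supplied as a dict; the trusted-path list, the environment-variable table and all sample data are constructed assumptions.

```python
import ntpath
import re

# Locations where scheduled-task executables are normally expected (assumption).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Minimal environment expansion for 'Task To Run' fields (assumption).
ENV = {"%windir%": "C:\\Windows", "%systemroot%": "C:\\Windows"}


def task_executable(task_to_run):
    """Return the executable path from a 'Task To Run' field, handling quoting and arguments."""
    s = task_to_run.strip()
    for var, val in ENV.items():
        s = re.sub(re.escape(var), lambda _m: val, s, flags=re.IGNORECASE)
    if s.startswith('"'):                 # quoted path, possibly containing spaces
        return s[1:s.index('"', 1)]
    return s.split()[0]                    # unquoted path, arguments follow whitespace


def is_trusted_location(exe_path):
    return exe_path.lower().startswith(TRUSTED_PREFIXES)


def find_suspicious_tasks(tasks, listing):
    """tasks: dicts with 'TaskName' and 'Task To Run'; listing: lower-cased directory ->
    set of lower-cased file names. Flags tasks whose executable sits outside trusted
    directories next to a DLL that the executable could load (as with Engine.dll and
    MeituUD.exe in the article). Returns [(task name, exe path, sorted DLL names)]."""
    findings = []
    for t in tasks:
        exe = task_executable(t["Task To Run"])
        if is_trusted_location(exe):
            continue
        dlls = sorted(f for f in listing.get(ntpath.dirname(exe).lower(), set())
                      if f.endswith(".dll"))
        if dlls:
            findings.append((t["TaskName"], exe, dlls))
    return findings


# Constructed sample data: one task mirroring the pattern in the article, three benign ones.
SAMPLE_TASKS = [
    {"TaskName": "\\MeituUpdate", "Task To Run": '"C:\\Users\\Public\\Meitu\\MeituUD.exe"'},
    {"TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "Task To Run": "%windir%\\system32\\defrag.exe -c -h -k -g"},
    {"TaskName": "\\Adobe Updater", "Task To Run": '"C:\\Program Files\\Adobe\\updater.exe" --silent'},
    {"TaskName": "\\OneDrive Standalone",
     "Task To Run": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe /update"},
]
SAMPLE_LISTING = {
    "c:\\users\\public\\meitu": {"meituud.exe", "engine.dll"},
    "c:\\windows\\system32": {"defrag.exe"},
    "c:\\program files\\adobe": {"updater.exe", "libcef.dll"},
    "c:\\users\\alice\\appdata\\local\\microsoft\\onedrive": {"onedrivestandaloneupdater.exe"},
}


def run_sample():
    return find_suspicious_tasks(SAMPLE_TASKS, SAMPLE_LISTING)
```

Only the task launching MeituUD.exe from a user-writable directory beside Engine.dll is reported; the Program Files task with a co-located DLL and the AppData task with no DLL are not.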