
Chinese Cyberespionage Group Expands Malware Arsenal

Symantec Traces 2021 Hong Kong Watering Hole Attacks to Daggerfly
A mass protest in Hong Kong on Jan. 1, 2020 (Image: Shutterstock)

Security researchers say they've traced a spate of backdoor attacks during 2021 against pro-democracy activists in Hong Kong to a Chinese cyberespionage group that has recently retooled its arsenal.


The group, tracked by the Symantec Threat Hunter Team as Daggerfly, is likely behind the previously unattributed Macma backdoor loaded onto iPhone and macOS devices. The likely state-backed threat actor delivered the malware through watering hole attacks targeting online visitors to a Hong Kong media outlet and a "prominent pro-democracy labor and political group," Google researchers said in 2021.

Hong Kong was the site of mass protests against Chinese authoritarianism from 2019 through 2020. Smaller-scale protests continued in 2021 despite the novel coronavirus pandemic and a police crackdown.

The hacking group, also tracked as Evasive Panda and Bronze Highland, is using new iterations of Macma that include improved screen capture functionality and new logic to collect a file system listing.

Symantec previously spotted Daggerfly attacking a "telecommunications organization" in Africa during 2023.

Threat intel researchers say they were able to link Macma with Daggerfly by identifying overlap with another known Daggerfly tool, the MgBot modular malware framework. Two variants of the Macma backdoor connected to a command-and-control server also used to drop MgBot. Both applications also contain code "from a single, shared library or framework."

The threat actors behind Daggerfly are also deploying a new Windows backdoor, dubbed Trojan.Suzafk or Nightdoor, first identified by Eset researchers earlier this year.

Suzafk, as Symantec tracks it, is a multistage backdoor capable of using either TCP or OneDrive for command-and-control communications. Its loader drops files such as Engine.dll and MeituUD.exe. MeituUD.exe is a legitimate application repurposed for malicious use, and Engine.dll sets up persistence through scheduled tasks and loads the final payload in memory.
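As an added detection example (not code from Symantec, Eset or this article), the checks below flag the two behaviours the paragraph describes in constructed endpoint telemetry: the repurposed MeituUD.exe loading Engine.dll from outside a normal install directory, and that same process registering a scheduled task. The JSON-lines event format, field names, paths and hostnames are assumptions made for the example.

```python
import json

# File names come from the article; the log format, trusted paths and hosts below are constructed.
HOST_APP = "meituud.exe"
SIDELOADED_DLL = "engine.dll"
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def is_sideload(ev):
    """The legitimate application loading Engine.dll from a non-install (typically user-writable) path."""
    if ev.get("type") != "image_load":
        return False
    proc = ev.get("image", "").lower()
    dll = ev.get("loaded", "").lower()
    return (proc.endswith("\\" + HOST_APP)
            and dll.endswith("\\" + SIDELOADED_DLL)
            and not dll.startswith(TRUSTED_DIRS))


def is_task_persistence(ev):
    """The same process creating a scheduled task, the persistence step the article attributes to Engine.dll."""
    return (ev.get("type") == "task_create"
            and ev.get("image", "").lower().endswith("\\" + HOST_APP))


def scan(jsonl):
    """Parse JSON-lines events and return {hostname: sorted stages observed} for hosts with any hit."""
    findings = {}
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        stage = "sideload" if is_sideload(ev) else "persistence" if is_task_persistence(ev) else None
        if stage:
            findings.setdefault(ev["host"], set()).add(stage)
    return {h: sorted(s) for h, s in findings.items()}


# Constructed sample telemetry: ws01 shows both stages; ws02 loads the DLL from a vendor install dir;
# ws03 is an unrelated scheduled-task creation. Only ws01 should surface.
SAMPLE_LOG = r"""
{"host": "ws01", "type": "image_load", "image": "C:\\Users\\a\\AppData\\Roaming\\MeituUD.exe", "loaded": "C:\\Users\\a\\AppData\\Roaming\\Engine.dll"}
{"host": "ws01", "type": "task_create", "image": "C:\\Users\\a\\AppData\\Roaming\\MeituUD.exe", "task": "\\Update"}
{"host": "ws02", "type": "image_load", "image": "C:\\Program Files\\Vendor\\MeituUD.exe", "loaded": "C:\\Program Files\\Vendor\\Engine.dll"}
{"host": "ws03", "type": "task_create", "image": "C:\\Windows\\System32\\svchost.exe", "task": "\\Microsoft\\Windows\\Maintenance"}
"""

if __name__ == "__main__":
    for host, stages in scan(SAMPLE_LOG).items():
        print(f"{host}: {', '.join(stages)}")
```

A host showing both stages is the strongest signal; the directory allow-list is a stand-in for whatever software inventory a real environment maintains.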


About the Author

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.



