The focus of these campaigns is on telecommunication companies, which are being targeted through the use of this spy tool.
It is believed that the MgBot framework is able to penetrate the networks of telecommunication companies and gain access to sensitive data, such as call records, text messages, and location data. This information can then be used for various purposes, including surveillance, monitoring, and potentially blackmail or other nefarious activities.
The emergence of the MgBot framework highlights the increasing sophistication of China’s spying capabilities and its willingness to employ them in pursuit of its strategic interests. It also underscores the need for heightened vigilance and security measures, particularly among telecommunication companies operating in Africa, to safeguard against potential cyber attacks and data breaches.
The Hackers Take Advantage of the Advanced Technology
Symantec has released a report stating that a group known as Daggerfly, suspected to be linked to China, has been engaged in cyber attacks on African telecommunications companies since November 2022. The group’s objective is to collect intelligence information.
The attack campaign, called Bronze Highland or Evasive Panda, utilizes plugins from a modular malware system called MgBot, which were previously undocumented. The attackers also took advantage of the PlugX bootloader and abused the legitimate remote desktop software AnyDesk for their malicious purposes.
Daggerfly employs a tactic called “Living off the Land” (LotL) during the attack process, which involves using BITSAdmin and PowerShell to deliver the next stage payload. This payload includes a genuine AnyDesk executable and a utility specifically designed to collect credentials.
The attacker then creates a local account and deploys the regularly updated MgBot framework, which includes various components such as an EXE-dropper, DLL-loader, and plug-ins. This enables the attacker to establish a persistent presence on the victim’s system.
Telecommunications companies have always been a prime target for spying campaigns due to the sensitive data they hold. Recent state-sponsored hacking groups have increasingly targeted these companies using sophisticated and persistent methods, such as the Daggerfly campaign in Africa, which used previously unknown malware frameworks and plugins to evade detection.
The potential impact of these espionage campaigns highlights the need for enhanced cybersecurity measures, such as advanced threat detection and response capabilities, employee training, and regular security assessments, to protect networks and sensitive data from evolving threats.