Telecommunication services providers in Africa are the target of a new campaign orchestrated by a China-linked threat actor at least since November 2022.
The intrusions have been pinned on a hacking crew tracked by Symantec as Daggerfly, and which is also tracked by the broader cybersecurity community as Bronze Highland and Evasive Panda.
The campaign makes use of “previously unseen plugins from the MgBot malware framework,” the cybersecurity company said in a report shared with The Hacker News. “The attackers were also seen using a PlugX loader and abusing the legitimate AnyDesk remote desktop software.”
Daggerfly’s use of the MgBot loader (aka BLame or MgmBot) was spotlighted by Malwarebytes in July 2020 as part of phishing attacks aimed at Indian government personnel and individuals in Hong Kong.
According to a profile published by Secureworks, the threat actor uses spear-phishing as an initial infection vector to drop MgBot as well as other tools like Cobalt Strike, a legitimate adversary simulation software, and an Android-based remote access trojan (RAT) named KsRemote.
The group is suspected to conduct espionage activities against domestic human rights and pro-democracy advocates and nations neighboring China as far back as 2014.
Attack chains analyzed by Symantec show the use of living-off-the-land (LotL) tools like BITSAdmin and PowerShell to deliver next-stage payloads, including a legitimate AnyDesk executable and a credential harvesting utility.
The threat actor subsequently moves to set up persistence on the victim system by creating a local account and deploys the MgBot modular framework, which comes with a wide range of plugins to harvest browser data, log keystrokes, capture screenshots, record audio, and enumerate the Active Directory service.
Defend with Deception: Advancing Zero Trust Security
Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!
Save My Seat!
“All of these capabilities would have allowed the attackers to collect a significant amount of information from victim machines,” Symantec said. “The capabilities of these plugins also show that the main goal of the attackers during this campaign was information-gathering.”
The all-encompassing nature of MgBot indicates that it’s actively maintained and updated by the operators to obtain access to victim environments.
The disclosure arrives almost a month after SentinelOne detailed a campaign called Tainted Love in Q1 2023 aimed at telecommunication providers in the Middle East. It was attributed to a Chinese cyberespionage group that shares overlaps with Gallium (aka Othorene).
Symantec further said it identified three additional victims of the same activity cluster that are located in Asia and Africa. Two of the victims, which were breached in November 2022, are subsidiaries of a telecom firm in the Middle East region.
“Telecoms companies will always be a key target in intelligence gathering campaigns due to the access they can potentially provide to the communications of end-users,” Symantec said.