New MgBot Malware Framework Plugins Target African Telecommunications Company

The Daggerfly (also known as Evasive Panda or Bronze Highland) advanced persistent threat (APT) group has recently deployed previously unseen plugins from the MgBot malware framework in a new campaign targeting an African telecommunications organization. Researchers from Symantec’s Threat Hunter Team have discovered multiple unique plugins associated with the MgBot modular malware framework on the victim’s network. Daggerfly’s development of these new plugins indicates an ongoing effort to enhance its malware and the tools used to target victim networks.

Suspicious AnyDesk connections on a Microsoft Exchange mail server in November 2022 were among the initial signs of malicious activity on the targeted victim network. Attackers utilized living-off-the-land tools, BITSAdmin and PowerShell, to download files onto victim systems, including the legitimate AnyDesk executable and the GetCredManCreds tool.

The adversaries retrieved usernames and passwords of web services stored in the credential manager and dumped the SAM (Security Account Manager), System, and Security hives of the Windows registry using PowerShell and the reg.exe tool. Daggerfly also created a local account to maintain access to victim systems.

MgBot is an actively maintained, well-designed modular framework composed of an MgBot EXE dropper, MgBot DLL Loader, and MgBot Plugins. During this campaign, the attackers deployed several unique plugins with various capabilities, including network scanning, information stealing, logging, Active Directory enumeration, password dumping, keylogging, screen and clipboard grabbing, Outlook and Foxmail credentials stealing, and audio capture.

The main goal of the attackers during this campaign appears to be information-gathering, as the capabilities of these plugins allowed the collection of a significant amount of data from victim machines.

Telecoms companies are often key targets in intelligence-gathering campaigns due to their potential access to end-users’ communications. Symantec’s Threat Hunter team has also observed recent activity targeting telecoms companies linked with moderate confidence to the threat actor Othorene (also known as Gallium). This activity appears to be a continuation of an intelligence-gathering campaign first reported on by SentinelOne under the name Operation Tainted Love in March, which targeted telecoms companies in the Middle East.

In the observed activity, Symantec found three additional victims of the same campaign that SentinelOne detailed, located in Asia and Africa. The attackers had been active on victim networks since November 2022, dumping credentials and scanning the network using NbtScan. The main malware in this campaign was used to dump credentials, and the attackers moved laterally across victims’ networks, using Scheduled Task for persistence, and dumped SAM and System hives from the registry.

The deployment of previously unseen MgBot malware framework plugins in Daggerfly’s recent campaign demonstrates the group’s ongoing commitment to refining its capabilities. Organizations, particularly those in the telecommunications sector, must remain vigilant and up-to-date on the latest threats to protect their networks and customer data.