1. Home
  2. Software
  3. MgBot

MgBot

MgBot is a modular malware framework exclusively associated with Daggerfly operations since at least 2012. MgBot was developed in C++ and features a module design with multiple available plugins that have been under active development through 2024.[1][2][3]

ID: S1146
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 25 July 2024
Last Modified: 10 October 2024
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

MgBot includes modules for identifying local administrator accounts on victim systems.[4]
.002 Account Discovery: Domain Account

MgBot includes modules for collecting information on Active Directory domain accounts.[4]
Enterprise T1123 Audio Capture

MgBot can capture input and output audio streams from infected devices.[2][4]
Enterprise T1115 Clipboard Data

MgBot can capture clipboard data.[2][4]
Enterprise T1555 Credentials from Password Stores

MgBot includes modules for stealing stored credentials from Outlook and Foxmail email client software.[2][4]
.003 Credentials from Web Browsers

MgBot includes modules for stealing credentials from various browsers and applications, including Chrome, Opera, Firefox, Foxmail, QQBrowser, FileZilla, and WinSCP.[2][4]
Enterprise T1213 Data from Information Repositories

MgBot includes a module capable of stealing content from the Tencent QQ database storing user QQ message history on infected devices.[2]
Enterprise T1005 Data from Local System

MgBot includes modules for collecting files from local systems based on a given set of properties and filenames.[2]
Enterprise T1025 Data from Removable Media

MgBot includes modules capable of gathering information from USB thumb drives and CD-ROMs on the victim machine given a list of provided criteria.[2]
Enterprise T1482 Domain Trust Discovery

MgBot includes modules for collecting information on local domain users and permissions.[4]
Enterprise T1056 .001 Input Capture: Keylogging

MgBot includes keylogger payloads focused on the QQ chat application.[2][4]
Enterprise T1046 Network Service Discovery

MgBot includes modules for performing HTTP and server service scans.[4]
Enterprise T1003 OS Credential Dumping

MgBot includes modules for dumping and capturing credentials from process memory.[4]
Enterprise T1057 Process Discovery

MgBot includes a module for establishing a process watchdog for itself, identifying if the MgBot process is still running.[4]
Enterprise T1018 Remote System Discovery

MgBot includes modules for performing ARP scans of local connected systems.[4]
Enterprise T1539 Steal Web Session Cookie

MgBot includes modules that can steal cookies from Firefox, Chrome, and Edge web browsers.[2]
Enterprise T1033 System Owner/User Discovery

MgBot includes modules for identifying local users and administrators on victim machines.[4]

Groups That Use This Software

ID Name References
G1034 Daggerfly

Daggerfly is uniquely associated with the use of MgBot since at least 2012.[2]

References

  1. Gabor Szappanos. (2014, February 3). Needle in a haystack. Retrieved July 25, 2024.
  2. Facundo Muñoz. (2023, April 26). Evasive Panda APT group delivers malware via updates for popular Chinese software. Retrieved July 25, 2024.
  1. Threat Hunter Team. (2024, July 23). Daggerfly: Espionage Group Makes Major Update to Toolset. Retrieved July 25, 2024.
  2. Threat Hunter Team. (2023, April 20). Daggerfly: APT Actor Targets Telecoms Company in Africa. Retrieved July 25, 2024.