MgBot

MgBot is a modular malware framework exclusively associated with Daggerfly operations since at least 2012. MgBot is written in C++ and features a modular design with multiple available plugins that have been under active development through 2024.[1][2][3]

ID: S1146
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 25 July 2024
Last Modified: 10 October 2024

Techniques Used

Domain ID Name Use
Enterprise T1087.001 Account Discovery: Local Account

MgBot includes modules for identifying local administrator accounts on victim systems.[4]

Enterprise T1087.002 Account Discovery: Domain Account

MgBot includes modules for collecting information on Active Directory domain accounts.[4]

Enterprise T1123 Audio Capture

MgBot can capture input and output audio streams from infected devices.[2][4]

Enterprise T1115 Clipboard Data

MgBot can capture clipboard data.[2][4]

Enterprise T1555 Credentials from Password Stores

MgBot includes modules for stealing stored credentials from Outlook and Foxmail email client software.[2][4]

Enterprise T1555.003 Credentials from Password Stores: Credentials from Web Browsers

MgBot includes modules for stealing credentials from various browsers and applications, including Chrome, Opera, Firefox, Foxmail, QQBrowser, FileZilla, and WinSCP.[2][4]

Enterprise T1213 Data from Information Repositories

MgBot includes a module capable of stealing content from the Tencent QQ database storing user QQ message history on infected devices.[2]

Enterprise T1005 Data from Local System

MgBot includes modules for collecting files from local systems based on a given set of properties and filenames.[2]

Enterprise T1025 Data from Removable Media

MgBot includes modules capable of gathering information from USB thumb drives and CD-ROMs on the victim machine given a list of provided criteria.[2]

Enterprise T1482 Domain Trust Discovery

MgBot includes modules for collecting information on local domain users and permissions.[4]

Enterprise T1056.001 Input Capture: Keylogging

MgBot includes keylogger payloads focused on the QQ chat application.[2][4]

Enterprise T1046 Network Service Discovery

MgBot includes modules for performing HTTP and server service scans.[4]

Enterprise T1003 OS Credential Dumping

MgBot includes modules for dumping and capturing credentials from process memory.[4]

Enterprise T1057 Process Discovery

MgBot includes a module that establishes a process watchdog for itself, checking whether the MgBot process is still running.[4]

Enterprise T1018 Remote System Discovery

MgBot includes modules for performing ARP scans of local connected systems.[4]

Enterprise T1539 Steal Web Session Cookie

MgBot includes modules that can steal cookies from Firefox, Chrome, and Edge web browsers.[2]

Enterprise T1033 System Owner/User Discovery

MgBot includes modules for identifying local users and administrators on victim machines.[4]

Groups That Use This Software

ID Name References
G1034 Daggerfly

Daggerfly is uniquely associated with the use of MgBot since at least 2012.[2]

References