Daggerfly Hackers Target Taiwan and U.S. NGO in Espionage Operation

A cyber espionage group, Daggerfly, also known as Bronze Highland and Evasive Panda, has recently targeted organizations in Taiwan and an NGO that is based in the US but works in China. The group has been in operation since at least 2012 and has used advanced malware such as MgBot and MACMA.
 
In its latest operation, Daggerfly targeted vulnerable Apache HTTP servers to deploy the MgBot malware, a complex tool capable of capturing keystrokes, copying clipboard contents, and receiving commands remotely. Both this malware and MACMA, which was previously known as MaaS malware associated with attacks on Hong Kong users, have now been connected to this group, showing its improved capacity.
 
Some of the attackers used software updates as a disguise, including updates for the well-known communication software Tencent QQ, which made the delivery fairly credible. This is presumed to be part of an elaborate plan to establish a foothold in the target organizations and exfiltrate classified information through persistent, long-term access, spanning the governmental, academic, and industrial domains as well as critical infrastructure.
 
Despite official Chinese statements that China does not conduct cyber espionage, the facts suggest that these attacks are planned and coordinated. The threat from state-affiliated cyber actors remains high because of their continued use of sophisticated tactics, such as using new software updates as entry points and exploiting vulnerabilities in existing systems. This situation underlines how crucial it is for organizations to strengthen their protections against such persistent and evolving threats.