Daggerfly: APT Actor Targets Telecoms Company in Africa

Symantec Threat Hunter details Daggerfly/MgBot activity targeting telecoms in Africa and Asia, highlighting a modular malware framework used for extensive information gathering. The campaign shows ongoing tool development, credential dumping, AD enumeration, and lateral movement with links to Othorene/Gallium and Operation Tainted Love. Hashtags: #MgBot #Daggerfly #Othorene #Gallium #OperationTaintedLove #telecoms

Keypoints

  • MgBot is a modular malware framework with components: MgBot Dropper, MgBot DLL Loader, and MgBot Plugins.
  • Unique plugins provide extensive information collection capabilities (e.g., network scanning, browser data harvesting, keylogging, screen/clipboard capture, and AD enumeration).
  • Active AD discovery and credential dumping are highlighted, including dumps of SAM/System hives and password-related data.
  • Attacker activity shows lateral movement, persistence via Scheduled Tasks, and potential domain controller access, suggesting deep network infiltration.
  • Telecoms firms are a consistent target; the activity is tied to Othorene (Gallium), with possible links to APT41, and to a campaign observed since 2022 that overlaps with Operation Tainted Love.
  • Symantec notes continued development of tools and new plugins by Daggerfly, reinforcing their information-gathering focus.

MITRE Techniques

  • [T1046] Network Service Scanning – The network scanner plugin performed arp/HTTP scanning and server-type identification (‘…Capabilities include: arp scan, http scan, determining the type of server (e.g. SQL, WebLogic, Redis, etc.)’).
  • [T1003] Credential Dumping – The main malware dumped credentials, including SAM and System hives from the registry, illustrating OS credential dumping (‘Dump SAM and System hives from the registry’).
  • [T1053.005] Scheduled Task – The campaign used Scheduled Task for persistence (‘Scheduled Task for persistence’).
  • [T1021] Remote Services / Lateral Movement – The actors moved laterally across victims’ networks (‘moved laterally across victims’ networks’).
  • [T1056.001] Keylogging – QQ Keylogger targets QQEdit.exe and QQ.exe processes (‘Keylogger that targets QQEdit.exe and QQ.exe processes.’).
  • [T1115] Clipboard Data – The screen/clipboard grabber captures clipboard and drag/drop data (‘Captures clipboard and drag and drop data and saves it to a file.’).
  • [T1113] Screen Capture – Screen-related grabbing capability indicated by ‘Screen and clipboard grabber’ tooling, with associated data capture described above.
  • [T1555.003] Credentials in Email Clients – Outlook and Foxmail credentials stealer (‘Outlook and Foxmail credentials stealer – maillfpassword.dll’).
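
As an added illustration (not code from the Symantec report), a small Python triage routine that flags Sysmon-style process-creation events for behaviours the techniques above describe: SAM/System hive saves via reg.exe (T1003), schtasks-based persistence (T1053.005), and file names taken from the report's indicator list. The event records are constructed samples, not real telemetry, and the field names follow the Sysmon convention (Image, ParentImage, CommandLine).

```python
import re
from typing import Dict, List

# Constructed Sysmon-style process-creation records (sample data, not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save HKLM\SAM C:\Users\Public\sam.hiv",
     "ParentImage": r"C:\Windows\Temp\pc.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 10 /tn Update /tr "rundll32 C:\ProgramData\aasrvd.dll,Run"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg query HKLM\Software\Microsoft\Windows\CurrentVersion",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# File names named in the report's indicator list (a subset, matched case-insensitively).
IOC_FILENAMES = {"pc.exe", "rpc.exe", "get.exe", "pc.dll", "rpc.dll", "aasrvd.dll",
                 "pmsrvd.dll", "gethashflsa64.dll", "maillfpassword.dll"}

# T1003: registry hive export of the credential-bearing hives.
HIVE_DUMP = re.compile(r"reg(?:\.exe)?\s+save\s+HKLM\\(?:SAM|SYSTEM|SECURITY)\b", re.I)
# T1053.005: scheduled task creation from the command line.
TASK_CREATE = re.compile(r"schtasks(?:\.exe)?\s+/create\b", re.I)


def basenames(event: Dict[str, str]):
    """Yield every .exe/.dll name mentioned in the image, parent and command line."""
    for field in ("Image", "ParentImage", "CommandLine"):
        for token in re.findall(r"[\w.-]+\.(?:exe|dll)", event.get(field, ""), re.I):
            yield token.lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the technique IDs / indicator tags an event matches (empty if benign)."""
    hits = []
    cmd = event.get("CommandLine", "")
    if HIVE_DUMP.search(cmd):
        hits.append("T1003")
    if TASK_CREATE.search(cmd):
        hits.append("T1053.005")
    if IOC_FILENAMES & set(basenames(event)):
        hits.append("IOC-filename")
    return hits


def triage(events) -> Dict[int, List[str]]:
    """Map event index -> matched tags, dropping events that matched nothing."""
    results = {i: classify(e) for i, e in enumerate(events)}
    return {i: h for i, h in results.items() if h}
```

A `reg save` of HKLM\SAM by itself is noisy on backup hosts; the indicator-filename tag on the parent process is what raises the first event from "investigate" to "act".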

Indicators of Compromise

  • [File Hash] – MgBot Dropper and related components (example): c89316e87c5761e0fc50db1214beb32a08c73d2cad9df8c678c8e44ed66c1dab, 90e15eaf6385b41fcbf021ecbd8d86b8c31ba48c2c5c3d1edb8851896f4f72fe, and 2 more hashes.
  • [File Hash] – MgBot – aasrvd.dll, pmsrvd.dll (example): 706c9030c2fa5eb758fa2113df3a7e79257808b3e79e46869d1bf279ed488c36, 017187a1b6d58c69d90d81055db031f1a7569a3b95743679b21e44ea82cfb6c7.
  • [File Hash] – MgBot Plugins (example hashes): cb8aede4ad660adc1c78a513e7d5724cac8073bea9d6a77cf3b04b019395979a, 2dcf9e556332da2a17a44dfceda5e2421c88168aafea73e2811d65e9521c715c.
  • [File Hash] – Othorene main components (example): 3f75818e2e43a744980254bfdc1225e7743689b378081c560e824a36e0e0a195 (pc.exe, rpc.exe); 1b8500e27edc87464b8e5786dc8c2beed9a8c6e58b82e50280cebb7f233bcde4 (get.exe); 03bc62bd9a681bdcb85db33a08b6f2b41f853de84aa237ae7216432a6f8f817e (pc.dll).
  • [File Hash] – Additional Othorene indicators (example): ae39ced76c78e7c2043b813718e3cd610e1a8adac1f9ad5e69cf06bd6e38a5bd, f6f6152db941a03e1f45d52ab55a2e3d774015ccb8828533654e3f3161cfcd21.
  • [File Name] – Main malware and related components: pc.exe, mim221, rpc.dll, getHashFlsa64.dll, and 20+ additional files listed in the Indicators section.

Read more: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt-attacks-telecoms-africa-mgbot