Symantec reports a Daggerfly intrusion against an African telecom operator involving new MgBot-related plugins and a heavily updated Macma macOS backdoor. The campaign expands C2 options to TCP or cloud-based OneDrive, introduces multi-stage tools (including Suzafk) and cross-platform capabilities, and shows ongoing development across Mac, Linux, and other targets.
#Macma #Nightdoor #NetMM #Suzafk #Daggerfly #MgBot #OneDrive #C2 #Android #Solaris #Linux
#Macma #Nightdoor #NetMM #Suzafk #Daggerfly #MgBot #OneDrive #C2 #Android #Solaris #Linux
Keypoints
- Daggerfly has updated its toolset, including a heavily revised Macma macOS backdoor with new modules, configuration data, and extended capabilities.
- Macma variants introduce updated modules, file paths, debug logging, and new features such as system discovery, audio/video capture, and screen capture.
- Suzafk is a multi-staged backdoor that can use TCP or OneDrive for command-and-control, with configurations showing cloud-based and local C2 options.
- The loader Engine.dll and MeitUD.exe play roles in persistence (via scheduled tasks) and loading final payloads in memory.
- Daggerfly is increasingly multi-platform, with evidence of Android APK trojanizing, DNS interception, and even Solaris-targeted malware, indicating rapid adaptation to exposure.
- The group has connections to previously seen components and libraries (Nightdoor/NetMM) and uses shared code with Mgbot, Macma, Suzafk, and others.
- Symantec provides protection guidance via its Protection Bulletin; indicators of compromise include specific MACMA/MgBot/Suzafk hashes, IPs, and OneDrive/TCP C2 configurations.
MITRE Techniques
- [T1059] Command and Scripting Interpreter – “creates a cmd.exe shell to send and receive commands from the C&C server (103.96.131.150) via open pipes.”
- [T1053] Scheduled Task – “loader (Engine.dll and MeitUD.exe) … sets persistence via scheduled tasks”
- [T1027] Obfuscated/Compressed Files and Information – “network configuration data … XOR encrypted with the key 0x7A.”
- [T1005] Data from Local System – “New logic to collect a file’s system listing, with the new code based on Tree, a publicly available Linux/Unix utility.”
- [T1016] System Network Configuration Discovery – “stores additional network configuration data under the C:ProgramDataOfficesysmgr file XOR encrypted with the key 0x7A.”
- [T1113] Screen Capture – “Screen capture” as part of Macma functionality.
- [T1123] Audio Capture – “Audio capture” functionality in Macma.
- [T1056.001] Keylogging – “Keylogging.”
- [T1105] Ingress Tool Transfer – “Uploading and downloading files.”
- [T1102] Web Service – “capable of using TCP or OneDrive for C&C.”
Indicators of Compromise
- [SHA256] Macma main module – 003764fd74bf13cff9bf1ddd870cbf593b23e2b584ba4465114023870ea6fbef, 1f5e4d2f71478518fe76b0efbb75609d3fb6cab06d1b021d6aa30db424f84a5e, and 2 more hashes
- [SHA256] Macma component user agent – 570cd76bf49cf52e0cb347a68bdcf0590b2eaece134e1b1eba7e8d66261bdbe6, fce66c26deff6a5b7320842bc5fa8fe12db991efe6e3edc9c63ffaa3cc5b8ced
- [SHA256] Suzafk dropper – 5687b32cdd5c4d1b3e928ee0792f6ec43817883721f9b86ec8066c5ec2791595, 49079ea789e75736f8f8fad804da4a99db52cbaca21e1d2b6d6e1ea4db56faad
- [SHA256] Suzafk DLL – 49079ea789e75736f8f8fad804da4a99db52cbaca21e1d2b6d6e1ea4db56faad
- [SHA256] Linux malware with Daggerfly library – 4c3b9a568d8911a2a256fdc2ebe9ff5911a6b2b63c7784da08a4daf692e93c1a, ef9aebcd9022080189af8aa2fb0b6594c3dfdc862340f79c17fb248e51fc9929
- [IP] Macma and MgBot C2 server – 103.243.212.98
- [IP] Suzafk C2 server – 103.96.131.150
- [IP] MgBot C2 server – 103.96.128.44
- [URL] Suzafk download URLs – http://103.96.131.150:19876/30_1410402971.exe, http://103.96.131.150:19876/30_1292836936.exe
- [File] com.USAgent.mv.plist – Macma component
- [File] Engine.dll – loader DLL
- [File] MeitUD.exe – MeituUD.exe related to Daemon Tools Helper