Daggerfly

Daggerfly is a People's Republic of China-linked APT entity active since at least 2012. Daggerfly has targeted individuals, government and NGO entities, and telecommunication companies in Asia and Africa. Daggerfly is associated with exclusive use of MgBot malware and is noted for several potential supply chain infection campaigns.(Citation: Symantec Daggerfly 2023)(Citation: ESET EvasivePanda 2023)(Citation: Symantec Daggerfly 2024)(Citation: ESET EvasivePanda 2024)
ID: G1034
Associated Groups: BRONZE HIGHLAND, Evasive Panda
Version: 1.0
Created: 25 Jul 2024
Last Modified: 31 Oct 2024

Associated Group Descriptions

Name Description
BRONZE HIGHLAND (Citation: Symantec Daggerfly 2023)(Citation: ESET EvasivePanda 2024)
Evasive Panda (Citation: Symantec Daggerfly 2023)(Citation: ESET EvasivePanda 2024)

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Daggerfly uses HTTP for command and control communication.(Citation: ESET EvasivePanda 2024)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Daggerfly used PowerShell to download and execute remote-hosted files on victim systems.(Citation: Symantec Daggerfly 2023)

Enterprise T1584 .004 Compromise Infrastructure: Server

Daggerfly compromised web servers hosting updates for software as part of a supply chain intrusion.(Citation: ESET EvasivePanda 2024)

Enterprise T1136 .001 Create Account: Local Account

Daggerfly created a local account on victim machines to maintain access.(Citation: Symantec Daggerfly 2023)

Enterprise T1587 .002 Develop Capabilities: Code Signing Certificates

Daggerfly created code signing certificates to sign malicious macOS files.(Citation: ESET EvasivePanda 2024)

Enterprise T1574 .001 Hijack Execution Flow: DLL

Daggerfly has used legitimate software to side-load PlugX loaders onto victim systems.(Citation: Symantec Daggerfly 2023) Daggerfly is also linked to multiple other instances of side-loading for initial loading activity.(Citation: ESET EvasivePanda 2024)

Enterprise T1036 .003 Masquerading: Rename Legitimate Utilities

Daggerfly used a renamed version of rundll32.exe, such as "dbengin.exe" located in the `ProgramData\Microsoft\PlayReady` directory, to proxy malicious DLL execution.(Citation: Symantec Daggerfly 2023)

Enterprise T1003 .002 OS Credential Dumping: Security Account Manager

Daggerfly used Reg to dump the Security Account Manager (SAM) hive from victim machines for follow-on credential extraction.(Citation: Symantec Daggerfly 2023)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Daggerfly has attempted to use scheduled tasks for persistence in victim environments.(Citation: ESET EvasivePanda 2024)

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Daggerfly has used signed, but not notarized, malicious files for execution in macOS environments.(Citation: ESET EvasivePanda 2024)

Enterprise T1195 .002 Supply Chain Compromise: Compromise Software Supply Chain

Daggerfly is associated with several supply chain compromises using malicious updates to compromise victims.(Citation: ESET EvasivePanda 2023)(Citation: ESET EvasivePanda 2024)

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

Daggerfly proxied execution of malicious DLLs through a renamed rundll32.exe binary.(Citation: Symantec Daggerfly 2023)
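Detection logic covering the renamed rundll32.exe in the PlayReady directory (T1036.003, T1218.011) and the Reg SAM-hive dump (T1003.002) described above, written here as an added example and not part of the ATT&CK entry. The event dicts are constructed to resemble Sysmon Event ID 1 fields, and the regular expression for the hive dump is an assumption about how such a command line appears.

```python
"""Flag Daggerfly behaviours from this entry in process-creation telemetry (added example)."""
import ntpath
import re

# Constructed sample events (not real telemetry); field names follow Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},                      # benign
    {"Image": r"C:\ProgramData\Microsoft\PlayReady\dbengin.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"dbengin.exe C:\ProgramData\Microsoft\PlayReady\loader.dll,Start"},  # renamed
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r"reg save HKLM\SAM C:\Users\Public\sam.hiv"},                   # hive dump
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r"reg query HKLM\Software\Microsoft\Windows\CurrentVersion"},    # benign
]

# reg.exe subcommands that write a hive to disk, aimed at the SAM key (assumed pattern).
SAM_DUMP_RE = re.compile(r"\b(save|export)\b.*\bHKLM\\SAM\b", re.IGNORECASE)
# Directory named in the Symantec report for the renamed rundll32 binary.
PLAYREADY_DIR = r"\programdata\microsoft\playready"

def renamed_rundll32(event):
    """PE version resource says rundll32.exe, but the on-disk file name differs."""
    original = event.get("OriginalFileName", "").lower()
    image_name = ntpath.basename(event.get("Image", "")).lower()
    return original == "rundll32.exe" and image_name != "rundll32.exe"

def sam_hive_dump(event):
    """reg.exe invoked with save/export against HKLM\\SAM."""
    image_name = ntpath.basename(event.get("Image", "")).lower()
    return image_name == "reg.exe" and bool(SAM_DUMP_RE.search(event.get("CommandLine", "")))

def classify(event):
    """Return the ATT&CK-labelled findings for one event (empty list if clean)."""
    tags = []
    if renamed_rundll32(event):
        tags.append("T1036.003/T1218.011 renamed rundll32")
        if PLAYREADY_DIR in event.get("Image", "").lower():
            tags.append("Daggerfly PlayReady path")
    if sam_hive_dump(event):
        tags.append("T1003.002 SAM hive dump via reg")
    return tags

def scan(events):
    """Map event index -> findings for every event that triggered at least one rule."""
    return {i: classify(e) for i, e in enumerate(events) if classify(e)}
```

OriginalFileName comes from the PE version resource, which a modified binary can omit or change, so pair this check with file-hash or signature verification of anything running from ProgramData.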

Enterprise T1204 .001 User Execution: Malicious Link

Daggerfly has used strategic website compromise to deliver a malicious link requiring user interaction.(Citation: ESET EvasivePanda 2024)

Software

ID Name References Techniques
S1147 Nightdoor (Citation: ESET EvasivePanda 2024) (Citation: Symantec Daggerfly 2024) Scheduled Task, System Owner/User Discovery, System Checks, System Information Discovery, Application Layer Protocol, Deobfuscate/Decode Files or Information, System Network Configuration Discovery, Web Service, Process Discovery, Hijack Execution Flow, Windows Command Shell, File Deletion, System Time Discovery
S0190 BITSAdmin (Citation: Microsoft BITSAdmin) (Citation: Symantec Daggerfly 2023) Lateral Tool Transfer, BITS Jobs, Ingress Tool Transfer, Exfiltration Over Unencrypted Non-C2 Protocol
S0013 PlugX (Citation: CIRCL PlugX March 2013) (Citation: Dell TG-3390) (Citation: DestroyRAT) (Citation: FireEye Clandestine Fox Part 2) (Citation: Kaba) (Citation: Korplug) (Citation: Lastline PlugX Analysis) (Citation: New DragonOK) (Citation: Novetta-Axiom) (Citation: Sogu) (Citation: Symantec Daggerfly 2023) (Citation: TVT) (Citation: Thoper) Screen Capture, Keylogging, DNS, Match Legitimate Resource Name or Location, Symmetric Cryptography, Windows Service, System Checks, DLL, Network Share Discovery, Native API, Deobfuscate/Decode Files or Information, Disable or Modify System Firewall, Modify Registry, File and Directory Discovery, Masquerade Task or Service, System Network Connections Discovery, Process Discovery, Multiband Communication, Registry Run Keys / Startup Folder, Non-Standard Port, Obfuscated Files or Information, Non-Application Layer Protocol, Query Registry, MSBuild, Windows Command Shell, Web Protocols, DLL Side-Loading, Ingress Tool Transfer, Hidden Files and Directories, Custom Command and Control Protocol, Dead Drop Resolver, Commonly Used Port
S1146 MgBot (Citation: ESET EvasivePanda 2023) (Citation: Symantec Daggerfly 2024) (Citation: Szappanos MgBot 2014) System Owner/User Discovery, Keylogging, OS Credential Dumping, Audio Capture, Steal Web Session Cookie, Data from Removable Media, Domain Account, Local Account, Clipboard Data, Data from Local System, Credentials from Password Stores, Credentials from Web Browsers, Domain Trust Discovery, Process Discovery, Data from Information Repositories, Remote System Discovery, Network Service Discovery
S1016 MacMa (Citation: DazzleSpy) (Citation: ESET DazzleSpy Jan 2022) (Citation: OSX.CDDS) (Citation: Objective-See MacMa Nov 2021) (Citation: Symantec Daggerfly 2024) Screen Capture, System Owner/User Discovery, Keylogging, Audio Capture, Local Data Staging, Keychain, Clear Linux or Mac System Logs, Gatekeeper Bypass, Code Signing, System Information Discovery, Native API, Data from Local System, Deobfuscate/Decode Files or Information, Timestomp, Remote Services, System Network Configuration Discovery, File and Directory Discovery, Process Discovery, Exfiltration Over C2 Channel, Unix Shell, Non-Standard Port, Encrypted Channel, Non-Application Layer Protocol, Launch Agent, File Deletion, Ingress Tool Transfer
S0075 Reg (Citation: Microsoft Reg) (Citation: Symantec Daggerfly 2023) (Citation: Windows Commands JPCERT) Credentials in Registry, Modify Registry, Query Registry