S1146 MgBot
MgBot is a modular malware framework exclusively associated with Daggerfly operations since at least 2012. MgBot is written in C++ and has a plugin-based design with multiple available modules that remained under active development through 2024.[2][1][3]
| Item | Value |
|---|---|
| ID | S1146 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 25 July 2024 |
| Last Modified | 10 October 2024 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1087 | Account Discovery | - |
| enterprise | T1087.001 | Local Account | MgBot includes modules for identifying local administrator accounts on victim systems.[4] |
| enterprise | T1087.002 | Domain Account | MgBot includes modules for collecting information on Active Directory domain accounts.[4] |
| enterprise | T1123 | Audio Capture | MgBot can capture input and output audio streams from infected devices.[1][4] |
| enterprise | T1115 | Clipboard Data | MgBot can capture clipboard data.[1][4] |
| enterprise | T1555 | Credentials from Password Stores | MgBot includes modules for stealing stored credentials from Outlook and Foxmail email client software.[1][4] |
| enterprise | T1555.003 | Credentials from Web Browsers | MgBot includes modules for stealing credentials from various browsers and applications, including Chrome, Opera, Firefox, Foxmail, QQBrowser, FileZilla, and WinSCP.[1][4] |
| enterprise | T1213 | Data from Information Repositories | - |
| enterprise | T1213.006 | Databases | MgBot includes a module capable of stealing content from the Tencent QQ database storing user QQ message history on infected devices.[1] |
| enterprise | T1005 | Data from Local System | MgBot includes modules for collecting files from local systems based on a given set of properties and filenames.[1] |
| enterprise | T1025 | Data from Removable Media | MgBot includes modules capable of gathering information from USB thumb drives and CD-ROMs on the victim machine given a list of provided criteria.[1] |
| enterprise | T1482 | Domain Trust Discovery | MgBot includes modules for collecting information on local domain users and permissions.[4] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | MgBot includes keylogger payloads focused on the QQ chat application.[1][4] |
| enterprise | T1046 | Network Service Discovery | MgBot includes modules for performing HTTP and server service scans.[4] |
| enterprise | T1003 | OS Credential Dumping | MgBot includes modules for dumping and capturing credentials from process memory.[4] |
| enterprise | T1057 | Process Discovery | MgBot includes a module for establishing a process watchdog for itself, identifying whether the MgBot process is still running.[4] |
| enterprise | T1018 | Remote System Discovery | MgBot includes modules for performing ARP scans of locally connected systems.[4] |
| enterprise | T1539 | Steal Web Session Cookie | MgBot includes modules that can steal cookies from Firefox, Chrome, and Edge web browsers.[1] |
| enterprise | T1033 | System Owner/User Discovery | MgBot includes modules for identifying local users and administrators on victim machines.[4] |
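The cookie-theft capability above (T1539) is detectable with a simple rule: a browser's cookie store should only be opened by that browser. The following is an added detection example, not code from the ATT&CK page or from any of its references. The log line format (`Image="..." TargetFilename="..."` pairs), the sample events, the process paths in them, and the one-process-per-browser allowlist are all constructed assumptions; the cookie store paths for Firefox, Chrome and Edge are the standard profile locations, with both the older `<profile>\Cookies` and the newer `<profile>\Network\Cookies` layout accepted for the Chromium browsers.

```python
"""Added example (not from the ATT&CK page or its references): flag cookie-store
reads by processes other than the owning browser, covering the Firefox, Chrome
and Edge stores named in the MgBot T1539 entry. Log format, sample events and
the allowlist of expected readers are assumptions/constructed."""
import re
from typing import List, Optional, Tuple

# Standard cookie store locations. Chromium browsers moved the file from
# "<profile>\Cookies" to "<profile>\Network\Cookies", so both forms match.
COOKIE_STORES = [
    ("Firefox", re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\cookies\.sqlite$", re.I)),
    ("Chrome", re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\(?:Network\\)?Cookies$", re.I)),
    ("Edge", re.compile(r"\\Microsoft\\Edge\\User Data\\[^\\]+\\(?:Network\\)?Cookies$", re.I)),
]

# Assumption: only the browser itself opens its own store. Extend this for
# backup agents or other legitimate readers in a real environment.
EXPECTED_READER = {"Firefox": "firefox.exe", "Chrome": "chrome.exe", "Edge": "msedge.exe"}

# Constructed key="value" field syntax; field names mirror Sysmon's naming.
KV = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> Optional[Tuple[str, str]]:
    """Parse one constructed file-access line into (image, target) or None."""
    fields = dict(KV.findall(line))
    if "Image" not in fields or "TargetFilename" not in fields:
        return None
    return fields["Image"], fields["TargetFilename"]


def cookie_store_browser(target: str) -> Optional[str]:
    """Return which browser's cookie store `target` is, or None if it is not one."""
    for browser, pattern in COOKIE_STORES:
        if pattern.search(target):
            return browser
    return None


def find_suspicious(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (image, browser, target) for cookie-store reads by a foreign process."""
    hits = []
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        image, target = parsed
        browser = cookie_store_browser(target)
        if browser is None:
            continue
        exe = image.rsplit("\\", 1)[-1].lower()
        if exe != EXPECTED_READER[browser]:
            hits.append((image, browser, target))
    return hits


# Constructed sample events; the process paths are illustrative only and are
# not MgBot indicators.
SAMPLE_EVENTS = [
    r'Image="C:\Program Files\Google\Chrome\Application\chrome.exe" '
    r'TargetFilename="C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"',
    r'Image="C:\Windows\System32\rundll32.exe" '
    r'TargetFilename="C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"',
    r'Image="C:\Program Files\Mozilla Firefox\firefox.exe" '
    r'TargetFilename="C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\k2x9q.default-release\cookies.sqlite"',
    r'Image="C:\Users\alice\AppData\Local\Temp\svc.exe" '
    r'TargetFilename="C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\k2x9q.default-release\cookies.sqlite"',
    r'Image="C:\Windows\System32\notepad.exe" '
    r'TargetFilename="C:\Users\alice\Documents\notes.txt"',
    r'Image="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
    r'TargetFilename="C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Default\Cookies"',
]

if __name__ == "__main__":
    for image, browser, target in find_suspicious(SAMPLE_EVENTS):
        print(f"[T1539] {browser} cookie store opened by foreign process {image}: {target}")
```

On the constructed sample, the two reads by `rundll32.exe` and the Temp-directory executable are reported while the three browser-owned reads and the unrelated file are ignored. Because the cookie stores are copied rather than parsed by many stealers, the same rule also catches the credential-theft module's reads of Chromium `Login Data` files if their paths are added to the pattern list.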
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1034 | Daggerfly | Daggerfly is uniquely associated with the use of MgBot since at least 2012.[1] |
References
1. Facundo Muñoz. (2023, April 26). Evasive Panda APT group delivers malware via updates for popular Chinese software. Retrieved July 25, 2024.
2. Gabor Szappanos. (2014, February 3). Needle in a haystack. Retrieved July 25, 2024.
3. Threat Hunter Team. (2024, July 23). Daggerfly: Espionage Group Makes Major Update to Toolset. Retrieved July 25, 2024.
4. Threat Hunter Team. (2023, April 20). Daggerfly: APT Actor Targets Telecoms Company in Africa. Retrieved July 25, 2024.