A China-linked threat actor, tracked by Symantec as Daggerfly, has been targeting African telecommunication service providers since at least November 2022. The group uses spear-phishing as its initial infection vector and deploys the MgBot modular malware framework to gain access to victim environments and collect sensitive information.
Symantec disclosed that the campaign uses “previously unseen plugins from the MgBot malware framework,” and that the attackers abuse the legitimate AnyDesk remote desktop software to deliver payloads. MgBot is a multifunctional framework whose plugins let the operators harvest browser data, log keystrokes, capture screenshots, record audio, and enumerate Active Directory.
According to Secureworks, Daggerfly has been suspected of conducting espionage since 2014, targeting domestic human rights and pro-democracy advocates as well as countries bordering China. The breadth of MgBot's plugin set suggests that the framework is actively maintained and updated by its operators.
Symantec also identified three additional victims of the same activity cluster in Asia and Africa. Two of them, breached in November 2022, are subsidiaries of a Middle Eastern telecom firm. Access to telecommunications companies gives a threat actor a vantage point from which to collect information about end users' communications.
The revelation of this campaign comes a month after SentinelOne detailed Tainted Love, a campaign aimed at telecommunication providers in the Middle East, attributed to a Chinese cyberespionage group that shares overlaps with Gallium (aka Othorene).
Both campaigns highlight that Chinese threat actors are increasingly targeting telecommunication service providers in the Middle East and Africa to obtain access to sensitive data. Symantec has not disclosed which African countries are affected by Daggerfly's campaign or the scope of the data stolen, but the activity is another instance of the sector's sustained targeting.