Categories: Cyber AttackMalware

Chinese Hackers Using Shared Framework To Create Multi-Platform Malware

Shared frameworks are often prone to hackers’ abuses as they have been built into various applications, which offer a range of systems that can be exploited at the same time.

By attacking shared framework vulnerabilities, hackers can get into many apps and information stores, which escalates their malicious acts in terms of efficiency and scale.

Cybersecurity researchers at Symantec recently discovered that Chinese hackers have been actively abusing the Shared Framework to create Windows, Linux, macOS, and Android malware.

Chinese Hackers Using Multi-Platform Malware

The malware toolkit of the Daggerfly espionage group has been refreshed by adding new versions of already known threats and a previously unattributed macOS backdoor.

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.

The latest attacks against the targets in Taiwan and a US NGO in China are examples of how the group’s tactics have evolved, including the exploitation of an Apache HTTP Server vulnerability.

This development shows that Daggerfly continues to evolve and remains involved in international and domestic spying operations, extending its decade-long history in the cyber field.

Macma is a macOS backdoor that was first documented in 2021. It has been active since 2019 and is continuously developing.

Watering hole attacks in Hong Kong were the initial distribution channels through which it exploited loopholes to install itself into macOS devices.

According to a recent Symantec analysis of different Macma variations, its functions change meaningfully with time, consequently comprising newly updated modules, improved file paths, heightened logging, and other features such as better screen-capture capabilities.

These ongoing developments depict a relentless threat by the Macma backdoor, which has a proven ability of targeting macOS systems.

New evidence links the Macma macOS backdoor to the Daggerfly threat group. Symantec discovered shared command-and-control infrastructure between Macma variants and a MgBot dropper. 

While Macma and other known Daggerfly malware share code from a common library, which provides functionality across multiple platforms. 

This shared codebase and infrastructure strongly suggest that Macma is part of the Daggerfly toolkit, marking a significant development in attributing this previously unaffiliated backdoor to a specific advanced persistent threat group.

Daggerfly’s toolkit now includes a sophisticated Windows backdoor called Suzafk (aka Nightdoor or NetMM). 

This multi-staged malware uses TCP or OneDrive for command and control, employs anti-analysis techniques, and shares code with other Daggerfly tools. 

Suzafk’s capabilities include remote command execution, persistence via scheduled tasks, and encrypted configuration storage. 

This addition, along with evidence of malware targeting various operating systems, including Android and Solaris, demonstrates Daggerfly’s advanced capabilities and adaptability in conducting espionage activities across multiple platforms.

IoCs

IoCs (Source – Symantec)

Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo

Tushar Subhra

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan exploits…

7 hours ago

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on organizations…

8 hours ago

Google Chrome Security, Critical Vulnerabilities Patched

Google has updated its Chrome browser, addressing critical vulnerabilities that posed potential risks to millions…

10 hours ago

Notorious WrnRAT Delivered Mimic As Gambling Games

WrnRAT is a new malware attack that cybercriminals have deployed by using popular gambling games…

1 day ago

New Windows Downgrade Attack Let Hackers Downgrade Patched Systems To Exploits

The researcher discovered a vulnerability in the Windows Update process that allowed them to downgrade…

1 day ago

Hackers Use Fog Ransomware To Attack SonicWall VPNs And Breach Corporate Networks

Recent cyberattacks involving Akira and Fog threat actors have targeted various industries, exploiting a vulnerability…

1 day ago