Chinese Hackers Using Shared Framework To Create Multi-Platform Malware

Shared frameworks are often prone to hackers’ abuses as they have been built into various applications, which offer a range of systems that can be exploited at the same time.

By attacking shared framework vulnerabilities, hackers can get into many apps and information stores, which escalates their malicious acts in terms of efficiency and scale.

Cybersecurity researchers at Symantec recently discovered that Chinese hackers have been actively abusing the Shared Framework to create Windows, Linux, macOS, and Android malware.

Chinese Hackers Using Multi-Platform Malware

The malware toolkit of the Daggerfly espionage group has been refreshed by adding new versions of already known threats and a previously unattributed macOS backdoor.

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.

The latest attacks against the targets in Taiwan and a US NGO in China are examples of how the group’s tactics have evolved, including the exploitation of an Apache HTTP Server vulnerability.

This development shows that Daggerfly continues to evolve and remains involved in international and domestic spying operations, extending its decade-long history in the cyber field.

Macma is a macOS backdoor that was first documented in 2021. It has been active since 2019 and is continuously developing.

Watering hole attacks in Hong Kong were the initial distribution channels through which it exploited loopholes to install itself into macOS devices.

According to a recent Symantec analysis of different Macma variations, its functions change meaningfully with time, consequently comprising newly updated modules, improved file paths, heightened logging, and other features such as better screen-capture capabilities.

These ongoing developments depict a relentless threat by the Macma backdoor, which has a proven ability of targeting macOS systems.

New evidence links the Macma macOS backdoor to the Daggerfly threat group. Symantec discovered shared command-and-control infrastructure between Macma variants and a MgBot dropper. 

While Macma and other known Daggerfly malware share code from a common library, which provides functionality across multiple platforms. 

This shared codebase and infrastructure strongly suggest that Macma is part of the Daggerfly toolkit, marking a significant development in attributing this previously unaffiliated backdoor to a specific advanced persistent threat group.

Daggerfly’s toolkit now includes a sophisticated Windows backdoor called Suzafk (aka Nightdoor or NetMM). 

This multi-staged malware uses TCP or OneDrive for command and control, employs anti-analysis techniques, and shares code with other Daggerfly tools. 

Suzafk’s capabilities include remote command execution, persistence via scheduled tasks, and encrypted configuration storage. 

This addition, along with evidence of malware targeting various operating systems, including Android and Solaris, demonstrates Daggerfly’s advanced capabilities and adaptability in conducting espionage activities across multiple platforms.

IoCs

Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo