1. Home
  2. Software
  3. MgBot

MgBot

MgBot is a modular malware framework exclusively associated with Daggerfly operations since at least 2012. MgBot was developed in C++ and features a module design with multiple available plugins that have been under active development through 2024.[1][2][3]

ID: S1146
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 25 July 2024
Last Modified: 10 October 2024
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1213 从信息存储库获取数据

MgBot includes a module capable of stealing content from the Tencent QQ database storing user QQ message history on infected devices.[2]
Enterprise T1025 从可移动介质获取数据

MgBot includes modules capable of gathering information from USB thumb drives and CD-ROMs on the victim machine given a list of provided criteria.[2]
Enterprise T1555 从密码存储中获取凭证

MgBot includes modules for stealing stored credentials from Outlook and Foxmail email client software.[2][4]
.003 Credentials from Web Browsers

MgBot includes modules for stealing credentials from various browsers and applications, including Chrome, Opera, Firefox, Foxmail, QQBrowser, FileZilla, and WinSCP.[2][4]
Enterprise T1005 从本地系统获取数据

MgBot includes modules for collecting files from local systems based on a given set of properties and filenames.[2]
Enterprise T1115 剪贴板数据

MgBot can capture clipboard data.[2][4]
Enterprise T1482 域信任发现

MgBot includes modules for collecting information on local domain users and permissions.[4]
Enterprise T1003 操作系统凭证转储

MgBot includes modules for dumping and capturing credentials from process memory.[4]
Enterprise T1539 窃取Web会话Cookie

MgBot includes modules that can steal cookies from Firefox, Chrome, and Edge web browsers.[2]
Enterprise T1033 系统所有者/用户发现

MgBot includes modules for identifying local users and administrators on victim machines.[4]
Enterprise T1046 网络服务发现

MgBot includes modules for performing HTTP and server service scans.[4]
Enterprise T1087 .001 账号发现: Local Account

MgBot includes modules for identifying local administrator accounts on victim systems.[4]
.002 账号发现: Domain Account

MgBot includes modules for collecting information on Active Directory domain accounts.[4]
Enterprise T1056 .001 输入捕获: Keylogging

MgBot includes keylogger payloads focused on the QQ chat application.[2][4]
Enterprise T1057 进程发现

MgBot includes a module for establishing a process watchdog for itself, identifying if the MgBot process is still running.[4]
Enterprise T1018 远程系统发现

MgBot includes modules for performing ARP scans of local connected systems.[4]
Enterprise T1123 音频捕获

MgBot can capture input and output audio streams from infected devices.[2][4]

Groups That Use This Software

ID Name References
G1034 Daggerfly

Daggerfly is uniquely associated with the use of MgBot since at least 2012.[2]

References

  1. Gabor Szappanos. (2014, February 3). Needle in a haystack. Retrieved July 25, 2024.
  2. Facundo Muñoz. (2023, April 26). Evasive Panda APT group delivers malware via updates for popular Chinese software. Retrieved July 25, 2024.
  1. Threat Hunter Team. (2024, July 23). Daggerfly: Espionage Group Makes Major Update to Toolset. Retrieved July 25, 2024.
  2. Threat Hunter Team. (2023, April 20). Daggerfly: APT Actor Targets Telecoms Company in Africa. Retrieved July 25, 2024.