MacMa

Malware updated 19 days ago (2024-11-29T13:40:03.665Z)

Download STIX

Preview STIX

Macma is a malware, first detailed by Google in 2021, that has been used since at least 2019. It is a modular backdoor that supports multiple functionalities such as device fingerprinting, executing commands, screen capture, keylogging, audio capture, and uploading and downloading files. Macma, often used by Evasive Panda, is a macOS backdoor malware while POCOSTICK (aka MGBot) works on Windows systems. The malware infects systems via suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom. The China-linked APT group exploited the privilege escalation vulnerability CVE-2021-30869 to install Macma on macOS devices. The attackers altered DNS responses for domains related to software updates to deploy multiple malware families, including Macma and POCOSTICK. Instead of installing the intended updates, these applications would install malware when they went to retrieve their updates. This strategy allowed the malware to enter systems often without the user's knowledge. The latest variant of Macma demonstrates the group converging development of both Macma and another malware known as Gimmick, according to Volexity. The attacks delivered new variants of the Macma backdoor, as well as post-exploitation malware to exfiltrate sensitive data from compromised networks. This highlights the evolving nature of cyber threats and the need for continuous vigilance and robust cybersecurity measures.

Description last updated: 2024-09-26T19:16:23.895Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Mgbot is a possible alias for MacMa. MgBot is a malicious software (malware) discovered by ESET, designed to exploit and damage computer systems. It can infiltrate systems via suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it's capable of stealing personal information, disrupting operations, and	4
Pocostick is a possible alias for MacMa. Pocostick, also known as MGBot, is a type of malware that exploits and damages computer systems. This malicious software infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even h	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Macos

Backdoor

Symantec

Dropper

Windows

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Evasive Panda Threat Actor is associated with MacMa. Evasive Panda, also known as StormBamboo, Daggerfly, or Bronze Highland, is a threat actor group linked to China that has been operating since at least 2012. The group primarily focuses on cyber espionage against civil society targets and has demonstrated significant technical capabilities. They hav	Unspecified	3
The Daggerfly Threat Actor is associated with MacMa. DaggerFly, also known as Evasive Panda and StormBamboo, is a Chinese-speaking Advanced Persistent Threat (APT) group that has been active since at least 2012. The group is recognized for its cyber espionage activities against individuals and organizations in mainland China, Hong Kong, Macao, Nigeria	Unspecified	3
The Bronze Highland Threat Actor is associated with MacMa. Bronze Highland, also known as Evasive Panda and Daggerfly, is a China-linked Advanced Persistent Threat (APT) group that has been active since at least 2012. The group primarily conducts cyber espionage against individuals in mainland China, Hong Kong, Macao, and Nigeria, as well as certain organiz	Unspecified	2

Source Document References

Information about the MacMa Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Securityaffairs	3 months ago	China-linked APT group Salt Typhoon compromised some US ISPs
Securityaffairs	4 months ago	SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 6
DARKReading	4 months ago	China's Evasive Panda Attacks ISP to Send Malicious Software Updates
InfoSecurity-magazine	4 months ago	APT Group StormBamboo Attacks ISP Customers Via DNS Poisoning
Securityaffairs	4 months ago	Chinese StormBamboo APT compromised ISP to deliver malware
Securityaffairs	4 months ago	security-affairs-malware-newsletter-round-5
Securityaffairs	5 months ago	Chinese Daggerfly uses a new version of Macma macOS backdoor
DARKReading	5 months ago	China's 'Evasive Panda' APT Spies on Taiwan Targets Across Platforms
InfoSecurity-magazine	5 months ago	Chinese Espionage Group Upgrades Malware to Target All Major OS
BankInfoSecurity	5 months ago	Chinese Cyberespionage Group Expands Malware Arsenal
InfoSecurity-magazine	a year ago	Potent Trojans Targeting MacOS Users
MITRE	2 years ago	OSX.CDDS (OSX.MacMa)