MacMa

Malware updated 25 days ago (2024-08-14T09:42:48.282Z)
Macma is a macOS backdoor first detailed by Google's Threat Analysis Group (TAG) in 2021, although it had been in use since at least 2019. Tracked as OSX.MacMa or simply Macma, it has been frequently employed by the Evasive Panda group. The malware is modular, supporting device fingerprinting, command execution, screen capture, keylogging, audio capture, and file upload and download. It can reach a system through suspicious downloads, emails, or websites, often without the user's knowledge.

This China-linked Advanced Persistent Threat (APT) group has been observed using an updated version of the Macma backdoor. The new variant shows a convergence in the development of Macma and another piece of malware known as Gimmick. In the observed attacks, the adversaries manipulated DNS responses for domains related to software updates in order to deploy several malware families, including Macma and Pocostick (also known as MGBot), so that when applications attempted to retrieve their updates they unknowingly installed malware instead. The attackers exploited the privilege escalation vulnerability CVE-2021-30869 to install Macma on macOS devices; once installed, the malware could exfiltrate sensitive data from compromised networks. Notably, while Macma targets macOS systems, its counterpart Pocostick (MGBot) is designed for Windows. The continuing evolution of these malware variants and their delivery methods underscores the persistent threat posed by APT groups and the need for robust defensive measures.
Description last updated: 2024-08-14T08:45:18.862Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Mgbot (4 votes): MgBot is a malicious software (malware) used exclusively by the cyber threat group known as Evasive Panda. This malware, along with another custom-made Windows backdoor called Nightdoor, forms part of the group's toolkit for cyber attacks. These tools are typically delivered via malicious downloader
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Macos
Backdoor
Symantec
Dropper
Windows
Associated Threat Actors
Evasive Panda (type: Unspecified, 3 votes): Evasive Panda, a threat actor group also known as Bronze Highland and Daggerfly, has been identified as a significant cybersecurity threat. This group, believed to be aligned with China, has been deploying custom implants such as MgBot, Nightdoor, and a macOS downloader component, using these tools

Daggerfly (type: Unspecified, 3 votes): DaggerFly, also known as Evasive Panda and Bronze Highland, is a Chinese-speaking Advanced Persistent Threat (APT) group that has been active since 2012. The group is known for its cyberespionage activities targeting individuals in mainland China, Hong Kong, Macao, and Nigeria. In addition to these

Bronze Highland (type: Unspecified, 2 votes): Bronze Highland, also known as Evasive Panda and Daggerfly, is a Chinese-speaking advanced persistent threat (APT) group that has been active since at least 2012. The group conducts cyberespionage against individuals in mainland China, Hong Kong, Macao, and Nigeria, along with specific organizations
Source Document References
Information about the MacMa malware was read from the documents in the corpus below (display limited to 20 results).
Source (created): Title

Securityaffairs (a month ago): SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 6
DARKReading (a month ago): China's Evasive Panda Attacks ISP to Send Malicious Software Updates
InfoSecurity-magazine (a month ago): APT Group StormBamboo Attacks ISP Customers Via DNS Poisoning
Securityaffairs (a month ago): Chinese StormBamboo APT compromised ISP to deliver malware
Securityaffairs (a month ago): security-affairs-malware-newsletter-round-5
Securityaffairs (a month ago): Chinese Daggerfly uses a new version of Macma macOS backdoor
DARKReading (a month ago): China's 'Evasive Panda' APT Spies on Taiwan Targets Across Platforms
InfoSecurity-magazine (a month ago): Chinese Espionage Group Upgrades Malware to Target All Major OS
BankInfoSecurity (2 months ago): Chinese Cyberespionage Group Expands Malware Arsenal
InfoSecurity-magazine (a year ago): Potent Trojans Targeting MacOS Users
MITRE (2 years ago): OSX.CDDS (OSX.MacMa)