Chinese hackers target Mac users with boosted Macma malware

China
(Image credit: Shutterstock)

Chinese cybercriminals known as Daggerfly (AKA Evasive Panda or Bronze Highland) have been observed targeting macOS users with an updated version of their proprietary malware

A report from Symantec claims the new variant was most likely introduced since older variants got too exposed.

The malware in question is called Macma. It is a macOS backdoor that was first observed in 2020, but it's still not known who built it. The researchers believe it had been used since at least 2019, mostly in watering hole attacks against compromised websites in Hong Kong. Being a modular backdoor, Macma’s key functionalities include device fingerprinting, executing commands, screen grabbing, keylogging, audio capture, and uploading/downloading files from the compromised systems.

Taiwanese and American targets

The discovery of recent Macma variants are testament of “ongoing development”, the researchers further explained, saying that they also observed a second version of Macma containing incremental updates to the existing functionality. 

Daggerfly was apparently using Macma against organizations in Taiwan and an American non-government organization in China.

In these attacks, it used more than just Macma. Symantec says they abused a vulnerability in an Apache HTTP server to also deploy their MgBot malware, a modular framework first observed back in 2008. In the past, MgBot was seen used in targeted attacks, mostly since it was exceptionally good at evading detection, while remaining persistent. 

The framework is designed to be highly adaptable, allowing operators to deploy various plugins and modules to perform different malicious activities depending on the target and objectives. These activities can include data theft, keylogging, capturing screenshots, and remote control of the infected system. 

Finally, Dggerfly used a Windows backdoor called Trojan.Suzafk, first documented by ESET in March this year (the researchers called it Nightdoor, or NetMM). Suzafk was developed using the same shared library used in Mgbot, Macma, and a number of other Daggerfly tools, Symantec added. Suzafk is a multi-staged backdoor capable of using TCP or OneDrive for C&C. 

Via BleepingComputer

More from TechRadar Pro

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.