Chinese cybercriminals known as Daggerfly (also known as Evasive Panda or Bronze Highland) have been identified as targeting macOS users with an updated version of their own malware.
According to a report from Symantec, the new variant was most likely introduced because older variants were too vulnerable.
The malware in question is called Macma. It is a macOS backdoor that was first observed in 2020, but it is still unknown who built it. The researchers believe that it has been in use since at least 2019, mainly in watering hole attacks on compromised websites in Hong Kong. Since it is a modular backdoor, Macma’s main functionalities include device fingerprinting, command execution, screenshotting, keylogging, audio recording, and uploading/downloading files from the compromised systems.
Taiwanese and American targets
The discovery of recent Macma variants is evidence of “continuous development,” the researchers further explained. They said they also observed a second version of Macma with incremental updates to existing functionality.
Daggerfly apparently used Macma against organizations in Taiwan and an American non-governmental organization in China.
These attacks used more than just Macma. Symantec says they exploited a vulnerability in an Apache HTTP server to also deploy their MgBot malware, a modular framework first seen in 2008. MgBot has been used in targeted attacks in the past, largely because it was exceptionally good at evading detection while remaining persistent.
The framework is designed to be highly customizable, allowing operators to implement various plugins and modules to perform different malicious activities depending on the target and objectives. These activities can include data theft, keylogging, taking screenshots, and remote control of the infected system.
Finally, Daggerfly used a Windows backdoor called Trojan.Suzafk, first documented by ESET in March this year (the researchers called it Nightdoor, or NetMM). Suzafk was developed using the same shared library used in Mgbot, Macma and a number of other Daggerfly tools, Symantec added. Suzafk is a multi-staged backdoor that can use TCP or OneDrive for C&C.
Through BleepingComputer