Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

Chinese hackers target Mac users with boosted Macma malware

China.

Chinese cybercriminals known as Daggerfly (AKA Evasive Panda or Bronze Highland) have been observed targeting macOS users with an updated version of their proprietary malware

A report from Symantec claims the new variant was most likely introduced since older variants got too exposed.

The malware in question is called Macma. It is a macOS backdoor that was first observed in 2020, but it's still not known who built it. The researchers believe it had been used since at least 2019, mostly in watering hole attacks against compromised websites in Hong Kong. Being a modular backdoor, Macma’s key functionalities include device fingerprinting, executing commands, screen grabbing, keylogging, audio capture, and uploading/downloading files from the compromised systems.

Taiwanese and American targets

The discovery of recent Macma variants are testament of “ongoing development”, the researchers further explained, saying that they also observed a second version of Macma containing incremental updates to the existing functionality. 

Daggerfly was apparently using Macma against organizations in Taiwan and an American non-government organization in China.

In these attacks, it used more than just Macma. Symantec says they abused a vulnerability in an Apache HTTP server to also deploy their MgBot malware, a modular framework first observed back in 2008. In the past, MgBot was seen used in targeted attacks, mostly since it was exceptionally good at evading detection, while remaining persistent. 

The framework is designed to be highly adaptable, allowing operators to deploy various plugins and modules to perform different malicious activities depending on the target and objectives. These activities can include data theft, keylogging, capturing screenshots, and remote control of the infected system. 

Finally, Dggerfly used a Windows backdoor called Trojan.Suzafk, first documented by ESET in March this year (the researchers called it Nightdoor, or NetMM). Suzafk was developed using the same shared library used in Mgbot, Macma, and a number of other Daggerfly tools, Symantec added. Suzafk is a multi-staged backdoor capable of using TCP or OneDrive for C&C. 

Via BleepingComputer

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.