Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

MacMa

MacMa is a macOS-based backdoor with a large set of functionalities to control and exfiltrate files from a compromised computer. MacMa has been observed in the wild since November 2021.(Citation: ESET DazzleSpy Jan 2022) MacMa shares command and control and unique libraries with MgBot and Nightdoor, indicating a relationship with the Daggerfly threat actor.(Citation: Symantec Daggerfly 2024)
ID: S1016
Associated Software: DazzleSpy OSX.CDDS
Type: MALWARE
Platforms: Windows
Version: 2.0
Created: 06 May 2022
Last Modified: 26 Jul 2024

Associated Software Descriptions

Name Description
DazzleSpy (Citation: ESET DazzleSpy Jan 2022)
OSX.CDDS (Citation: Objective-See MacMa Nov 2021)

Techniques Used

Domain ID Name Use
Enterprise T1059 .004 Command and Scripting Interpreter: Unix Shell

MacMa can execute supplied shell commands and uses bash scripts to perform additional actions.(Citation: ESET DazzleSpy Jan 2022)(Citation: Objective-See MacMa Nov 2021)

Enterprise T1543 .001 Create or Modify System Process: Launch Agent

MacMa installs a `com.apple.softwareupdate.plist` file in the `/LaunchAgents` folder with the `RunAtLoad` value set to `true`. Upon user login, MacMa is executed from `/var/root/.local/softwareupdate` with root privileges. Some variations also include the `LimitLoadToSessionType` key with the value `Aqua`, ensuring the MacMa only runs when there is a logged in GUI user.(Citation: ESET DazzleSpy Jan 2022)(Citation: Objective-See MacMa Nov 2021)

Enterprise T1555 .001 Credentials from Password Stores: Keychain

MacMa can dump credentials from the macOS keychain.(Citation: ESET DazzleSpy Jan 2022)

Enterprise T1074 .001 Data Staged: Local Data Staging

MacMa has stored collected files locally before exfiltration.(Citation: Objective-See MacMa Nov 2021)

Enterprise T1070 .002 Indicator Removal: Clear Linux or Mac System Logs

MacMa can clear possible malware traces such as application logs.(Citation: ESET DazzleSpy Jan 2022)

.004 Indicator Removal: File Deletion

MacMa can delete itself from the compromised computer.(Citation: ESET DazzleSpy Jan 2022)

.006 Indicator Removal: Timestomp

MacMa has the capability to create and modify file timestamps.(Citation: ESET DazzleSpy Jan 2022)

Enterprise T1056 .001 Input Capture: Keylogging

MacMa can use Core Graphics Event Taps to intercept user keystrokes from any text input field and saves them to text files. Text input fields include Spotlight, Finder, Safari, Mail, Messages, and other apps that have text fields for passwords.(Citation: Objective-See MacMa Nov 2021)(Citation: SentinelOne MacMa Nov 2021)

Enterprise T1553 .001 Subvert Trust Controls: Gatekeeper Bypass

MacMa has removed the `com.apple.quarantineattribute` from the dropped file, `$TMPDIR/airportpaird`.(Citation: ESET DazzleSpy Jan 2022)

.002 Subvert Trust Controls: Code Signing

MacMa has been delivered using ad hoc Apple Developer code signing certificates.(Citation: SentinelOne Macma 2021)

Groups That Use This Software

ID Name References
G1034 Daggerfly

(Citation: Symantec Daggerfly 2024)

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.