MacMa
Associated Software Descriptions

| Name | Description |
|---|---|
| DazzleSpy | (Citation: ESET DazzleSpy Jan 2022) |
| OSX.CDDS | (Citation: Objective-See MacMa Nov 2021) |
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059.004 | Command and Scripting Interpreter: Unix Shell | MacMa can execute supplied shell commands and uses bash scripts to perform additional actions.(Citation: ESET DazzleSpy Jan 2022)(Citation: Objective-See MacMa Nov 2021) |
| Enterprise | T1543.001 | Create or Modify System Process: Launch Agent | MacMa installs a `com.apple.softwareupdate.plist` file in the `/LaunchAgents` folder with the `RunAtLoad` value set to `true`. Upon user login, MacMa is executed from `/var/root/.local/softwareupdate` with root privileges. Some variations also include the `LimitLoadToSessionType` key with the value `Aqua`, ensuring MacMa only runs when there is a logged-in GUI user.(Citation: ESET DazzleSpy Jan 2022)(Citation: Objective-See MacMa Nov 2021) |
| Enterprise | T1555.001 | Credentials from Password Stores: Keychain | MacMa can dump credentials from the macOS keychain.(Citation: ESET DazzleSpy Jan 2022) |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | MacMa has stored collected files locally before exfiltration.(Citation: Objective-See MacMa Nov 2021) |
| Enterprise | T1070.002 | Indicator Removal: Clear Linux or Mac System Logs | MacMa can clear possible malware traces such as application logs.(Citation: ESET DazzleSpy Jan 2022) |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | MacMa can delete itself from the compromised computer.(Citation: ESET DazzleSpy Jan 2022) |
| Enterprise | T1070.006 | Indicator Removal: Timestomp | MacMa has the capability to create and modify file timestamps.(Citation: ESET DazzleSpy Jan 2022) |
| Enterprise | T1056.001 | Input Capture: Keylogging | MacMa can use Core Graphics Event Taps to intercept user keystrokes from any text input field and save them to text files. Text input fields include Spotlight, Finder, Safari, Mail, Messages, and other apps that have text fields for passwords.(Citation: Objective-See MacMa Nov 2021)(Citation: SentinelOne MacMa Nov 2021) |
| Enterprise | T1553.001 | Subvert Trust Controls: Gatekeeper Bypass | MacMa has removed the `com.apple.quarantine` attribute from the dropped file, `$TMPDIR/airportpaird`.(Citation: ESET DazzleSpy Jan 2022) |
| Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | MacMa has been delivered using ad hoc Apple Developer code signing certificates.(Citation: SentinelOne Macma 2021) |
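The T1543.001 row describes a launch agent that borrows an Apple-style label (`com.apple.softwareupdate`) but runs a binary from a hidden directory under `/var/root/.local`, with `RunAtLoad` set and optionally `LimitLoadToSessionType` = `Aqua`. A defender can turn that description into a plist audit. The block below is an added example, not code from the MITRE page or from the ESET or Objective-See reports: it parses LaunchAgent plists with Python's standard `plistlib` and flags the combination of an Apple-style label with a program outside Apple's own directories, or a program living in a hidden directory. The two sample plists are constructed for illustration, and the list of Apple program path prefixes is an assumption, not something the page states.

```python
"""Audit LaunchAgent property lists for the persistence pattern in the
T1543.001 row: an Apple-looking label whose program lives outside Apple's
own paths (or in a hidden directory), RunAtLoad set, optionally
LimitLoadToSessionType = Aqua.

Added example; not code from the MITRE page or from the cited reports.
"""
import plistlib
from pathlib import Path
from typing import Any, Dict, List

# Assumption: programs behind a genuine com.apple.* launch agent live under
# one of these prefixes. Anything else with an Apple label is worth a look.
APPLE_PROGRAM_PREFIXES = (
    "/System/",
    "/usr/libexec/",
    "/usr/bin/",
    "/usr/sbin/",
    "/Library/Apple/",
)

# Constructed sample that mirrors the table row: label, program path and keys
# are taken from the page; the plist itself is made up here.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.softwareupdate</string>
  <key>ProgramArguments</key>
  <array><string>/var/root/.local/softwareupdate</string></array>
  <key>RunAtLoad</key><true/>
  <key>LimitLoadToSessionType</key><string>Aqua</string>
</dict></plist>"""

# Constructed benign sample: a vendor updater that also starts at login.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example Updater.app/Contents/MacOS/updater</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""


def program_path(plist: Dict[str, Any]) -> str:
    """Return the executable a launchd job runs: Program, else ProgramArguments[0]."""
    if "Program" in plist:
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def audit_launch_agent(data: bytes) -> List[str]:
    """Return human-readable findings for one plist (empty list = nothing notable)."""
    plist = plistlib.loads(data)
    label = str(plist.get("Label", ""))
    prog = program_path(plist)
    findings: List[str] = []
    if label.startswith("com.apple.") and not prog.startswith(APPLE_PROGRAM_PREFIXES):
        findings.append(f"Apple-style label {label!r} runs non-Apple path {prog!r}")
    if "/." in prog:
        findings.append(f"program lives in a hidden directory: {prog!r}")
    # The next two are context, not evidence on their own: many legitimate
    # agents start at login, and Aqua just means "only with a GUI session".
    if plist.get("RunAtLoad") is True:
        findings.append("RunAtLoad is true (starts at login)")
    if plist.get("LimitLoadToSessionType") == "Aqua":
        findings.append("LimitLoadToSessionType=Aqua (only runs with a GUI user)")
    return findings


def is_suspicious(data: bytes) -> bool:
    """True only when the label/path findings fire, not merely RunAtLoad/Aqua."""
    return any(
        f.startswith("Apple-style label") or f.startswith("program lives in a hidden")
        for f in audit_launch_agent(data)
    )


def scan_launch_agent_dirs(dirs: List[str]) -> Dict[str, List[str]]:
    """Audit every *.plist in the given directories; skips unreadable files."""
    results: Dict[str, List[str]] = {}
    for d in dirs:
        for p in Path(d).expanduser().glob("*.plist"):
            try:
                findings = audit_launch_agent(p.read_bytes())
            except (OSError, plistlib.InvalidFileException, ValueError):
                continue
            if findings:
                results[str(p)] = findings
    return results


if __name__ == "__main__":
    # Typical user and system LaunchAgents locations on macOS.
    for path, findings in scan_launch_agent_dirs(
        ["~/Library/LaunchAgents", "/Library/LaunchAgents"]
    ).items():
        print(path)
        for f in findings:
            print("  -", f)
```

`is_suspicious` deliberately ignores `RunAtLoad` and `Aqua` on their own, so a benign vendor updater that starts at login does not trip the check; the Apple label pointing at a non-Apple (and hidden) path is what separates the constructed MacMa-style plist from it.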
Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G1034 | Daggerfly | (Citation: Symantec Daggerfly 2024) |
References

- M.Léveillé, M., Cherepanov, A. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022.
- Threat Hunter Team. (2024, July 23). Daggerfly: Espionage Group Makes Major Update to Toolset. Retrieved July 25, 2024.
- Wardle, P. (2021, November 11). OSX.CDDS (OSX.MacMa). Retrieved June 30, 2022.
- Stokes, P. (2021, November 15). Infect If Needed | A Deeper Dive Into Targeted Backdoor macOS.Macma. Retrieved July 26, 2024.
- Stokes, P. (2021, November 15). Infect If Needed | A Deeper Dive Into Targeted Backdoor macOS.Macma. Retrieved June 30, 2022.