Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Инструмент MacMa
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Инструмент
MacMa
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

MacMa

MacMa is a macOS-based backdoor with a large set of functionalities to control and exfiltrate files from a compromised computer. MacMa has been observed in the wild since November 2021.(Citation: ESET DazzleSpy Jan 2022)
ID: S1016
Associated Software: DazzleSpy OSX.CDDS
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 06 May 2022
Last Modified: 24 Oct 2022

Associated Software Descriptions
Name Description
DazzleSpy (Citation: ESET DazzleSpy Jan 2022)
OSX.CDDS (Citation: Objective-See MacMa Nov 2021)

Techniques Used
Domain ID Name Use
Enterprise T1059 .004 Command and Scripting Interpreter: Unix Shell

MacMa can execute supplied shell commands and uses bash scripts to perform additional actions.(Citation: ESET DazzleSpy Jan 2022)(Citation: Objective-See MacMa Nov 2021)
Enterprise T1543 .001 Create or Modify System Process: Launch Agent

MacMa installs a `com.apple.softwareupdate.plist` file in the `/LaunchAgents` folder with the `RunAtLoad` value set to `true`. Upon user login, MacMa is executed from `/var/root/.local/softwareupdate` with root privileges. Some variations also include the `LimitLoadToSessionType` key with the value `Aqua`, ensuring the MacMa only runs when there is a logged in GUI user.(Citation: ESET DazzleSpy Jan 2022)(Citation: Objective-See MacMa Nov 2021)
Enterprise T1555 .001 Credentials from Password Stores: Keychain

MacMa can dump credentials from the macOS keychain.(Citation: ESET DazzleSpy Jan 2022)
Enterprise T1074 .001 Data Staged: Local Data Staging

MacMa has stored collected files locally before exfiltration.(Citation: Objective-See MacMa Nov 2021)
Enterprise T1070 .002 Indicator Removal: Clear Linux or Mac System Logs

MacMa can clear possible malware traces such as application logs.(Citation: ESET DazzleSpy Jan 2022)
.004 Indicator Removal: File Deletion

MacMa can delete itself from the compromised computer.(Citation: ESET DazzleSpy Jan 2022)

.006 Indicator Removal: Timestomp

MacMa has the capability to create and modify file timestamps.(Citation: ESET DazzleSpy Jan 2022)

Enterprise T1056 .001 Input Capture: Keylogging

MacMa can use Core Graphics Event Taps to intercept user keystrokes from any text input field and saves them to text files. Text input fields include Spotlight, Finder, Safari, Mail, Messages, and other apps that have text fields for passwords.(Citation: Objective-See MacMa Nov 2021)(Citation: SentinelOne MacMa Nov 2021)
Enterprise T1553 .001 Subvert Trust Controls: Gatekeeper Bypass

MacMa has removed the `com.apple.quarantineattribute` from the dropped file, `$TMPDIR/airportpaird`.(Citation: ESET DazzleSpy Jan 2022)

References

  1. M.Léveillé, M., Cherepanov, A.. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022.
  2. Wardle, P. (2021, November 11). OSX.CDDS (OSX.MacMa). Retrieved June 30, 2022.
  3. Stokes, P. (2021, November 15). Infect If Needed | A Deeper Dive Into Targeted Backdoor macOS.Macma. Retrieved June 30, 2022.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.