{"id":166102,"date":"2024-07-24T10:09:37","date_gmt":"2024-07-24T10:09:37","guid":{"rendered":"https:\/\/securityaffairs.com\/?p=166102"},"modified":"2024-07-24T10:09:38","modified_gmt":"2024-07-24T10:09:38","slug":"daggerfly-macma-macos-backdoor","status":"publish","type":"post","link":"https:\/\/securityaffairs.com\/166102\/apt\/daggerfly-macma-macos-backdoor.html","title":{"rendered":"China-linked APT group uses new Macma macOS backdoor version<\/gwmw>"},"content":{"rendered":"
<\/div>\n

China-linked APT group Daggerfly (aka Evasive Panda, Bronze Highland)\u00a0Evasive Panda has been spotted using an updated version of the macOS backdoor Macma. <\/h2>\n\n\n\n

The China-linked APT group Daggerfly (aka Evasive Panda or Bronze Highland) has significantly updated its malware arsenal, adding a new malware family based on the MgBot framework and an updated Macma macOS backdoor<\/a>.<\/p>\n\n\n\n

“The Daggerfly (aka Evasive Panda, Bronze Highland) espionage group has extensively updated its toolset, introducing several new versions of its malware, most likely in response to exposure of older variants.” reads the report<\/a>.<\/em>\u00a0“The new tooling was deployed in a number of recent attacks against organizations in Taiwan and a\u00a0U.S. NGO based in China, which indicates the group also engages in internal espionage. In the attack on this organization, the attackers exploited a vulnerability in an Apache HTTP server to deliver their MgBot malware.<\/gwmw>“<\/p>\n\n\n\n

The APT group was spotted using the malware families in attacks against Taiwanese organizations and a U.S. NGO in China. The attackers exploited an Apache HTTP server vulnerability to deliver their MgBot malware. <\/gwmw><\/p>\n\n\n\n

Daggerfly has been active for at least a decade, the group is known for the use of the custom MgBot malware framework. In 2023, Symantec identified a Daggerfly intrusion at an African telecom operator, using new MgBot plugins. This highlights the group’s ongoing evolution in cyber espionage tactics.<\/p>\n\n\n\n

The Macma macOS backdoor was\u00a0first detailed by Google in 2021<\/a>\u00a0and has been used since at least 2019. At the time of discovery, threat actors employed the malware in watering hole attacks involving compromised websites in Hong Kong. The watering hole attacks used exploits for iOS and macOS devices. Attackers exploited the privilege escalation vulnerability CVE-2021-30869<\/a> to install Macma on macOS devices.<\/p>\n\n\n\n

Macma is a modular backdoor that supports multiple functionalities, including device fingerprinting, executing commands, screen capture, keylogging, audio capture, uploading and downloading files.<\/p>\n\n\n\n

Although Macma was widely used in cyber operations carried out by nation-state actors, it was not linked to a particular group. However, Symantec has found evidence to suggest\u00a0that it is part of the Daggerfly toolkit. Two variants of the Macma backdoor C2 server (103.243.212[.]98) that was also used by an MgBot dropper.<\/p>\n\n\n\n

In addition to this shared infrastructure, Macma and other malware in the Daggerfly’s arsenal, including Mgbot all contain code from a single, shared library or framework. Elements of this library have been used to build Windows, macOS, Linux, and Android threats. The functionality provided by this library includes:<\/p>\n\n\n\n