S1016 MacMa
MacMa is a macOS-based backdoor with a large set of functionalities to control and exfiltrate files from a compromised computer. MacMa has been observed in the wild since November 2021.1
Item | Value |
---|---|
ID | S1016 |
Associated Names | OSX.CDDS, DazzleSpy |
Type | MALWARE |
Version | 1.0 |
Created | 06 May 2022 |
Last Modified | 24 October 2022 |
Associated Software Descriptions
Name | Description |
---|---|
OSX.CDDS | 2 |
DazzleSpy | 1 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1123 | Audio Capture | MacMa has the ability to record audio.2 |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.004 | Unix Shell | MacMa can execute supplied shell commands and uses bash scripts to perform additional actions.12 |
enterprise | T1543 | Create or Modify System Process | - |
enterprise | T1543.001 | Launch Agent | MacMa installs a com.apple.softwareupdate.plist file in the /LaunchAgents folder with the RunAtLoad value set to true. Upon user login, MacMa is executed from /var/root/.local/softwareupdate with root privileges. Some variants also include the LimitLoadToSessionType key with the value Aqua, ensuring MacMa only runs when there is a logged-in GUI user.12 |
enterprise | T1555 | Credentials from Password Stores | - |
enterprise | T1555.001 | Keychain | MacMa can dump credentials from the macOS keychain.1 |
enterprise | T1005 | Data from Local System | MacMa can collect then exfiltrate files from the compromised system.1 |
enterprise | T1074 | Data Staged | - |
enterprise | T1074.001 | Local Data Staging | MacMa has stored collected files locally before exfiltration.2 |
enterprise | T1140 | Deobfuscate/Decode Files or Information | MacMa decrypts a downloaded file using AES-128-ECB with a custom delta.1 |
enterprise | T1573 | Encrypted Channel | MacMa has used TLS encryption to initialize a custom protocol for C2 communications.1 |
enterprise | T1041 | Exfiltration Over C2 Channel | MacMa exfiltrates data from a supplied path over its C2 channel.1 |
enterprise | T1083 | File and Directory Discovery | MacMa can search for a specific file on the compromised computer and can enumerate files in Desktop, Downloads, and Documents folders.1 |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.002 | Clear Linux or Mac System Logs | MacMa can clear possible malware traces such as application logs.1 |
enterprise | T1070.004 | File Deletion | MacMa can delete itself from the compromised computer.1 |
enterprise | T1070.006 | Timestomp | MacMa has the capability to create and modify file timestamps.1 |
enterprise | T1105 | Ingress Tool Transfer | MacMa has downloaded additional files, including an exploit used for privilege escalation.12 |
enterprise | T1056 | Input Capture | - |
enterprise | T1056.001 | Keylogging | MacMa can use Core Graphics Event Taps to intercept user keystrokes from any text input field and save them to text files. Text input fields include Spotlight, Finder, Safari, Mail, Messages, and other apps that have text fields for passwords.23 |
enterprise | T1106 | Native API | MacMa has used macOS API functions to perform tasks.12 |
enterprise | T1095 | Non-Application Layer Protocol | MacMa has used a custom JSON-based protocol for its C&C communications.1 |
enterprise | T1571 | Non-Standard Port | MacMa has used TCP port 5633 for C2 Communication.1 |
enterprise | T1057 | Process Discovery | MacMa can enumerate running processes.1 |
enterprise | T1021 | Remote Services | MacMa can manage remote screen sessions.1 |
enterprise | T1113 | Screen Capture | MacMa has used Apple's Core Graphics APIs, such as CGWindowListCreateImageFromArray, to capture the user's screen and open windows.12 |
enterprise | T1553 | Subvert Trust Controls | - |
enterprise | T1553.001 | Gatekeeper Bypass | MacMa has removed the com.apple.quarantine attribute from the dropped file, $TMPDIR/airportpaird.1 |
enterprise | T1082 | System Information Discovery | MacMa can collect information about a compromised computer, including: Hardware UUID, Mac serial number, macOS version, and disk sizes.1 |
enterprise | T1016 | System Network Configuration Discovery | MacMa can collect IP addresses from a compromised host.1 |
enterprise | T1033 | System Owner/User Discovery | MacMa can collect the username from the compromised machine.1 |
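The Launch Agent row above describes a recognisable persistence pattern: a plist whose Label impersonates an Apple component (com.apple.softwareupdate) but whose executable lives in a hidden directory under /var/root, set to RunAtLoad and, in some variants, limited to Aqua (GUI) sessions. The following is an added triage script, not code from the ATT&CK page or from the cited reports. Only the label, the plist keys, and the /var/root/.local/softwareupdate path come from the page; the list of Apple-owned directories, the sample plists, and the benign comparison item are constructed assumptions for this example.

```python
"""Triage launchd plists for the MacMa-style Launch Agent pattern.

Added example (not from the ATT&CK page or the cited reports). Flags a plist when
its Label looks like an Apple component but its executable is outside Apple-owned
paths, or when the executable sits in a hidden directory; RunAtLoad and
LimitLoadToSessionType are reported as context for flagged items only, because
on their own they are normal for legitimate agents.
"""
import os
import plistlib
import posixpath
from typing import Dict, List, Optional

# Where Apple ships its own launchd jobs from. ASSUMPTION for this example;
# tune for the macOS versions in your fleet.
APPLE_OWNED_PREFIXES = (
    "/System/", "/usr/libexec/", "/usr/sbin/", "/usr/bin/", "/Library/Apple/",
)


def program_path(plist: dict) -> Optional[str]:
    """Executable a launchd job starts: Program takes precedence over ProgramArguments[0]."""
    if isinstance(plist.get("Program"), str):
        return plist["Program"]
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None


def in_hidden_dir(path: str) -> bool:
    """True if any directory component of the path is dot-prefixed, e.g. /var/root/.local/x."""
    dirs = path.split("/")[:-1]
    return any(d.startswith(".") and d not in (".", "..") for d in dirs)


def triage_launch_item(plist_bytes: bytes) -> List[str]:
    """Return indicator strings for one plist; an empty list means nothing was flagged."""
    plist = plistlib.loads(plist_bytes)
    label = plist.get("Label", "")
    exe = program_path(plist)
    if exe is None:
        return ["no Program/ProgramArguments key"]
    exe = posixpath.normpath(exe)

    findings = []
    if label.startswith("com.apple.") and not exe.startswith(APPLE_OWNED_PREFIXES):
        findings.append(f"Apple-looking label {label!r} but executable outside Apple paths: {exe}")
    if in_hidden_dir(exe):
        findings.append(f"executable in hidden directory: {exe}")
    if not findings:
        return []

    # Context that matters once something is already suspicious.
    if plist.get("RunAtLoad") is True:
        findings.append("RunAtLoad=true (runs at login/boot)")
    if plist.get("LimitLoadToSessionType") == "Aqua":
        findings.append("LimitLoadToSessionType=Aqua (GUI sessions only)")
    return findings


def scan_directory(directory: str) -> Dict[str, List[str]]:
    """Triage every *.plist in a LaunchAgents/LaunchDaemons folder; unparseable files are reported."""
    results: Dict[str, List[str]] = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            try:
                findings = triage_launch_item(fh.read())
            except Exception as exc:  # malformed plist is itself worth a look
                findings = [f"unparseable plist: {exc}"]
        if findings:
            results[name] = findings
    return results


# CONSTRUCTED sample: mirrors the keys and path described in the Launch Agent row.
MACMA_STYLE_PLIST = plistlib.dumps({
    "Label": "com.apple.softwareupdate",
    "Program": "/var/root/.local/softwareupdate",
    "RunAtLoad": True,
    "LimitLoadToSessionType": "Aqua",
})

# CONSTRUCTED benign comparison: Apple label, Apple-owned path, also RunAtLoad.
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.apple.example.agent",
    "ProgramArguments": ["/System/Library/CoreServices/ExampleAgent", "--daemon"],
    "RunAtLoad": True,
})

if __name__ == "__main__":
    for name, data in (("macma-style", MACMA_STYLE_PLIST), ("benign", BENIGN_PLIST)):
        print(name, "->", triage_launch_item(data) or "clean")
    for folder in ("/Library/LaunchAgents", "/Library/LaunchDaemons"):
        if os.path.isdir(folder):
            print(folder, scan_directory(folder))
```

On a real host run it as root so /Library/LaunchAgents and the /var/root target are readable; pair the plist result with `ls -la@` on the executable, since a matching binary that also lacks the com.apple.quarantine attribute (see the Gatekeeper Bypass row) strengthens the finding.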
References
- M.Léveillé, M., & Cherepanov, A. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022.
- Wardle, P. (2021, November 11). OSX.CDDS (OSX.MacMa). Retrieved June 30, 2022.
- Stokes, P. (2021, November 15). Infect If Needed | A Deeper Dive Into Targeted Backdoor macOS.Macma. Retrieved June 30, 2022.