
S1016 MacMa

MacMa is a macOS-based backdoor with a large set of functionalities to control and exfiltrate files from a compromised computer. MacMa has been observed in the wild since November 2021. [1]

ID: S1016
Associated Names: OSX.CDDS, DazzleSpy
Version: 1.0
Created: 06 May 2022
Last Modified: 24 October 2022

Associated Software Descriptions

DazzleSpy [1]

Techniques Used

Domain: Enterprise (applies to every technique listed below)

T1123  Audio Capture
    MacMa has the ability to record audio. [2]

T1059.004  Command and Scripting Interpreter: Unix Shell
    MacMa can execute supplied shell commands and uses bash scripts to perform additional actions. [1][2]

T1543.001  Create or Modify System Process: Launch Agent
    MacMa installs a file in the /LaunchAgents folder with the RunAtLoad value set to true. Upon user login, MacMa is executed from /var/root/.local/softwareupdate with root privileges. Some variations also include the LimitLoadToSessionType key with the value Aqua, ensuring MacMa only runs when there is a logged-in GUI user. [1][2]

T1555.001  Credentials from Password Stores: Keychain
    MacMa can dump credentials from the macOS keychain. [1]

T1005  Data from Local System
    MacMa can collect and then exfiltrate files from the compromised system. [1]

T1074.001  Data Staged: Local Data Staging
    MacMa has stored collected files locally before exfiltration. [2]

T1140  Deobfuscate/Decode Files or Information
    MacMa decrypts a downloaded file using AES-128-ECB with a custom delta. [1]

T1573  Encrypted Channel
    MacMa has used TLS encryption to initialize a custom protocol for C2 communications. [1]

T1041  Exfiltration Over C2 Channel
    MacMa exfiltrates data from a supplied path over its C2 channel. [1]

T1083  File and Directory Discovery
    MacMa can search for a specific file on the compromised computer and can enumerate files in the Desktop, Downloads, and Documents folders. [1]

T1070.002  Indicator Removal: Clear Linux or Mac System Logs
    MacMa can clear possible malware traces such as application logs. [1]

T1070.004  Indicator Removal: File Deletion
    MacMa can delete itself from the compromised computer. [1]

T1070.006  Indicator Removal: Timestomp
    MacMa has the capability to create and modify file timestamps. [1]

T1105  Ingress Tool Transfer
    MacMa has downloaded additional files, including an exploit used for privilege escalation. [1][2]

T1056.001  Input Capture: Keylogging
    MacMa can use Core Graphics Event Taps to intercept user keystrokes from any text input field and save them to text files. Text input fields include Spotlight, Finder, Safari, Mail, Messages, and other apps that have text fields for passwords. [2][3]

T1106  Native API
    MacMa has used macOS API functions to perform tasks. [1][2]

T1095  Non-Application Layer Protocol
    MacMa has used a custom JSON-based protocol for its C&C communications. [1]

T1571  Non-Standard Port
    MacMa has used TCP port 5633 for C2 communication. [1]

T1057  Process Discovery
    MacMa can enumerate running processes. [1]

T1021  Remote Services
    MacMa can manage remote screen sessions. [1]

T1113  Screen Capture
    MacMa has used Apple's Core Graphics APIs, such as CGWindowListCreateImageFromArray, to capture the user's screen and open windows. [1][2]

T1553.001  Subvert Trust Controls: Gatekeeper Bypass
    MacMa has removed the quarantine attribute (com.apple.quarantine) from the dropped file, $TMPDIR/airportpaird. [1]

T1082  System Information Discovery
    MacMa can collect information about a compromised computer, including the hardware UUID, Mac serial number, macOS version, and disk sizes. [1]

T1016  System Network Configuration Discovery
    MacMa can collect IP addresses from a compromised host. [1]

T1033  System Owner/User Discovery
    MacMa can collect the username from the compromised machine. [1]
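The Launch Agent entry (T1543.001) describes a concrete persistence pattern: RunAtLoad set to true, a payload under the hidden /var/root/.local/ directory, and optionally LimitLoadToSessionType = Aqua. The following triage script is an added example written for this page; it is not MITRE's code nor anything from the MacMa samples. It parses LaunchAgent plists with the standard plistlib module and reports jobs matching that pattern. The two sample plists are constructed, and the directory paths in the __main__ block are the standard macOS LaunchAgents locations (assumed, not taken from the page).

```python
"""Triage LaunchAgent plists for the persistence pattern described for MacMa.

Flags launchd jobs that combine RunAtLoad = true with a program that lives in
a hidden dot-directory (the reported location is /var/root/.local/softwareupdate)
and notes the optional LimitLoadToSessionType = Aqua key.
"""
import plistlib
from pathlib import Path

# Program path reported in the T1543.001 description.
REPORTED_PATH = "/var/root/.local/softwareupdate"


def program_path(job: dict) -> str:
    """Executable a launchd job runs: the Program key, else the first ProgramArguments entry."""
    if job.get("Program"):
        return str(job["Program"])
    args = job.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def in_hidden_dir(path: str) -> bool:
    """True when any directory component of the path starts with a dot."""
    return any(part.startswith(".") for part in Path(path).parts[:-1])


def triage_plist(data: bytes) -> list:
    """Return the reasons a LaunchAgent plist matches the MacMa pattern; empty means no match."""
    job = plistlib.loads(data)
    prog = program_path(job)
    reasons = []
    if job.get("RunAtLoad") is True:
        if prog == REPORTED_PATH:
            reasons.append("RunAtLoad=true and program path equals the reported MacMa path")
        elif in_hidden_dir(prog):
            reasons.append("RunAtLoad=true and program lives in a hidden dot-directory")
    # The Aqua session filter only matters in combination with the findings above.
    if reasons and job.get("LimitLoadToSessionType") == "Aqua":
        reasons.append("LimitLoadToSessionType=Aqua: runs only for a logged-in GUI user")
    return reasons


def triage_directory(directory: str) -> dict:
    """Map each flagged *.plist under a LaunchAgents directory to its reasons."""
    findings = {}
    for p in Path(directory).glob("*.plist"):
        try:
            reasons = triage_plist(p.read_bytes())
        except plistlib.InvalidFileException:
            continue  # skip malformed files rather than abort the sweep
        if reasons:
            findings[str(p)] = reasons
    return findings


# Constructed sample plists (not files recovered from an infection).
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.softwareupdate</string>
  <key>ProgramArguments</key><array><string>/var/root/.local/softwareupdate</string></array>
  <key>RunAtLoad</key><true/>
  <key>LimitLoadToSessionType</key><string>Aqua</string>
</dict></plist>"""

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array><string>/usr/local/bin/updater</string><string>--check</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS_PLIST), ("benign", BENIGN_PLIST)):
        print(name, triage_plist(blob) or "no match")
    # Sweep the standard agent directories on a macOS host (assumed locations).
    for d in ("/Library/LaunchAgents", str(Path.home() / "Library/LaunchAgents")):
        print(d, triage_directory(d))
```

A benign job with RunAtLoad = true and a normal program path produces no findings, so the hidden-directory condition is what carries the signal; review any hit by hand, since legitimate tools occasionally install under dot-directories too.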
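The Non-Standard Port entry (T1571) gives a network indicator: C2 over TCP port 5633. The hunt below is an added example written for this page, not MITRE's code; it reads connection records in a Zeek conn.log-like tab-separated layout (the records and all addresses are constructed) and returns TCP connections to that port on non-private destinations, which is the combination worth reviewing.

```python
"""Hunt connection records for the MacMa C2 indicator: TCP to port 5633 on an
external host. Records are constructed in a Zeek conn.log-like layout; only the
columns named in the #fields header are required.
"""
import ipaddress
from typing import Dict, Iterator, List

MACMA_C2_PORT = 5633  # from the T1571 description

# Constructed sample records (addresses are placeholders, not real infrastructure).
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
1700000001.1\tC1\t10.0.0.5\t52110\t23.45.67.89\t5633\ttcp\t-
1700000002.2\tC2\t10.0.0.5\t52111\t10.0.0.9\t5633\ttcp\t-
1700000003.3\tC3\t10.0.0.7\t52112\t23.45.67.90\t443\ttcp\tssl
1700000004.4\tC4\t10.0.0.7\t52113\t23.45.67.89\t5633\tudp\t-
1700000005.5\tC5\t10.0.0.8\t52114\t23.45.67.89\t5633\ttcp\t-
"""


def parse_conn_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, keyed by the column names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other Zeek header lines and blank lines
        if fields is None:
            raise ValueError("record seen before #fields header")
        yield dict(zip(fields, line.split("\t")))


def is_external(ip: str) -> bool:
    """True for a routable destination; private, loopback, link-local and multicast are skipped."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_multicast)


def find_c2_candidates(text: str, port: int = MACMA_C2_PORT) -> List[Dict[str, str]]:
    """Return records for TCP connections to `port` on an external host."""
    hits = []
    for rec in parse_conn_log(text):
        if rec.get("proto") != "tcp":
            continue  # the indicator is TCP; UDP to the same port is unrelated
        if int(rec["id.resp_p"]) != port:
            continue
        if not is_external(rec["id.resp_h"]):
            continue  # internal services on 5633 are far more likely benign
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in find_c2_candidates(SAMPLE_CONN_LOG):
        print(h["uid"], h["id.orig_h"], "->", h["id.resp_h"], h["id.resp_p"])
```

Port alone is a weak indicator; pair any hit with the host-side checks (the LaunchAgent and the $TMPDIR/airportpaird drop named on this page) before escalating.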