China-linked APT group uses new Macma macOS backdoor version

China-linked APT group Daggerfly (aka Evasive Panda, Bronze Highland) Evasive Panda has been spotted using an updated version of the macOS backdoor Macma.

The China-linked APT group Daggerfly (aka Evasive Panda or Bronze Highland) has significantly updated its malware arsenal, adding a new malware family based on the MgBot framework and an updated Macma macOS backdoor.

“The Daggerfly (aka Evasive Panda, Bronze Highland) espionage group has extensively updated its toolset, introducing several new versions of its malware, most likely in response to exposure of older variants.” reads the report. “The new tooling was deployed in a number of recent attacks against organizations in Taiwan and a U.S. NGO based in China, which indicates the group also engages in internal espionage. In the attack on this organization, the attackers exploited a vulnerability in an Apache HTTP server to deliver their MgBot malware.“

The APT group was spotted using the malware families in attacks against Taiwanese organizations and a U.S. NGO in China. The attackers exploited an Apache HTTP server vulnerability to deliver their MgBot malware.

Daggerfly has been active for at least a decade, the group is known for the use of the custom MgBot malware framework. In 2023, Symantec identified a Daggerfly intrusion at an African telecom operator, using new MgBot plugins. This highlights the group’s ongoing evolution in cyber espionage tactics.

The Macma macOS backdoor was first detailed by Google in 2021 and has been used since at least 2019. At the time of discovery, threat actors employed the malware in watering hole attacks involving compromised websites in Hong Kong. The watering hole attacks used exploits for iOS and macOS devices. Attackers exploited the privilege escalation vulnerability CVE-2021-30869 to install Macma on macOS devices.

Macma is a modular backdoor that supports multiple functionalities, including device fingerprinting, executing commands, screen capture, keylogging, audio capture, uploading and downloading files.

Although Macma was widely used in cyber operations carried out by nation-state actors, it was not linked to a particular group. However, Symantec has found evidence to suggest that it is part of the Daggerfly toolkit. Two variants of the Macma backdoor C2 server (103.243.212[.]98) that was also used by an MgBot dropper.

In addition to this shared infrastructure, Macma and other malware in the Daggerfly’s arsenal, including Mgbot all contain code from a single, shared library or framework. Elements of this library have been used to build Windows, macOS, Linux, and Android threats. The functionality provided by this library includes:

• Threading and synchronization primitives
• Event notifications and timers
• Data marshaling
• Platform-independent abstractions (e.g. time)

The new variants used by Daggerfly implement the following additions/improvements:

• New logic to collect a file’s system listing, with the new code based on Tree, a publicly available Linux/Unix utility. 
• Modified code in the AudioRecorderHelper feature
• Additional parametrisation
• Additional debug logging
• Addition of a new file (param2.ini) to set options to adjust screenshot size and aspect ratio

The experts also observed another malware, tracked as Suzafk (aka ‘NetMM’, Nightdoor), in the group toolkit that ESET researchers linked to Evasive Panda in March.

“Suzafk is a multi-staged backdoor capable of using TCP or OneDrive for C&C. The malware contained the following configuration, indicating the functionality to connect to OneDrive is in development or present in other variants of the malware.” continues the report.

The backdoor includes the code from the al-khaser project, a public code repository developed to avoid detection by detecting virtual machines, sandboxes, and malware analysis environments.

The malware can also execute commands for network and system monitoring, such as ‘ipconfig,’ ‘systeminfo,’ ‘tasklist,’ and ‘netstat.’

“The [Daggerfly] group can create versions of its tools targeting most major operating system platforms.” concludes the report. “In addition to the tools documented here, Symantec has seen evidence of the ability to Trojanize Android APKs, SMS interception tools, DNS request interception tools, and even malware families targeting Solaris OS. Daggerfly appears to be capable of responding to exposure by quickly updating its toolset to continue its espionage activities with minimal disruption.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Daggerfly)