Skip to content

Hide Navigation Hide TOC

MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a)

MacMa is a macOS-based backdoor with a large set of functionalities to control and exfiltrate files from a compromised computer. MacMa has been observed in the wild since November 2021.(Citation: ESET DazzleSpy Jan 2022) MacMa shares command and control and unique libraries with MgBot and Nightdoor, indicating a relationship with the Daggerfly threat actor.(Citation: Symantec Daggerfly 2024)

Cluster A Galaxy A Cluster B Galaxy B Level
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 1
Keychain - T1555.001 (1eaebf46-e361-4437-bc23-d5d65a3b92e3) Attack Pattern MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware 1
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 1
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern 1
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware Clear Linux or Mac System Logs - T1070.002 (2bce5b30-7014-4a5d-ade7-12913fe6ac36) Attack Pattern 1
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern 1
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) Attack Pattern 1
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 1
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware 1
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 1
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 1
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware 1
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 1
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 1
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern 1
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 1
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware 1
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware Launch Agent - T1543.001 (d10cbd34-42e3-45c0-84d2-535a09849584) Attack Pattern 1
Gatekeeper Bypass - T1553.001 (31a0a2ac-c67c-4a7e-b9ed-6a96477d4e8e) Attack Pattern MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware 1
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware 1
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 1
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 1
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) Attack Pattern 1
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware 1
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 1
Audio Capture - T1123 (1035cdf2-3e5f-446f-a7a7-e8f6d7925967) Attack Pattern MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware 1
Keychain - T1555.001 (1eaebf46-e361-4437-bc23-d5d65a3b92e3) Attack Pattern Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern 2
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern 2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern Clear Linux or Mac System Logs - T1070.002 (2bce5b30-7014-4a5d-ade7-12913fe6ac36) Attack Pattern 2
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 2
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 2
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern 2
Launch Agent - T1543.001 (d10cbd34-42e3-45c0-84d2-535a09849584) Attack Pattern Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 2
Gatekeeper Bypass - T1553.001 (31a0a2ac-c67c-4a7e-b9ed-6a96477d4e8e) Attack Pattern Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern 2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) Attack Pattern 2