New Macma macOS malware deployed by Evasive Panda

August 6, 2024

The notorious Chinese-speaking threat group Evasive Panda has been employing new versions of the Macma backdoor to target macOS-based devices. Based on reports, the primary targets of this new campaign are Taiwan-based corporations and an American non-governmental organisation in China.

Evasive Panda allegedly exploited a flaw in an Apache HTTP server to distribute a new version of their hallmark modular malware framework, MgBot, showing its sophistication and evolution to avoid security detections.

Researchers claimed this threat group has operated since at least 2012, carrying out internal and international espionage operations. Separate investigations also discovered an unusual behaviour in which a cyberespionage organisation used Tencent QQ software upgrades to infect NGO members in China with the MgBot virus.

The actors allegedly executed the campaign through a supply-chain or adversary-in-the-middle (AITM) attack, but the exact delivery method is still unverified.

Evasive Panda is the primary suspect of using the Macma malware.


Macma is a modular macOS virus initially identified by researchers in 2021; however, it had never been linked to a specific threat group. According to investigations, the latest Macma variants show continuous development, as its authors keep upgrading the malware's capabilities.

Researchers also confirmed that the latest variants employed in Evasive Panda attacks include new upgrades, such as new logic for collecting a file-system listing (with code based on a Tree), changed code in the AudioRecorderHelper functionality, additional parametrisation, and additional debug logging.

The first concrete sign of a connection between Macma and Evasive Panda is that two of the most recent variants connect to a C2 server shared with an MgBot dropper.

Macma and other malware strains in the same group’s toolset use code from a shared library or framework that provides thread and synchronisation primitives, event notifications and timers, data marshalling, and platform-independent abstractions.

Furthermore, Evasive Panda used this library to create malware strains for Windows, macOS, Linux, and Android. Users and organisations, especially in Taiwan, should improve their security defences regardless of the operating system their devices run, since the malware continues to improve over time.
