
CTI Roundup: Evasive Panda Deploys New Malware, Macma Backdoor and Nightdoor

Evasive Panda deploys new versions of Macma backdoor and Nightdoor, cybercriminals work independently after RaaS takedowns, and a new Linux Play variant targets VMware ESXi systems

Emerging Issue

This week, CTI looks at a Chinese government-backed actor known as Evasive Panda, which has updated its toolset to introduce new versions of its Macma macOS backdoor and the Nightdoor Windows malware. Next, CTI recaps Europol’s 10th edition of their Internet Organised Crime Threat Assessment (IOCTA). Finally, CTI wraps up with a look at Play ransomware — an operation that is now deploying a Linux variant of their ransomware to target VMware ESXi environments.

1. Evasive Panda deploys new versions of Macma backdoor

A Chinese government-backed actor has updated its toolset to introduce multiple new versions of its Macma macOS backdoor and a new Windows malware, Nightdoor. The actor has deployed this new tooling in several recent attacks against organizations located in Taiwan and against an American non-governmental organization in China.

What is Macma macOS backdoor?

Macma is a macOS-specific backdoor. It was first documented by Google in 2021, but there is evidence to suggest it has been in use since at least 2019.

When Macma was first discovered it was primarily being used in watering hole attacks in Hong Kong. This backdoor is modular and has capabilities including fingerprinting, command execution, screen capture, keylogging, audio capture, and the ability to upload and download files.

Symantec has discovered more recent variants of the backdoor. One variant had an entirely different main module, while another had incremental updates. Some of the differences in the new variants include updated modules, updated file directory paths and filenames, and additional debug logging. The malware’s main module was updated to include new logic, modified code, and a new file.

Macma attribution

Researchers are attributing this latest activity to a China-backed actor known as Evasive Panda, aka Daggerfly. While Macma previously wasn’t linked to any specific group, Symantec believes that it is now part of Daggerfly’s arsenal.

Two of the variants they identified connected to a C2 server that was used by an MgBot dropper that is commonly used by Daggerfly. This shared infrastructure is a key indicator of attribution. Additionally, MgBot and Macma were found to contain code from a shared library or framework.

New Windows backdoor

Symantec also discovered the actor using a Windows backdoor, Trojan.Suzafk, that was first reported earlier this year by ESET and dubbed Nightdoor.

The Windows backdoor was observed alongside MgBot and again was developed with the same shared library as many Daggerfly tools.

This backdoor is multi-staged and uses TCP or OneDrive for its C2 communications. The loader will drop a DLL and an executable. The executable is a legitimate app called DAEMON Tools Lite Helper while the DLL is a loader meant to create scheduled tasks and load the final payload.

Analyst comments from Tanium’s Cyber Threat Intelligence team

This actor has been around for over a decade, primarily executing espionage campaigns. The continued evolution of the actor’s arsenal is one of the main reasons the actor remains successful.

Because this group is ‘heavily resourced,’ it can quickly develop and deploy new variants after previous variants are publicly reported on. Symantec believes the group builds its malware variants from a custom framework, as researchers were unable to link the code to any publicly available framework. This further supports the actor’s ability to quickly create new variants.

2. Cybercriminals work independently after RaaS takedowns

Europol has released the 10th edition of its Internet Organised Crime Threat Assessment (IOCTA), which looks at the threat landscape as a whole and analyzes a range of evolving threats and trends ranging from cyberattacks to payment fraud schemes. A portion of the assessment focuses on the impact of law enforcement disruptions. One of the key findings is an increased difficulty in actor tracking and an increase in actors opting to work independently.

The RaaS model operates in a way that almost forces ransomware operations to compete for affiliates and position themselves as the more attractive RaaS. This model already makes attribution a little muddy as affiliates could belong to more than one RaaS.

Recent law enforcement takedowns make attribution even more difficult by forcing operations to rebrand or dismantle and pushing actors to either join other groups or work with members of other groups to create entirely new operations. The shuffling of actors between ransomware groups makes it increasingly difficult to understand what operator is truly behind an attack.

Europol refers to the ransomware landscape as “fragmented” because of the increased law enforcement efforts.

Because law enforcement efforts can disrupt a ransomware operation, there is the potential for affiliates to either join another group or to break off on their own. While the latter is not seen every day it is still plausible — especially as affiliates grow tired of having to continually switch operations.

Analyst comments from Tanium’s Cyber Threat Intelligence team

Recent law enforcement efforts and disruptions over the last several months have certainly had an impact on the ransomware landscape. While they are not enough to break down the threat entirely, they are absolutely causing a shift in how ransomware actors are operating.

These takedown and disruption efforts are essentially testing the loyalties of actors and even increasing the number of actors that are willing to break off from the RaaS model and potentially begin to operate independently.

This potential shift towards independent actors comes with its own challenges. Aside from making attribution more difficult, it also would likely flood the landscape with tons of malware and ransomware variants, each with their own slight modifications.

3. Linux Play variant targets VMware ESXi systems

Play ransomware is now deploying a Linux variant of their ransomware to target VMware ESXi environments.

The latest Play attacks are primarily targeting organizations in the United States across several industries including manufacturing, professional services, and IT. Researchers also identified a connection between Play ransomware and Prolific Puma, an actor that operates a link-shortening service.

What is Play ransomware?

The Play ransomware operation first emerged in June 2022 and quickly became known across the industry for its use of custom-built tools.

The addition of a Linux variant to target VMware ESXi environments enables the group to target additional victims. According to Symantec, between January and July of 2024, the operation had 187 victims across multiple sectors — and 82.4% were in the U.S.

Play’s infection chain

The Play Linux variant had zero detections in VirusTotal at the time of Trend Micro’s report. Trend Micro has not yet seen an infection in the wild stemming from this variant but has confirmed that the C2 server is hosting many of the tools that the actor tends to use in its attacks.

The Linux variant appears to be similar to the Windows variant and accepts many of the same arguments. Some of these include executing normal functionality and encrypting a specified drive, network shared resource, or specific file/folder. This variant will run several commands to confirm that it is running in an ESXi environment before fully executing and will delete itself if not.

Shell script commands will be executed if it is found to be running in an ESXi environment, one of which is responsible for scanning and shutting down any identified VMs. The ransomware will move on to execute several commands that will encrypt VM files including the VM disk, config, and metadata files, appending them with the .play extension and dropping the ransom note.
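The behaviour described above gives defenders a simple datastore-level indicator: VM disk, config and metadata files that now carry the .play extension after their original one. The following is an added example, not code from the original post or from Trend Micro, that walks a (constructed) datastore listing and groups such files by VM directory; the VM file extensions it checks are an assumption based on common ESXi file types, not a list from the page.

```python
import os
from collections import defaultdict

# Assumed VM file types (disk, config and metadata files) to watch for.
VM_EXTENSIONS = {".vmdk", ".vmx", ".vmxf", ".vmsd", ".vmsn", ".nvram"}
# Extension the page states the Play Linux variant appends to encrypted files.
ENCRYPTED_SUFFIX = ".play"


def classify_path(path: str):
    """Return (vm_dir, original_ext) if `path` looks like a VM file renamed
    with the .play extension (e.g. web01.vmdk.play); otherwise return None.
    A .play file whose original extension is not a VM file type is ignored."""
    base = os.path.basename(path)
    if not base.endswith(ENCRYPTED_SUFFIX):
        return None
    stem = base[: -len(ENCRYPTED_SUFFIX)]
    orig_ext = os.path.splitext(stem)[1].lower()
    if orig_ext not in VM_EXTENSIONS:
        return None
    return os.path.dirname(path), orig_ext


def find_encrypted_vms(paths):
    """Group hits by VM directory; returns {vm_dir: sorted list of original extensions}."""
    hits = defaultdict(set)
    for p in paths:
        result = classify_path(p)
        if result:
            vm_dir, ext = result
            hits[vm_dir].add(ext)
    return {d: sorted(e) for d, e in hits.items()}


# Constructed sample listing (not real indicators): one VM with its files
# renamed, one untouched VM, and an unrelated .play file that must not count.
SAMPLE_PATHS = [
    "/vmfs/volumes/datastore1/web01/web01.vmx.play",
    "/vmfs/volumes/datastore1/web01/web01.vmdk.play",
    "/vmfs/volumes/datastore1/web01/web01.vmsd.play",
    "/vmfs/volumes/datastore1/db01/db01.vmx",
    "/vmfs/volumes/datastore1/db01/db01.vmdk",
    "/vmfs/volumes/datastore1/notes/readme.txt.play",
]

if __name__ == "__main__":
    for vm_dir, exts in find_encrypted_vms(SAMPLE_PATHS).items():
        print(f"{vm_dir}: VM files with {ENCRYPTED_SUFFIX} suffix: {', '.join(exts)}")
```

On a live host the same function can be fed the output of a recursive directory walk over the datastore volumes rather than the constructed list.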

Play’s Prolific Puma connection

Trend Micro noticed that the URL hosting the ransomware payload and tools was related to another actor known as Prolific Puma. This actor creates domains using a domain generation algorithm and then uses them in the link-shortening service that it sells.

Analyst comments from Tanium’s Cyber Threat Intelligence team

This discovery makes Play the latest ransomware operation in a growing list of actors with an interest in targeting Linux to increase the number of potential victims.

The fact that Play is leveraging the link-shortening services provided by Prolific Puma further signals the group’s evolution. Trend Micro notes that Prolific Puma is ‘discerning in its client selection process, preferring to engage with individuals or groups deemed deserving of its services,’ indicating that other actors, like Prolific Puma, see the Play ransomware operation as sophisticated or ‘worthy.’



Tanium CTI

Tanium's Cyber Threat Intelligence (CTI) analysts process and extract trends from the daily cyber landscape to curate and deliver current intel to stakeholders around threats impacting business and security.
