Security researchers have discovered a new macOS backdoor linked to the OceanLotus hacking group. The new malware variant has added new features such as new behavior and domain names.
The OceanLotus Group, also known as APT32, is thought to have links to the Vietnamese government.
“OceanLotus was responsible for targeted attacks against organizations from industries such as media, research, and construction. Recently they have also been discovered by researchers from Volexity to be using malicious websites to propagate malware,” Trend Micro explained in the blog post.
According to the report, the malware was disguised as a legitimate Word document via its icon; the "document" was actually an app bundle delivered in a Zip archive.
In addition, the malware uses techniques to evade detection by adding special characters to its app bundle name.
“When a user looks for the fake doc folder via the macOS Finder app or the terminal command line, the folder’s name shows ‘ALL tim nha Chi Ngoc Canada.doc’,” Trend Micro explained.
“However, checking the original Zip file that contains the folder shows 3 unexpected bytes between ‘.’ and ‘doc’.”
The bytes use a special UTF-8 encoding that basically “tricks” the operating system into seeing the app bundle as an unsupported directory type. As a result, the system uses the default action “open” command to execute the malicious app.
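The trick described above leaves a trace a defender can check for: the folder name inside the archive contains bytes that the file system rendering hides. The following added example (not code from the article or from Trend Micro) scans the member paths of a Zip archive and reports any path component carrying hidden Unicode format or control characters, showing what the name displays as and how many extra UTF-8 bytes it carries. The article does not say which three bytes OceanLotus used, so the sample archive is constructed with an assumed ZERO WIDTH SPACE (U+200B, three bytes in UTF-8) between "." and "doc"; the bundle name and file contents are likewise constructed for illustration.

```python
import io
import unicodedata
import zipfile

# Unicode general categories that have no business in a file or folder name:
# Cf = format characters (zero-width space/joiner, byte-order mark, ...),
# Cc = control characters, Co = private use, Cn = unassigned.
HIDDEN_CATEGORIES = {"Cf", "Cc", "Co", "Cn"}


def hidden_chars(component):
    """Return (index, 'U+XXXX', category) for every hidden character in one path component."""
    return [
        (i, f"U+{ord(ch):04X}", unicodedata.category(ch))
        for i, ch in enumerate(component)
        if unicodedata.category(ch) in HIDDEN_CATEGORIES
    ]


def displayed_name(component):
    """Approximate what Finder or `ls` renders: the component with hidden characters removed."""
    return "".join(ch for ch in component if unicodedata.category(ch) not in HIDDEN_CATEGORIES)


def scan_zip_names(archive_bytes):
    """Scan every member path in a Zip archive and report path components that
    carry hidden Unicode characters. Returns a list of findings (empty means clean)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            for component in info.filename.split("/"):
                hits = hidden_chars(component)
                if not hits:
                    continue
                shown = displayed_name(component)
                findings.append({
                    "member": info.filename,
                    "component": component,
                    "displayed_as": shown,
                    "hidden": hits,
                    # The raw UTF-8 bytes are what a hex dump of the archive shows;
                    # the difference is the count of "unexpected bytes" in the name.
                    "extra_bytes": len(component.encode("utf-8")) - len(shown.encode("utf-8")),
                })
    return findings


def build_sample_archive():
    """Construct a sample archive (not a real malware sample): an app bundle whose
    folder name hides a ZERO WIDTH SPACE (U+200B, assumed for illustration) between
    '.' and 'doc', next to a benign member."""
    bundle = "ALL tim nha Chi Ngoc Canada.\u200bdoc"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"{bundle}/Contents/MacOS/launcher", "#!/bin/sh\necho placeholder\n")
        zf.writestr("readme.txt", "benign file\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip_names(build_sample_archive()):
        print(f"{f['member']!r}: component {f['component']!r} is displayed as "
              f"{f['displayed_as']!r}; hidden {f['hidden']}, {f['extra_bytes']} extra byte(s)")
```

Run against a downloaded archive by passing its bytes to `scan_zip_names`; a non-empty result on a name that looks like a plain document is worth quarantining before anyone double-clicks it. The check relies on Unicode categories rather than a fixed byte pattern, so it also catches other zero-width or control characters used for the same purpose.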
The malware then runs a shell script that performs various routines before downloading the second-stage and third-stage payloads.
Finally, Trend Micro said the new version contains two primary functions:
- Collecting operating system information and submitting this to its malicious command and control (C2) servers and receiving additional C2 communication information.
- Backdoor capabilities.
Readers may also remember that just this past July, researchers warned organizations to be on the lookout for another macOS malware dubbed “ThiefQuest.” Also known as EvilQuest, that malware similarly targeted macOS systems and encrypted files and installed keyloggers.
You can check out the Trend Micro report for more details on the malware, including supported commands, C2 domain names, and indicators of compromise.