Trend Micro finds a new macOS backdoor linked to OceanLotus

In a blog post on Wednesday, Trend Micro security researcher Jaromir Horejsi reported a new macOS backdoor (detected by Trend Micro as OSX_OCEANLOTUS.D) that is being used by the OceanLotus group. The targets are Mac users who have the Perl programming language installed. OceanLotus, also known as SeaLotus, Cobalt Kitty, APT-C-00 and APT32, is a threat group believed to be associated with the Vietnamese government.

According to Horejsi, the backdoor is distributed through malicious Word documents attached to phishing emails. The lure document is named “2018-PHIẾU GHI DANH THAM DỰ TĨNH HỘI HMDC 2018.doc”, which translates to “2018-REGISTRATION FORM OF HMDC ASSEMBLY 2018.doc”; HMDC is an organization that promotes national independence and democracy in Vietnam.

macOS backdoor

Horejsi said that when the recipient opens the document, it prompts them to enable macros. The malicious macro is obfuscated character by character using decimal ASCII codes, so that the script text never appears in plaintext and security products that match on strings do not detect it.
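The character-by-character decimal ASCII obfuscation described above is usually implemented in VBA as long chains of Chr(nn) & Chr(nn) concatenations. The following is an added Python example (not Trend Micro's code and not the actual macro) that undoes that pattern: it rewrites each Chr() chain as a plain string literal and then follows simple x = x & "…" assignments to recover the assembled command. The VBA sample is constructed for this example; the real macro's exact structure is not given on this page, and the assumption that it uses Chr() chains is mine.

```python
import re

# Constructed sample, not the real OceanLotus macro: two VBA lines that build a
# command string one character at a time from decimal ASCII codes.
SAMPLE_VBA = (
    'cmd = Chr(112) & Chr(101) & Chr(114) & Chr(108) & Chr(32) & Chr(45) & Chr(101)\n'
    'cmd = cmd & Chr(32) & Chr(34) & Chr(112) & Chr(114) & Chr(105) & Chr(110) '
    '& Chr(116) & Chr(32) & Chr(49) & Chr(34)\n'
)

# One Chr()/ChrW()/ChrB() call, and a maximal run of them joined with "&".
CHR_ONE = re.compile(r'Chr[WB]?\(\s*(\d+)\s*\)', re.IGNORECASE)
CHR_RUN = re.compile(r'(?:Chr[WB]?\(\s*\d+\s*\)\s*&\s*)*Chr[WB]?\(\s*\d+\s*\)', re.IGNORECASE)
# A VBA string literal ("" is an escaped quote) or a bare identifier.
TOKEN = re.compile(r'"(?:[^"]|"")*"|[A-Za-z_]\w*')
ASSIGN = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')


def decode_run(run: str) -> str:
    """Turn 'Chr(112) & Chr(101)' into 'pe'."""
    return ''.join(chr(int(n)) for n in CHR_ONE.findall(run))


def deobfuscate(vba: str) -> str:
    """Replace every Chr(...) & Chr(...) run with an equivalent quoted VBA literal."""
    def to_literal(m):
        return '"' + decode_run(m.group(0)).replace('"', '""') + '"'
    return CHR_RUN.sub(to_literal, vba)


def rebuild_variables(vba: str) -> dict:
    """Evaluate simple string building (x = "a" & y, x = x & "b") after deobfuscation.

    Only literals, identifiers and '&' are understood; unknown identifiers are kept
    verbatim, which is enough to recover the command strings this kind of macro builds.
    """
    env = {}
    for line in deobfuscate(vba).splitlines():
        m = ASSIGN.match(line)
        if not m:
            continue
        name, expr = m.groups()
        parts = []
        for tok in TOKEN.findall(expr):
            if tok.startswith('"'):
                parts.append(tok[1:-1].replace('""', '"'))   # unescape VBA literal
            else:
                parts.append(env.get(tok, tok))
        env[name] = ''.join(parts)
    return env


if __name__ == '__main__':
    print(deobfuscate(SAMPLE_VBA))
    print(rebuild_variables(SAMPLE_VBA))
```

On the constructed sample, rebuild_variables recovers cmd as perl -e "print 1", which is the kind of result an analyst wants before looking at the extracted payload: the command line is what the macro actually runs, and it is what a detection rule should match on after decoding.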

Once deobfuscated, the payload turns out to be written in Perl. It extracts a file named theme0.xml from the Word document. Despite the name, this is not XML but a 32-bit Mach-O executable (recognizable by its 0xFEEDFACE magic value), which serves as the dropper for the OSX_OCEANLOTUS.D backdoor.
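The 0xFEEDFACE value mentioned above is the Mach-O magic for 32-bit images; 64-bit images use 0xFEEDFACF, and universal binaries start with a 0xCAFEBABE fat header. The following added Python example (mine, not Trend Micro's tooling) parses the start of a file and reports whether it carries a Mach-O header regardless of byte order, which is how a triage script catches an "XML" file that is really an executable. The header bytes and the XML snippet are constructed for the example; they are not bytes from the real dropper.

```python
import struct

MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE        # 32-bit, native / byte-swapped
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE  # 64-bit
FAT_MAGIC, FAT_CIGAM = 0xCAFEBABE, 0xBEBAFECA      # universal (fat) wrapper

CPU_TYPES = {7: "i386", 0x01000007: "x86_64", 12: "arm", 0x0100000C: "arm64", 18: "ppc"}
FILE_TYPES = {1: "MH_OBJECT", 2: "MH_EXECUTE", 6: "MH_DYLIB", 8: "MH_BUNDLE"}

# Constructed samples, not bytes from the real dropper: a minimal 32-bit i386
# MH_EXECUTE header (little-endian, no load commands) and the start of a genuine theme XML.
SAMPLE_MACHO = struct.pack("<7I", MH_MAGIC, 7, 3, 2, 0, 0, 0) + b"\x00" * 4
SAMPLE_XML = b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n<a:theme/>'


def identify_macho(data: bytes):
    """Describe a Mach-O header found at the start of data, or return None."""
    if len(data) < 28:
        return None
    raw = struct.unpack(">I", data[:4])[0]   # the magic as the bytes appear on disk
    if raw in (FAT_MAGIC, FAT_CIGAM):
        # Fat headers are big-endian. 0xCAFEBABE is also the Java class-file magic,
        # where this field is a version number, so insist on a plausible arch count.
        nfat_arch = struct.unpack(">I", data[4:8])[0]
        if nfat_arch == 0 or nfat_arch > 32:
            return None
        return {"kind": "fat", "bits": None, "nfat_arch": nfat_arch}
    if raw in (MH_MAGIC, MH_CIGAM):
        bits = 32
    elif raw in (MH_MAGIC_64, MH_CIGAM_64):
        bits = 64
    else:
        return None
    # A little-endian file shows the byte-swapped (CIGAM) value when read big-endian.
    endian = "<" if raw in (MH_CIGAM, MH_CIGAM_64) else ">"
    magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags = struct.unpack(endian + "7I", data[:28])
    return {
        "kind": "thin",
        "bits": bits,
        "magic": f"0x{magic:08X}",
        "cputype": CPU_TYPES.get(cputype, hex(cputype)),
        "cpusubtype": cpusubtype,
        "filetype": FILE_TYPES.get(filetype, hex(filetype)),
        "ncmds": ncmds,
        "sizeofcmds": sizeofcmds,
        "flags": flags,
    }


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when a file claims a data extension but carries a Mach-O header."""
    benign = (".xml", ".rels", ".txt", ".jpg", ".png", ".gif", ".dat")
    return filename.lower().endswith(benign) and identify_macho(data) is not None


if __name__ == "__main__":
    print(identify_macho(SAMPLE_MACHO))
    print(extension_mismatch("theme0.xml", SAMPLE_MACHO))
```

To run this over files extracted from a document, pass the first 32 bytes of each file to identify_macho; reading only the header keeps the check cheap enough to apply to every embedded object in a sample.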

Horejsi said that all strings in the dropper and in the backdoor itself are encrypted with a hard-coded key, which the researcher describes as an RSA256 key. The encrypted strings come in two forms: strings that are only encrypted, and strings that combine the same encryption with a custom base64 encoding. Because the key is embedded in the binary, it is available to anyone with a copy of the sample, so this layer hinders string-based detection and casual inspection rather than a determined analyst.
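A custom base64 encoding is almost always the standard algorithm with a permuted 64-character alphabet, so the first step in recovering the encrypted strings is to locate that alphabet in the binary and translate it back to the standard one; the ciphertext that falls out still has to be decrypted with the recovered key. The following added Python example (mine, not Trend Micro's or the malware author's code) does the alphabet hunt and the translation. The alphabet, the "encrypted" bytes and the fake binary blob are all constructed for this example; the real sample's alphabet is not given on this page.

```python
import base64

STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Constructed for this example: a custom alphabet (the standard one reversed), a few
# bytes standing in for one encrypted string, and a fake binary with the alphabet
# embedded between runs of non-printable filler.
CUSTOM_ALPHABET = STD_ALPHABET[::-1]
SAMPLE_CIPHERTEXT = bytes.fromhex("9f0c41e2b37a58d6")
FILLER = b"\x00\x01\x02\x03\xff\xfe\xfd\xfc" * 4
SAMPLE_BLOB = FILLER + CUSTOM_ALPHABET.encode("ascii") + b"\x00" + FILLER


def custom_b64encode(raw: bytes, alphabet: str) -> str:
    """Standard base64, then swap in the custom alphabet (how such strings are produced)."""
    return base64.b64encode(raw).decode("ascii").translate(str.maketrans(STD_ALPHABET, alphabet))


def custom_b64decode(encoded: str, alphabet: str, pad: str = "=") -> bytes:
    """Map the custom alphabet back to the standard one, re-pad, and decode."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must be 64 distinct characters")
    body = encoded.rstrip(pad).translate(str.maketrans(alphabet, STD_ALPHABET))
    body += "=" * (-len(body) % 4)            # restore padding if the sample strips it
    return base64.b64decode(body, validate=True)


def find_candidate_alphabets(blob: bytes) -> list:
    """Scan a binary for 64-byte runs of distinct printable characters.

    Custom base64 alphabets are normally stored as one such string, so this is a
    quick way to locate them in a dropper before decoding its strings.
    """
    printable = set(range(0x21, 0x7F))      # non-space printable ASCII
    found = []
    for i in range(len(blob) - 63):
        window = blob[i:i + 64]
        if len(set(window)) == 64 and all(b in printable for b in window):
            found.append(window.decode("ascii"))
    return found


if __name__ == "__main__":
    encoded = custom_b64encode(SAMPLE_CIPHERTEXT, CUSTOM_ALPHABET)
    print("encoded with custom alphabet:", encoded)
    for candidate in find_candidate_alphabets(SAMPLE_BLOB):
        print("candidate alphabet:", candidate)
        print("decoded:", custom_b64decode(encoded, candidate).hex())
```

The scanner produces false positives on any 64 distinct printable bytes (parts of a real base64 blob, for instance), so each candidate is worth trying only if decoding a known string with it yields something that then decrypts cleanly; on the constructed blob it finds exactly the embedded alphabet.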

When the dropper runs, it first checks whether it has root privileges. Depending on the result, it uses one of two hard-coded sets of installation paths and process names to install the final backdoor, so the indicators differ between a root and a non-root infection.

When it installs the backdoor, the dropper sets the file's hidden attribute and uses the touch command to set the file's creation date and time to a random value (timestomping), which defeats triage that simply looks for recently created files.

The backdoor's functionality is split between two functions, infoClient and runHandle. infoClient collects operating system information, submits it to the command and control (C&C) server and receives further C&C instructions, while runHandle implements the backdoor's actual capabilities.

Although Macs are often considered more resistant to viruses and malware than Windows computers, that does not make them safe. Regardless of the operating system in use, Mac users need to stay alert to phishing and take precautions; in this case, declining to enable macros in an unexpected document would have stopped the infection chain at its first step.