A new backdoor has been discovered by researchers at Trend Micro, which attacks MacOS systems, and is likely linked to the OceanLotus threat group.
The cybersecurity firm, in a recent blog post, said the backdoor, which it dubbed OSX_OCEANLOTUS.D, targets Apple Mac operating systems that have the Perl programming language installed.
The backdoor was uncovered within a malicious Windows Word document, which was likely distributed via spear-phishing email campaigns. The document appears to come from HDMC, a Vietnamese organization that promotes national independence and democracy, and has specifically targeted human rights organizations, media organizations, research institutes and maritime construction firms.
The OceanLotus threat group (also known as APT 32, APT-C-00, SeaLotus, and Cobalt Kitty) likely operates out of Vietnam, and targets high-profile Vietnamese entities, in addition to corporate and government groups located in the Philippines, Laos and Cambodia.
Security firm Volexity has been tracking the activities of the OceanLotus Group since last year. The group was first identified in 2015 by SkyEye Labs, and is thought to be a Vietnam-based APT group that has “become increasingly sophisticated in its attack tactics, techniques and procedures (TTPs)”.
Volexity describes OceanLotus as “one of the more sophisticated APT actors currently in operation”, and believes that the group “has been rapidly developing a highly skilled and organized computer network exploitation (CNE) capability”.
The latest element of the campaign is triggered by a target opening the Word attachment and then enabling macros, which installs the backdoor on the MacOS system. Each string in the dropper is encrypted with a hardcoded RSA256 key.
The dropper is able to ascertain whether or not the victim is logged in as root, and will then simply modify the download file paths depending on the situation. Malicious files that have been downloaded and installed by the dropper aim to enable persistence and ensure the malware loads at startup — including the backdoor. Their attributes are set to hidden with a random date and time to avoid discovery.
The dropper will delete itself once its tasks are finished in order to avoid arousing suspicion. The MacOS backdoor has two main functions. The infoClient process gathers information relating to the operating system, submits data to the malware’s command and control (C&C) servers, and receives instructions from the operators of the malware. Information sent to the C&C server is both encrypted and scrambled, then decoded on the other side. The second part of the process, runHandle, maintains the backdoor.