Cybersecurity experts at Trend Micro have recently detailed a new form of malware that targets Apple macOS users and has been linked to the nation-state-backed OceanLotus hacking group.
The newly revealed macOS backdoor variant relies on multi-stage payloads and several updated anti-detection techniques, and the cybersecurity experts have attributed it to the OceanLotus advanced persistent threat (APT) group.
OceanLotus, also known as APT32, is a hacking group believed to have links to the Vietnamese government. Compared with earlier malware variants linked to OceanLotus, the newly discovered sample shows similarities in dynamic behavior and code, which clearly suggests a link to the same attackers.
Arrival
According to the report, the sample arrives as an app bundle packed in a Zip archive. It uses the icon of a Word document file as a disguise, trying to pass itself off as a legitimate document file.
It also uses another technique to evade detection: special characters are added to its app bundle name. As a result, the operating system treats the app bundle as an unsupported directory type.
So, by default, the “open” command is used to run the malicious app. Had the suffix been .doc without the special characters, Microsoft Word would have been asked to open the app bundle as a document; since it is not a legitimate document, Word would refuse to open it.
Routines Followed
The shell script performs the following routines when it runs:-
- Delete the file quarantine property for the files in “*ALL Tim Nha Chi Ngoc Canada.?doc*.”
- Try to remove the file quarantine property of the files in the system.
- Copy “ALL tim nha Chi Ngoc Canada.?doc/Contents/Resources/configureDefault.def(doc)” to “/tmp/ALL tim nha Chi Ngoc Canada.doc(doc)”
- Open “/tmp/ALL tim nha Chi Ngoc Canada.doc(doc)”
- Extract the b64-encoded fat binary to “ALL tim nha Chi Ngoc Canada.?doc/Contents/Resources/configureDefault.def(fat – binary)”, which is the second-stage payload
- Change the access permissions of the second-stage payload so that it can be launched, then launch it.
- Delete the malware app bundle “ALL Tim Nha Chi Ngoc Canada.?doc”.
- Copy “/tmp/ALL tim nha Chi Ngoc Canada.doc(doc)” to “{execution directory}/ALL tim nha Chi Ngoc Canada.doc”
- Finally, delete “/tmp/ALL Tim Nha Chi Ngoc Canada.doc”.
Second Stage Payload
The second stage payload performs the following malware routines:-
- Drops the third-stage payload to ~/Library/User Photos/mount_devfs
- Creates persistence for the sample by writing ~/Library/LaunchAgents/com.apple.marcoagent.voiceinstallerd.plist
- Uses the touch command to modify the timestamp of the sample, then deletes itself.
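The two host-side traces described above, the disguised app bundle from the Arrival section and the second-stage LaunchAgent and payload paths, can be checked for with a small triage script. This is an added example, not code from Trend Micro or from the report; it assumes a zero-width space as the special character the page shows as “?”, and the sample home directory it builds is a constructed fixture, not real malware.

```python
import plistlib
import tempfile
import unicodedata
from pathlib import Path

# Artifact paths named in the report, relative to the user's home directory.
LAUNCH_AGENT = Path("Library/LaunchAgents/com.apple.marcoagent.voiceinstallerd.plist")
THIRD_STAGE = Path("Library/User Photos/mount_devfs")


def suspicious_doc_name(name: str) -> bool:
    """True if a name ends in 'doc' but holds a non-ASCII or control/format
    character: the trick that stops macOS treating the bundle as a Word file."""
    if not name.lower().endswith("doc"):
        return False
    return any(ord(c) > 0x7F or unicodedata.category(c).startswith("C") for c in name)


def scan_home(home: Path, search_dirs=("Downloads", "Desktop", "Documents")) -> list:
    """Return findings for the persistence, payload and lure artifacts above."""
    findings = []
    agent = home / LAUNCH_AGENT
    if agent.is_file():
        with agent.open("rb") as f:  # what the LaunchAgent actually executes
            args = plistlib.load(f).get("ProgramArguments")
        findings.append(f"persistence: {agent} runs {args}")
    if (home / THIRD_STAGE).exists():
        findings.append(f"third-stage payload: {home / THIRD_STAGE}")
    for base in (home / d for d in search_dirs):
        if not base.is_dir():
            continue
        for p in base.rglob("*"):  # a ".doc" that is really an app bundle
            if p.is_dir() and suspicious_doc_name(p.name) and (p / "Contents" / "Info.plist").is_file():
                findings.append(f"app bundle masquerading as a document: {p}")
    return findings


def build_sample_home() -> Path:
    """Constructed fixture, not real malware: a temp home with the three artifacts.
    A zero-width space stands in for the character the page shows as '?' (assumption)."""
    home = Path(tempfile.mkdtemp())
    agent = home / LAUNCH_AGENT
    agent.parent.mkdir(parents=True)
    with agent.open("wb") as f:
        plistlib.dump({"ProgramArguments": [str(home / THIRD_STAGE)]}, f)
    (home / THIRD_STAGE).parent.mkdir(parents=True)
    (home / THIRD_STAGE).write_bytes(b"placeholder")
    bundle = home / "Downloads" / "ALL tim nha Chi Ngoc Canada.\u200bdoc"
    (bundle / "Contents").mkdir(parents=True)
    (bundle / "Contents" / "Info.plist").write_bytes(b"<plist/>")
    return home
```

On a real machine, call `scan_home(Path.home())`; an empty list means none of the three artifacts was found in the checked locations.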
Third Stage Payload
In this payload stage, the strings are encrypted with a custom scheme that uses base64 encoding and byte manipulation.
C&C Servers used by the malware
The malware uses three C&C servers, and here they are:-
- mihannevis[.]com
- mykessef[.]com
- idtpl[.]org
Supported commands and their codes
- 0x33: Get file size
- 0xe8: Exit
- 0xa2: Download and execute a file
- 0xac: Run command in terminal
- 0x48: Remove file
- 0x72: Upload file
- 0x23: Download file
- 0x3c: Download file
- 0x07: Get configuration info
- 0x55: Empty response, heartbeat packet
Mitigations
The experts reported that OceanLotus is actively updating its malware in attempts to avoid detection and increase persistence. They gave the following recommendations:-
- Never click links or download attachments in emails that come from unfamiliar sources.
- Always patch and update software and applications.
- Use security solutions that are suitable for your operating system.
The security experts are continuing to investigate the campaign in order to provide further details of the operation.
Indicators of Compromise
SHA-256
- cfa3d506361920f9e1db9d8324dfbb3a9c79723e702d70c3dc8f51825c171420
- 48e3609f543ea4a8de0c9375fa665ceb6d2dfc0085ee90fa22ffaced0c770c4f
- 05e5ba08be06f2d0e2da294de4c559ca33c4c28534919e5f2f6fc51aed4956e3
- fd7e51e3f3240b550f0405a67e98a97d86747a8a07218e8150d2c2946141f737