New MacOS Backdoor Linked to OceanLotus Hacking Group Targets Various Organizations Around the Globe

Cybersecurity researchers at Trend Micro have recently detailed a new piece of malware that targets Apple macOS users and that they have linked to the nation-state-backed OceanLotus hacking group.

The newly revealed macOS backdoor variant relies on multi-stage payloads and several updated anti-detection techniques, and the researchers have attributed it to the OceanLotus advanced persistent threat (APT) group.

OceanLotus, also known as APT32, is a hacking group believed to have links to the Vietnamese government. The newly discovered sample shares dynamic behavior and code with earlier malware variants attributed to OceanLotus, which strongly suggests a link to the same attackers.

Arrival

According to the report, the sample arrives as an app bundle inside a Zip archive. It uses the icon of a Word document as a disguise, trying to pass itself off as a legitimate document file.

It also evades detection by adding special characters to its app bundle name. As a result, the operating system treats the app bundle as an unsupported directory type.

So, by default, the “open” command is used to execute the malicious app. If the suffix were instead .doc without the special characters, Microsoft Word would be asked to open the app bundle as a document; since it is not a valid document, Word would fail to open it.

Routines Followed

When the shell script runs, it performs the following routines:-

  • Delete the file quarantine attribute of the files in “*ALL Tim Nha Chi Ngoc Canada.?doc*”.
  • Try to remove the file quarantine attribute of files on the system.
  • Copy “ALL tim nha Chi Ngoc Canada.?doc/Contents/Resources/configureDefault.def(doc)” to “/tmp/ALL tim nha Chi Ngoc Canada.doc(doc)”
  • Open “/tmp/ALL tim nha Chi Ngoc Canada.doc(doc)”
  • Extract the base64-encoded fat binary to “ALL tim nha Chi Ngoc Canada.?doc/Contents/Resources/configureDefault.def(fat binary)”, which is the second-stage payload.
  • Change the access permissions of the second-stage payload in order to launch it.
  • Delete the malware app bundle “ALL Tim Nha Chi Ngoc Canada.?doc”.
  • Copy “/tmp/ALL tim nha Chi Ngoc Canada.doc(doc)” to “{execution directory}/ALL tim nha Chi Ngoc Canada.doc”
  • Finally, delete “/tmp/ALL Tim Nha Chi Ngoc Canada.doc”.

Second Stage Payload

The second-stage payload performs the following malware routines:-

  • It drops the third-stage payload to ~/Library/User Photos/mount_devfs.
  • It creates persistence for the sample by creating ~/Library/LaunchAgents/com.apple.marcoagent.voiceinstallerd.plist.
  • It uses the touch command to modify the timestamp of the sample and then deletes itself.
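As an added defensive example (not code from the Trend Micro report or from this article), the following Python triage script checks an extracted app bundle for the dropper traits listed above (a .doc lookalike name with a hidden character, a base64-encoded fat binary inside Contents/Resources/configureDefault.def) and checks a user home directory for the two second-stage persistence artifacts. The sample bundle, the zero-width character standing in for the report's “?”, and the fat-header-only blob are constructed assumptions.

```python
import base64
import re
import tempfile
from pathlib import Path

# Artifact names come from the write-up above; all sample data below is constructed.
PERSISTENCE_PLIST = "Library/LaunchAgents/com.apple.marcoagent.voiceinstallerd.plist"
THIRD_STAGE = "Library/User Photos/mount_devfs"
STAGE_RESOURCE = "Contents/Resources/configureDefault.def"
FAT_MAGICS = {b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca"}  # Mach-O fat header magic

def suspicious_bundle_name(name: str) -> bool:
    """Name mimics .doc but hides a non-ASCII/control char between '.' and 'doc'."""
    _, dot, ext = name.rpartition(".")
    return bool(dot) and ext.lower().endswith("doc") and any(
        not c.isascii() or not c.isprintable() for c in ext[:-3])

def embedded_fat_binary(resource: Path) -> bool:
    """True if the file holds a base64 run that decodes to a fat Mach-O header."""
    data = resource.read_bytes() if resource.is_file() else b""
    for token in re.findall(rb"[A-Za-z0-9+/]{16,}={0,2}", data):
        try:
            if base64.b64decode(token, validate=True)[:4] in FAT_MAGICS:
                return True
        except ValueError:  # long alphanumeric run that is not valid base64
            pass
    return False

def triage_bundle(bundle: Path) -> list:  # dropper-stage indicators for one bundle
    checks = [("lookalike .doc bundle name", suspicious_bundle_name(bundle.name)),
              ("base64 fat binary in configureDefault.def",
               embedded_fat_binary(bundle / STAGE_RESOURCE))]
    return [label for label, hit in checks if hit]

def triage_home(home: Path) -> list:  # second-stage persistence artifacts present
    return [rel for rel in (PERSISTENCE_PLIST, THIRD_STAGE) if (home / rel).exists()]

def build_sample(root: Path):  # constructed lookalike bundle + home dir, no real malware
    res = root / "ALL tim nha Chi Ngoc Canada.\u200bdoc" / STAGE_RESOURCE  # zero-width space
    res.parent.mkdir(parents=True)
    res.write_bytes(b"decoy text\n" + base64.b64encode(b"\xca\xfe\xba\xbe" + b"\0" * 28))
    home = root / "home"
    for rel in (PERSISTENCE_PLIST, THIRD_STAGE):
        (home / rel).parent.mkdir(parents=True, exist_ok=True)
        (home / rel).write_text("placeholder")
    return res.parents[2], home

def demo() -> tuple:  # run both triage checks against the constructed sample
    bundle, home = build_sample(Path(tempfile.mkdtemp()))
    return triage_bundle(bundle), triage_home(home)
```

Calling demo() builds the constructed sample in a temporary directory and returns the bundle findings and the persistence paths found; point triage_bundle() at a real extracted bundle and triage_home() at a real home directory to use it on a host.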

Third Stage Payload

In this stage, the payload's strings are encrypted with a custom scheme that combines base64 encoding and byte manipulation.

C&C Servers used by the malware

The malware uses the following three C&C servers:-

  • mihannevis[.]com
  • mykessef[.]com
  • idtpl[.]org

Supported commands and their codes

  • 0x33: Get file size
  • 0xe8: Exit
  • 0xa2: Download and execute a file
  • 0xac: Run command in terminal
  • 0x48: Remove file
  • 0x72: Upload file
  • 0x23: Download file
  • 0x3c: Download file
  • 0x07: Get configuration info
  • 0x55: Empty response, heartbeat packet

Mitigations

The researchers report that OceanLotus is actively updating its malware variants in an attempt to evade detection and improve persistence. They give the following recommendations:-

  • Never click links or download attachments from emails coming from unusual sources.
  • Always patch and update software and applications.
  • Use security solutions that are suitable for your operating system.

Apart from this, the security researchers are still investigating the campaign so that they can provide full details of the operation.

Indicators of Compromise

SHA-256

cfa3d506361920f9e1db9d8324dfbb3a9c79723e702d70c3dc8f51825c171420
48e3609f543ea4a8de0c9375fa665ceb6d2dfc0085ee90fa22ffaced0c770c4f
05e5ba08be06f2d0e2da294de4c559ca33c4c28534919e5f2f6fc51aed4956e3
fd7e51e3f3240b550f0405a67e98a97d86747a8a07218e8150d2c2946141f737


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.