A newly identified MacOS backdoor detected by AV companies as OSX_OCEANLOTUS.D that is perceived as the latest version of a threat used by OceanLotus (a.k.a. APT 32, APT-C-00, SeaLotus, and Cobalt Kitty).
OceanLotus was responsible for launching targeted attacks against human rights organizations, media organizations, research institutes, and maritime construction firms. The attackers behind OSX_OCEANLOTUS.D target MacOS computers which have the Perl programming language installed.
The MacOS backdoor was found in a malicious Word document presumably distributed via email. The document bears the filename “2018-PHIẾU GHI DANH THAM DỰ TĨNH HỘI HMDC 2018.doc,” which translates to “2018-REGISTRATION FORM OF HMDC ASSEMBLY 2018.doc.” The document claims to be a registration form for an event with HDMC, an organization in Vietnam that advertises national independence and democracy.
The main loop of the backdoor has two main functions, infoClient and runHandle. infoClient is reponsible for collecting OS info, submitting this info to its C&C servers (the servers are malicious in nature), and receiving additional C&C communication information. Meanwhile, runHandle is responsible for the backdoor capabilities.
When the backdoor receives the response from the C&C server, the final payload needs to be decoded again in a similar manner via decryption and scrambling. Packet::getData decrypts the received payload and Converter::outString descrambles the result.
The received data from the C&C server include the following information:
- HandlePP::urlRequest (/appleauth/static/cssj/N252394295/widget/auth/app.css)
- STRINGDATA::BROWSER_SESSION_ID (m_pixel_ratio)
Malicious attacks targeting Mac devices are not as common as its counterparts, but the discovery of this new MacOS backdoor that is presumably distributed via phishing email calls for every user to adopt best practices for phishing attacks regardless of operating system.
End users can benefit from security solutions such as those made exclusively for Mac, which provides comprehensive security and multi-device protection against cyber threats. Enterprises can benefit from a more robust version of security, which infuses high-fidelity machine learning into a blend of threat protection techniques to eliminate security gaps across any user activity and any endpoint.