Security researchers at Trend Micro have found a new macOS backdoor that they suspect is used by the Vietnamese threat actor OceanLotus.
OceanLotus, also tracked as APT-C-00 and APT32, is considered well-resourced and determined, and has been observed specifically targeting government and corporate institutions in Southeast Asia. Earlier this year the group took part in COVID-19-related hacking attacks against China.
The newly discovered sample shows similarities in code and in complex behaviour to earlier malware variants attributed to OceanLotus, strongly suggesting a link to the threat actor.
A document used in the campaign carries a Vietnamese name, which has led researchers to conclude that the latest malware targets users in Vietnam.
The sample masquerades as a Word document but is in fact an app bundle packaged in a ZIP archive whose name contains special characters, an attempt to evade detection.
Trend Micro notes that the app bundle is treated by the operating system as an unsupported directory type, which means the 'open' command is used to execute it.
Inside the app bundle the researchers found two files: a shell script that carries out several malicious routines, and a Word document that is displayed during execution.
The shell script is responsible for removing the file quarantine attribute from the files in the bundle and from the device directories, copying the Word document to the temp directory and opening it, extracting the second-stage binary and changing its access permissions, and then deleting the malicious app bundle and the Word document from the system.
The second-stage payload is responsible for dropping a third-stage payload, establishing persistence, changing the sample's timestamp using the touch command, and deleting itself.
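The packaging and first-stage behaviour described above (an .app bundle named like a Word document, special characters in the name, a script that strips the quarantine attribute, opens a decoy document, makes a dropped binary executable, adjusts timestamps with touch and cleans up after itself) lends itself to a simple triage check for incoming ZIP attachments. The following is an added example written for this article, not code from Trend Micro or from the malware: it builds a constructed ZIP in memory that mimics that layout (the bundle name, the script text and the decoy file are all made up for the test), lists .app bundles whose name looks like a document or contains format/control characters, and scans any shebang script inside for the behaviours the write-up lists.

```python
import io
import re
import unicodedata
import zipfile

DOC_EXTENSIONS = (".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx")

# Behaviours the write-up attributes to the first-stage shell script, as
# line-level regexes. Heuristic: enough for triage, not a full parser.
SCRIPT_INDICATORS = {
    "quarantine_strip": re.compile(r"\bxattr\b.*com\.apple\.quarantine"),
    "decoy_open": re.compile(r"\bopen\b.*\.(docx?|pdf)\b"),
    "make_executable": re.compile(r"\bchmod\b\s.*(\+x|\b[0-7]{3,4}\b)"),
    "timestomp": re.compile(r"\btouch\s+-[a-zA-Z]*[tr]\b"),
    "self_delete": re.compile(r"\brm\b.*(\$0|dirname)"),
}

# Constructed stand-in for a first-stage script: it only contains the command
# patterns the article describes and is used here as test input.
CONSTRUCTED_SCRIPT = """#!/bin/sh
xattr -d com.apple.quarantine "$0"
cp "$(dirname "$0")/../Resources/decoy.doc" /tmp/decoy.doc
open /tmp/decoy.doc
chmod +x /tmp/stage2
touch -t 201901010101 /tmp/stage2
rm -rf "$(dirname "$0")/../.."
"""


def scan_script(text: str) -> list[str]:
    """Return the sorted indicator names found in a shell script."""
    found = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drop shebang / trailing comments
        for name, pattern in SCRIPT_INDICATORS.items():
            if pattern.search(line):
                found.add(name)
    return sorted(found)


def special_chars(name: str) -> list[str]:
    """Code points a user would not normally type into a file name:
    format/control/unassigned characters and non-space separators."""
    out = []
    for ch in name:
        cat = unicodedata.category(ch)
        if cat in ("Cf", "Cc", "Co", "Cn") or (cat.startswith("Z") and ch != " "):
            out.append(f"U+{ord(ch):04X}")
    return out


def bundle_findings(zip_names: list[str]) -> list[dict]:
    """Describe each top-level .app bundle in a ZIP listing."""
    seen = {}
    for entry in zip_names:
        top = entry.split("/", 1)[0]
        if not top.lower().endswith(".app") or top in seen:
            continue
        stem = top[:-4].lower()  # bundle name without the trailing ".app"
        seen[top] = {
            "name": top,
            "doc_masquerade": any(ext in stem for ext in DOC_EXTENSIONS),
            "special_chars": special_chars(top),
        }
    return list(seen.values())


def triage_zip(data: bytes) -> dict:
    """Inspect a ZIP archive held in memory; nothing is written to disk."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        scripts = {}
        for entry in names:
            if entry.endswith("/"):
                continue
            content = zf.read(entry)
            if content.startswith(b"#!"):
                scripts[entry] = scan_script(content.decode("utf-8", "replace"))
    return {"bundles": bundle_findings(names), "scripts": scripts}


def verdict(report: dict) -> bool:
    """True when a document-looking .app bundle carries a script that both
    strips the quarantine flag and stages an executable."""
    for bundle in report["bundles"]:
        if not bundle["doc_masquerade"]:
            continue
        for entry, hits in report["scripts"].items():
            if entry.startswith(bundle["name"] + "/") and \
                    {"quarantine_strip", "make_executable"} <= set(hits):
                return True
    return False


def build_constructed_sample() -> bytes:
    """Build the constructed test archive: a document-looking bundle name with a
    zero-width space, the stand-in script and a decoy document."""
    bundle = "Meeting notes.docx\u200b.app"  # constructed name, not the real sample's
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"{bundle}/Contents/MacOS/launcher", CONSTRUCTED_SCRIPT)
        zf.writestr(f"{bundle}/Contents/Resources/decoy.doc", b"decoy document bytes")
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_zip(build_constructed_sample())
    print(report)
    print("suspicious:", verdict(report))
```

The bundle check and the script scan are deliberately separate: a bundle name with a document extension and a zero-width character is worth a look on its own, while the script indicators only become a strong signal in combination, which is what `verdict` encodes.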
The third-stage payload has two main features, both relying on encrypted strings: it gathers operating system information and transmits it to command-and-control (C&C) servers, and it receives additional communication information and executes backdoor operations.
Depending on the commands received, the backdoor performs different operations, much like older OceanLotus samples: get file size, fetch and run a file, remove, download or upload a file, exit, execute commands in the terminal, and get configuration information.
Trend Micro, which also analysed some of the C&C domains used in the current campaign, advises organisations to educate staff to refrain from clicking links or downloading attachments from questionable sources, to keep operating systems and software updated, and to stay safe by using security solutions.