A macOS backdoor variant has been uncovered that relies of multi-stage payloads and various updated anti-detection techniques. Researchers linked it to the OceanLotus advanced persistent threat (APT) group.
The Vietnam-backed OceanLotus (also known as APT 32) has been around since at least 2013, and previously launched targeted attacks against media, research and construction companies. Researchers said that in this case the attackers behind the malware variant appear to be hitting users from Vietnam, because the name of the lure document from the campaign is in Vietnamese. Older samples of the backdoor have targeted the same region before, according to researchers with Trend Micro.
“Some of the updates of this new variant include new behavior and domain names,” said researchers Luis Magisa and Steven Du. “Threat groups such as OceanLotus are actively updating malware variants in attempts to evade detection and improve persistence.”
The initial attack vector (such as phishing emails or otherwise) behind the malware is unclear; researchers told Threatpost that because the initial file is a document they assume it came through an email. However, the OceanLotus APT was recently discovered using malicious websites as well as Google Play apps to spread other malware. Researchers also currently have no knowledge of any targets in the campaign, they told Threatpost.
The malware is packed in an app, bundled in a .zip archive. The app attempts to pass itself off as a Microsoft Word document (using the Word icon). The app bundle contains two notable files: The shell script containing the main malicious processes, and the “Word” file displayed during execution.
In another attempt at evading detection, the app bundle’s name utilizes special characters – three bytes (“efb880”) that are in UTF-8 encoding.
“When a user looks for the fake doc folder via the macOS Finder app or the terminal command line, the folder’s name shows ‘ALL tim nha Chi Ngoc Canada.doc’ (‘tìm nhà Chị Ngọc’ roughly translates to ‘find Mrs. Ngoc’s house’),” said researchers in a Friday analysis. “However, checking the original .zip file that contains the folder shows three unexpected bytes between ‘.’ and ‘doc’.”
These bytes are special unicode control characters that don’t change the visual appearance of the file. However, while the file visually looks like a normal file, the operating system sees the app bundle as an unsupported directory type due to these special characters. Therefore, as a default action the “open” command is used to execute the malicious app, said researchers.
Once the app is executed, the malware launches a second-stage payload (ALL tim nha Chi Ngoc Canada.?doc/Contents/Resources/configureDefault.def), which in turn drops a third-stage payload before deleting itself.
The third-stage payload uses custom encryption, with base64 encoding and byte manipulation. This payload has capabilities for collecting operating system information and submitting the data to its command-and-control (C2) servers; as well as receiving additional C2 communication information.
Its backdoor functionalities include the ability to get processor and memory information, get the serial number and get the network interface MAC addresses. All this information is encrypted and sent to the C2 server. Other supported commands include: Getting the file size; downloading and executing files; running commands in terminal; downloading and removing files; and getting config information.
Researchers said this malware variant has similarities to another OceanLotus backdoor discovered in 2018, including identical supported commands and their respective codes used in both variants.
“The TTPs and some of its critical function logic are very similar to previous Oceanlotus malware, which led us to believe that it belongs to Oceanlotus,” researchers told Threatpost.
OceanLotus has previously been found using other detection evasion tactics, including steganography and injecting malware into the Windows Error Reporting (WER) service to evade detection. From at least January to April, researchers saw the group attacking China’s Ministry of Emergency Management, as well as the government of Wuhan province, in an apparent bid to steal intelligence regarding the country’s COVID-19 response. Also in 2020, the group was spotted launching an espionage campaign aimed at Android users in Asia.
Researchers said that to avoid malware such as this, macOS users should never click links or download attachments from emails coming from suspicious sources, and regularly patch their software and applications.
Put Ransomware on the Run: Save your spot for “What’s Next for Ransomware,” a FREE Threatpost webinar on Dec. 16 at 2 p.m. ET. Find out what’s coming in the ransomware world and how to fight back.
Get the latest from world-class security experts on new kinds of attacks, the most dangerous ransomware threat actors, their evolving TTPs and what your organization needs to do to get ahead of the next, inevitable ransomware attack. Register here for the Wed., Dec. 16 for this LIVE webinar.
