In November 2020, malware researchers detected a new backdoor targeting macOS devices. Compiled three multi-stage payloads and equipped with innovative anti-detection techniques, this new threat comes most likely from the already known Vietnam-backed Advanced Persistent Threat (APT) group called OceanLotus. Between January and April 2020, OceanLotus attacked China's Ministry of Emergency Management and the Wuhan province government, apparently in an attempt to steal intelligence regarding the country's COVID-19 response. Again in 2020, some cyber espionage campaigns against Android users in Asia have also been attributed to the same APT group.
Also called APT32, OceanLotus exists at least since 2013 and is linked to several major attacks against organizations from the media, research, and construction sectors. Unlike the older variants of the OceanLotus Backdoor from 2018, the latest versions have been updated with some new behavioral patterns, techniques to avoid detection, and mechanisms to ensure persistence.
OceanLotus Targets Are Not Entirely In Focus
No particular targets have been identified for the most recent OceanLotus attacks yet; however, the hackers seem to be aiming at the Vietnamese market because of the use of the Vietnamese language in some of the malware's files. The exact initial vector of the infection is also still unclear. Due to the appearance of the first-stage payload that resembles a Word document, researchers suppose it could be through phishing emails, although OceanLotus APT has also been observed to use corrupted websites and compromised Google Play Apps to spread other malware threats.
Research shows the attackers have packed the backdoor in an application disguised as a Microsoft Word document using the Word icon. This app is bundled in a .zip archive, whereby the bundle contains two payloads – the shell scripts with the main corrupted processes and the fake 'Word' file displayed upon execution. The bundle's name consists of special characters – three-bytes ('efb880") in UTF-8 encoding to avoid detection. Later, the fake Word doc can be found in a folder named 'ALL tim nha Chi Ngoc Canada.doc,' which roughly translated from Vietnamese means 'find Mrs. Ngoc's house."
Checking the original .zip file with the folder, however, shows that it contains three special Unicode control characters between '.' and 'doc.' These make the app bundle look like a 'normal' Word file to the user, but the operating system recognizes it as an unsupported directory type. As a result, the default 'Open' command actually executes the harmful payload. Once completed, the application drops the second-stage payload as 'ALL tim nha Chi Ngoc Canada.?doc/Contents/Resources/configureDefault.def' that, in turn, runs the third-stage payload and then deletes itself.
The third-stage payload has the backdoor's main functionalities, like collecting information about the operating system (including process and memory information, network interface MAC addresses, serial number), and encrypting and transmitting the data to the hackers' Command-and-Control servers. It also receives additional commands from the servers. The new OceanLotus Backdoor supports other commands as well – downloading and executing files, removing files, running commands in the terminal, and getting config information.
Due to its supposed channels of distribution, like spam email campaigns, threatening applications, and compromised websites, macOS users should never click on suspicious links or open attachments from unknown senders to avoid OceanLotus attacks. Applications also should be downloaded only from the developer's official website and other trusted sources.