OceanLotus hacker group launches malicious MacOS backdoor

News by Jay Jay

Researchers at Trend Micro have discovered how the hacker group OceanLotus, which is also known in cyber-security as APT 32, APT-C-00, SeaLotus, and Cobalt Kitty, is using a new backdoor to target MacOS computers.

Researchers at Trend Micro have discovered how the hacker group OceanLotus, which is also known in cyber-security circles as APT 32, APT-C-00, SeaLotus, and Cobalt Kitty, is using a new MacOS backdoor to target MacOS computers which have the Perl programming language installed.

The researchers observed the presence of the malicious backdoor in certain Word documents which were sent by OceanLotus hackers to their victims by way of phishing emails and featured the Vietnamese filename “2018-PHI?U  GHI  DANH  THAM  D?  TINH  H?I HMDC 2018.doc,” which translates to “2018-REGISTRATION FORM OF HMDC ASSEMBLY 2018.doc.”

Once a recipient of such an email downloads and opens the Word document, the victim is prompted to enable macros that are obfuscated by hackers using the decimal ASCII code. Upon further analysis, the researchers found that these documents contained a payload written in the Perl programming language which, in turn, extracted a Mach-O 32-bit executable file named thexe0.xml which then served as the dropper for the final payload or backdoor.

The researchers added that the backdoor contains a function named infoClient which collects information about the OS and sends it to a remote C&C server before receiving further commands from the server. Yet another function named runHandle handles other backdoor capabilities like downloading and executing files or running command line programme in the terminal.

The researchers described the process used by the hackers to inject such malicious backdoors into MacOS systems in detail and warned that even though such malicious attacks targeting Mac devices are not as common as attacks on Windows or Linux systems, users must adopt best practices in order to defend against threats that are distributed via phishing emails.

Ed Williams, director EMEA, SpiderLabs at Trustwave, told SC Magazine UK that since Mac users can now easily integrate with larger enterprises and benefit from cloud-based services like Office365 or gsuite, they are very much a real and present target for hackers.  

When asked if Mac users can take the help of new software solutions to detect and analyse phishing emails, Williams said that nowadays, the cloud offers significant benefit to users such as advanced threat protection, safe links, macro protection from the Internet and anti-impersonation techniques that enterprise MacOS users can use to decrease the effectiveness of these types of attacks.

"As well as utilising the cloud, hardening of the Mac itself is important, these end user devices are the battle ground for modern organisations and careful consideration needs to be put in place around their deployment and security.  In the above example (APT 32), I'd question is Perl required for all users? I very much doubt it, this should be whitelisted unless there is a legitimate business requirement for this, similarly with Python.

"This may boil down to a lack of understanding around what the attackers can use to create back-doors, do sysadmins realise that Perl and Python are installed on the Mac, do they know that curl also comes pre-bundled and can be used for malicious actions – again, I very much doubt it.  We talk about user awareness, which is important, we also need to help the techies in terms of their awareness – this is equally as important,” he added.

Stephen Burke, founder & CEO of Cyber Risk Aware told SC Magazine UK that since users place a lot of trust on technical defences in order to defend against the latest threats, this can lead to users becoming too trusting of technical defences and result in a decrease in cyber-awareness.

"To overcome this, organisations - such as those targeted by OceanLotus -  must promote company-wide cyber-awareness through various training programmes. This can then lead to employees creating a highly effective network of human sensors and form a ‘human firewall' which acts as a last line of defence that effectively protects their network," he added. 

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews