New MacOS backdoor connected to OceanLotus threat group

OceanLotus has been linked to attacks against human rights organizations, researchers, and more.

A new backdoor affecting Apple's Mac operating system has been discovered by researchers who say there is a link to the OceanLotus threat group.

According to researchers from Trend Micro, the MacOS backdoor is a persistent, encrypted sample of malware used for surveillance and data collection.

In a blog post on Wednesday, the cybersecurity firm said the backdoor, identified as OSX_OCEANLOTUS.D, targets MacOS systems which have the Perl programming language installed.

The backdoor was discovered in a malicious Microsoft Word document which has likely been distributed via email, potentially through spear-phishing campaigns.

The document has been crafted to appear from HDMC, a Vietnamese organization which was established to promote national independence and democracy.

If the document is opened by a potential victim, the user is asked to enable macros, which triggers the backdoor. The macro is obfuscated, and analysis has shown that executing the file will result in a dropper and a malicious .xml file being downloaded into system folders.

Trend Micro says that the dropper's task is to install the backdoor into the MacOS system and maintain persistence. Each string in the dropper is encrypted using a hardcoded RSA256 key.

The dropper runs whether or not the victim is logged in as root, and simply adjusts the download file paths depending on the situation. Malicious files downloaded and installed to enable persistence will ensure the malware loads at startup -- including the backdoor -- and their attributes are also set to hidden, with a random date and time, to avoid detection.

Once its tasks are complete, the dropper deletes itself so as not to arouse suspicion.
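The persistence traits described above (a startup item whose file is hidden and whose timestamp has been faked) are exactly what a defender can look for on a Mac. The script below is an added example written for this article, not code from Trend Micro or from the malware analysis; it audits a LaunchAgents/LaunchDaemons-style directory for plists that run at load, are hidden by name or by the BSD hidden flag, or carry a modification time far from the other plists in the same directory. The directory, file names and plist contents in the demo are constructed for illustration.

```python
"""Triage macOS launch-persistence plists for hidden files and faked timestamps.

Added example (not from the article or from Trend Micro). It flags a plist
when it is hidden (dot-prefixed name or BSD UF_HIDDEN flag) or when its
mtime sits far from the median of its neighbours, and records whether it
runs at load so an analyst can prioritise. All sample data is constructed.
"""
import os
import plistlib
import statistics
import tempfile
import time

UF_HIDDEN = 0x8000  # BSD "hidden" flag, as set by `chflags hidden` on macOS


def is_hidden(path: str) -> bool:
    """True if hidden by name or (macOS/BSD only) by the UF_HIDDEN flag."""
    st = os.lstat(path)
    flags = getattr(st, "st_flags", 0)  # st_flags does not exist on Linux; treat as 0
    return os.path.basename(path).startswith(".") or bool(flags & UF_HIDDEN)


def runs_at_start(plist: dict) -> bool:
    """launchd starts the job at login/boot if RunAtLoad or KeepAlive is set."""
    return bool(plist.get("RunAtLoad")) or bool(plist.get("KeepAlive"))


def audit_launch_dir(directory: str, max_skew_days: float = 365.0) -> list:
    """Return one finding dict per suspicious .plist in `directory`."""
    entries = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not name.endswith(".plist") or not os.path.isfile(path):
            continue
        try:
            with open(path, "rb") as fh:
                plist = plistlib.load(fh)
        except Exception:  # unparsable plist is still worth listing
            plist = {}
        entries.append((path, plist, os.lstat(path).st_mtime))
    if not entries:
        return []
    median_mtime = statistics.median(m for _, _, m in entries)
    findings = []
    for path, plist, mtime in entries:
        reasons = []
        if is_hidden(path):
            reasons.append("hidden")
        if abs(mtime - median_mtime) > max_skew_days * 86400:
            reasons.append("timestamp skew")
        if not reasons:
            continue  # only hidden or time-skewed plists are reported
        if runs_at_start(plist):
            reasons.append("runs at load")
        program = plist.get("ProgramArguments") or [plist.get("Program")]
        findings.append({"path": path, "label": plist.get("Label"),
                         "program": program[0], "reasons": reasons})
    return findings


def demo() -> list:
    """Build a constructed LaunchAgents directory and audit it."""
    tmp = tempfile.mkdtemp(prefix="launchagents_demo_")
    now = time.time()
    # Two ordinary, visible agents with current timestamps (constructed).
    for label in ("com.example.sync", "com.example.menubar"):
        with open(os.path.join(tmp, label + ".plist"), "wb") as fh:
            plistlib.dump({"Label": label, "ProgramArguments": ["/usr/bin/true"],
                           "RunAtLoad": True}, fh)
    # One hidden agent with a faked 2005 mtime, pointing at a hidden binary
    # (constructed path, not an indicator from the article).
    bad = os.path.join(tmp, ".com.constructed.updater.plist")
    with open(bad, "wb") as fh:
        plistlib.dump({"Label": "com.constructed.updater",
                       "ProgramArguments": ["/Users/Shared/.updater"],
                       "RunAtLoad": True}, fh)
    faked = 1104537600  # 2005-01-01 UTC, far from the other files
    os.utime(bad, (faked, faked))
    assert now - faked > 365 * 86400
    return audit_launch_dir(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f["path"], f["label"], f["program"], ", ".join(f["reasons"]))
```

On a real system point `audit_launch_dir` at `~/Library/LaunchAgents`, `/Library/LaunchAgents` and `/Library/LaunchDaemons`; the timestamp heuristic is deliberately loose (a year) because legitimate installers also leave old mtimes, so treat it as a triage signal to pair with the hidden-file check rather than a verdict on its own.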

The MacOS backdoor has two primary functions. The infoClient process collects information relating to the operating system, submits data to the malware's command-and-control (C&C) servers, and also receives instructions from the malware's operators. Information sent to the C&C server is both scrambled and encrypted and is decoded on the other side.

The second process, runHandle, is responsible for maintaining the backdoor.

Trend Micro believes the backdoor is the work of OceanLotus, also known as SeaLotus and Cobalt Kitty.

OceanLotus has been linked to attacks against human rights organizations, media organizations, research institutes, maritime construction firms, and other corporate targets.


According to ESET, OceanLotus is likely operating out of Asia and has set its sights not only on high-profile Vietnamese targets, but corporate and government groups based in the Philippines, Laos, and Cambodia.

Volexity has worked with a number of human rights and civil society organizations in these areas which appear to have all been targeted by the threat actors since 2015.
