OSX_OCEANLOTUS.D is a MacOS backdoor with several variants that has been used by APT32.[1][2]
Name | Description |
---|---|
Backdoor.MacOS.OCEANLOTUS.F |
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
OSX_OCEANLOTUS.D can use HTTP POST and GET requests to send and receive C2 information.[2] |
Enterprise | T1560 | .003 | Archive Collected Data: Archive via Custom Method |
OSX_OCEANLOTUS.D scrambles and encrypts data using AES256 before sending it to the C2 server.[1][2] |
Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
OSX_OCEANLOTUS.D uses PowerShell scripts.[1] |
.004 | Command and Scripting Interpreter: Unix Shell |
OSX_OCEANLOTUS.D uses a shell script as the main executable inside an app bundle and drops an embedded base64-encoded payload to the |
||
.005 | Command and Scripting Interpreter: Visual Basic |
OSX_OCEANLOTUS.D uses Word macros for execution.[1] |
||
Enterprise | T1543 | .001 | Create or Modify System Process: Launch Agent |
OSX_OCEANLOTUS.D can create a persistence file in the folder |
.004 | Create or Modify System Process: Launch Daemon |
If running with |
||
Enterprise | T1005 | Data from Local System |
OSX_OCEANLOTUS.D has the ability to upload files from a compromised host.[2] |
|
Enterprise | T1222 | File and Directory Permissions Modification |
OSX_OCEANLOTUS.D has changed permissions of a second-stage payload to an executable via |
|
Enterprise | T1564 | .001 | Hide Artifacts: Hidden Files and Directories |
OSX_OCEANLOTUS.D sets the main loader file’s attributes to hidden.[1] |
Enterprise | T1070 | .004 | Indicator Removal on Host: File Deletion |
OSX_OCEANLOTUS.D has a command to delete a file from the system. OSX_OCEANLOTUS.D deletes the app bundle and dropper after execution.[1][2] |
.006 | Indicator Removal on Host: Timestomp |
OSX_OCEANLOTUS.D can use the |
||
Enterprise | T1105 | Ingress Tool Transfer |
OSX_OCEANLOTUS.D has a command to download and execute a file on the victim’s machine.[1][2] |
|
Enterprise | T1036 | .004 | Masquerading: Masquerade Task or Service |
OSX_OCEANLOTUS.D has disguised its app bundle by adding special characters to the filename and using the icon for legitimate Word documents.[2] |
Enterprise | T1027 | Obfuscated Files or Information |
OSX_OCEANLOTUS.D encrypts its strings in RSA256 and encodes them in a custom base64 scheme and XOR.[1] |
|
.002 | Software Packing |
OSX_OCEANLOTUS.D has a variant that is packed with UPX.[5] |
||
Enterprise | T1553 | .001 | Subvert Trust Controls: Gatekeeper Bypass |
OSX_OCEANLOTUS.D uses the command |
Enterprise | T1082 | System Information Discovery |
OSX_OCEANLOTUS.D collects processor information, memory information, computer name, hardware UUID, serial number, and operating system version. OSX_OCEANLOTUS.D has used the |
|
Enterprise | T1016 | System Network Configuration Discovery |
OSX_OCEANLOTUS.D can collect the network interface MAC address on the infected host.[1][2] |
|
Enterprise | T1497 | .001 | Virtualization/Sandbox Evasion: System Checks |
OSX_OCEANLOTUS.D has variants that check a number of system parameters to see if it is being run on real hardware or in a virtual machine environment, such as |
ID | Name | References |
---|---|---|
G0050 | APT32 |