OSX_OCEANLOTUS.D
OSX_OCEANLOTUS.D is a MacOS backdoor with several variants that has been used by APT32.[1][2]
Associated Software Descriptions
| Name | Description |
|---|---|
| Backdoor.MacOS.OCEANLOTUS.F |
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
OSX_OCEANLOTUS.D can use HTTP POST and GET requests to send and receive C2 information.[2] |
| Enterprise | T1560 | .003 | Archive Collected Data: Archive via Custom Method |
OSX_OCEANLOTUS.D scrambles and encrypts data using AES256 before sending it to the C2 server.[1][2] |
| Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
OSX_OCEANLOTUS.D uses PowerShell scripts.[1] |
| .004 | Command and Scripting Interpreter: Unix Shell |
OSX_OCEANLOTUS.D uses a shell script as the main executable inside an app bundle and drops an embedded base64-encoded payload to the |
||
| .005 | Command and Scripting Interpreter: Visual Basic |
OSX_OCEANLOTUS.D uses Word macros for execution.[1] |
||
| Enterprise | T1543 | .001 | Create or Modify System Process: Launch Agent |
OSX_OCEANLOTUS.D can create a persistence file in the folder |
| .004 | Create or Modify System Process: Launch Daemon |
If running with |
||
| Enterprise | T1005 | Data from Local System |
OSX_OCEANLOTUS.D has the ability to upload files from a compromised host.[2] |
|
| Enterprise | T1222 | File and Directory Permissions Modification |
OSX_OCEANLOTUS.D has changed permissions of a second-stage payload to an executable via |
|
| Enterprise | T1564 | .001 | Hide Artifacts: Hidden Files and Directories |
OSX_OCEANLOTUS.D sets the main loader file’s attributes to hidden.[1] |
| Enterprise | T1070 | .004 | Indicator Removal on Host: File Deletion |
OSX_OCEANLOTUS.D has a command to delete a file from the system. OSX_OCEANLOTUS.D deletes the app bundle and dropper after execution.[1][2] |
| .006 | Indicator Removal on Host: Timestomp |
OSX_OCEANLOTUS.D can use the |
||
| Enterprise | T1105 | Ingress Tool Transfer |
OSX_OCEANLOTUS.D has a command to download and execute a file on the victim’s machine.[1][2] |
|
| Enterprise | T1036 | .004 | Masquerading: Masquerade Task or Service |
OSX_OCEANLOTUS.D has disguised its app bundle by adding special characters to the filename and using the icon for legitimate Word documents.[2] |
| Enterprise | T1027 | Obfuscated Files or Information |
OSX_OCEANLOTUS.D encrypts its strings in RSA256 and encodes them in a custom base64 scheme and XOR.[1] |
|
| .002 | Software Packing |
OSX_OCEANLOTUS.D has a variant that is packed with UPX.[5] |
||
| Enterprise | T1553 | .001 | Subvert Trust Controls: Gatekeeper Bypass |
OSX_OCEANLOTUS.D uses the command |
| Enterprise | T1082 | System Information Discovery |
OSX_OCEANLOTUS.D collects processor information, memory information, computer name, hardware UUID, serial number, and operating system version. OSX_OCEANLOTUS.D has used the |
|
| Enterprise | T1016 | System Network Configuration Discovery |
OSX_OCEANLOTUS.D can collect the network interface MAC address on the infected host.[1][2] |
|
| Enterprise | T1497 | .001 | Virtualization/Sandbox Evasion: System Checks |
OSX_OCEANLOTUS.D has variants that check a number of system parameters to see if it is being run on real hardware or in a virtual machine environment, such as |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0050 | APT32 |
References
- Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018.
- Magisa, L. (2020, November 27). New MacOS Backdoor Connected to OceanLotus Surfaces. Retrieved December 2, 2020.
- Phil Stokes. (2020, December 2). APT32 Multi-stage macOS Trojan Innovates on Crimeware Scripting Technique. Retrieved September 13, 2021.
- Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- Dumont, R.. (2019, April 9). OceanLotus: macOS malware update. Retrieved April 15, 2019.
- Amnesty International. (2021, February 24). Vietnamese activists targeted by notorious hacking group. Retrieved March 1, 2021.