
OceanLotus backdoor targets MacOS systems running PERL

09 Apr 2018

The OceanLotus backdoor is now targeting MacOS systems in its latest spate of attacks, and this time it is using a fake event registration form from a Vietnamese organization to do so.

The backdoor is targeting MacOS users who have installed the Perl programming language, according to researchers at Trend Micro.

The backdoor is distributed via an email attachment, which claims to be an event registration form from HDMC, a Vietnam-based organization that advocates democracy and national independence.

“Upon receiving the malicious document, the user is advised to enable macros. In our analysis, the macro is obfuscated, character by character, using the decimal ASCII code.”
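As an added illustration (not code from the Trend Micro report), the Python helper below undoes the character-by-character obfuscation described in the quote, where each string is assembled from decimal ASCII codes passed to VBA's Chr(). The sample macro is constructed for this example; the functions return the decoded strings and a rewritten macro so an analyst can read what the document would run.

```python
import re

# Constructed sample of a VBA macro in the style described above: every
# string is assembled one character at a time from decimal ASCII codes
# passed to Chr(). This is illustrative, not the real OceanLotus document.
SAMPLE_MACRO = '''Sub AutoOpen()
    Dim cmd As String
    cmd = Chr(112) & Chr(101) & Chr(114) & Chr(108) & Chr(32) & Chr(45) & Chr(101)
    Debug.Print cmd
End Sub
'''

_CHR = r'Chr(?:W|\$)?\(\s*\d{1,5}\s*\)'
# A chain is two or more Chr() calls joined by & or +; matching the whole
# chain (rather than each call) lets us replace it with one literal.
CHAIN = re.compile(rf'{_CHR}(?:\s*[&+]\s*{_CHR})+')
CODE = re.compile(r'\(\s*(\d{1,5})\s*\)')


def decode_chain(chain: str) -> str:
    """Turn 'Chr(104) & Chr(105)' into the string it builds ('hi')."""
    return ''.join(chr(int(c)) for c in CODE.findall(chain))


def extract_strings(vba: str, min_len: int = 3):
    """Return decoded strings of at least min_len chars, in macro order."""
    return [s for s in (decode_chain(m.group(0)) for m in CHAIN.finditer(vba))
            if len(s) >= min_len]


def deobfuscate(vba: str) -> str:
    """Rewrite the macro with each Chr() chain replaced by a quoted literal."""
    def as_literal(m):
        return '"' + decode_chain(m.group(0)).replace('"', '""') + '"'
    return CHAIN.sub(as_literal, vba)


if __name__ == '__main__':
    for s in extract_strings(SAMPLE_MACRO):
        print(repr(s))
    print(deobfuscate(SAMPLE_MACRO))
```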

They found that the payload is written in Perl, suggesting that the backdoor specifically targets users who have Perl installed.

Once installed, the backdoor can run indefinitely. It is able to collect information about the operating system and gives the attackers remote control of the system through the command-and-control server.

“Malicious attacks targeting Mac devices are not as common as their counterparts, but the discovery of this new MacOS backdoor that is presumably distributed via phishing email calls for every user to adopt best practices for phishing attacks regardless of operating system,” Trend Micro says.

The OceanLotus threat group has been prevalent in Asia and is also known as APT32. The group often targets government and private networks in Vietnam, Cambodia, Laos, and the Philippines.

Last month ESET detected OceanLotus campaigns that mimicked Vietnam telecommunications firm Saigontel. It also detected fake curriculum vitae documents.

The fake documents are used to distribute the backdoor; however, the group also uses other methods, including fake installers. One installer involved a repackaged Mozilla Firefox installer.

“Multiple layers of in-memory operations and a side-loading technique are used to execute OceanLotus' latest full-featured backdoor,” commented ESET researchers at the time.

They note that the OceanLotus group is skilled at disguising its operations and still manages to convince victims to install the backdoor.

“The encryption of the payload, together with the side-loading technique – despite its age – is a good way to stay under the radar, since the malicious activities look like they come from the legitimate application,” ESET researchers note.

OceanLotus launched Operation Cobalt Kitty last year, which went after an Asian-based firm’s top-level management.

“Ocean Lotus’ activities demonstrate its intention to remain hidden by picking its targets carefully, but ESET’s research has brought to light the true extent of its intended activities,” ESET concludes.
