Skip to main content

OceanLotus macOS Backdoor

The OceanLotus advanced persistent threat group has developed a new backdoor that can take control of macOS devices.

Threat ID:
CC-3690
Category:
Backdoor
Threat Severity:
Low
Threat Vector:
Download
Published:
3 December 2020 12:00 AM
Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

The OceanLotus advanced persistent threat group has developed a new backdoor that can take control of macOS devices.

Affected platforms

The following platforms are known to be affected:

Versions: All versions

macOS

Threat details

Introduction

The OceanLotus advanced persistent threat group, also known as APT32, has developed a new backdoor that can take control of macOS devices.

Delivery

OceanLotus has been observed delivering malware using malicious websites. This backdoor is packaged as an app bundled in a Zip archive, but it uses the Microsoft Word icon and '.doc' extension to disguise itself as a legitimate document.

Activities

When the app bundle is opened it executes a shell script automatically. This extracts the second-stage payload and changes access permissions to launch it.

The second stage drops the third-stage payload to ~/Library/User Photos/mount_devfs and ensures it will run automatically at login by installing a LaunchAgent in ~/Library/LaunchAgents/com.apple.marcoagent.voiceinstallerd.plist

The third stage collects system information and communicates with command and control (C2) servers. The capabilities include downloading and executing additional files, stealing data and running terminal commands.

Remediation advice

To prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that the NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.

Indicators of compromise

Network indicators

Domains

  • idtpl[.]org
  • mihannevis[.]com
  • mykessef[.]com
Host indicators

SHA256 hashes

  • cfa3d506361920f9e1db9d8324dfbb3a9c79723e702d70c3dc8f51825c171420
  • 48e3609f543ea4a8de0c9375fa665ceb6d2dfc0085ee90fa22ffaced0c770c4f
  • 05e5ba08be06f2d0e2da294de4c559ca33c4c28534919e5f2f6fc51aed4956e3
  • fd7e51e3f3240b550f0405a67e98a97d86747a8a07218e8150d2c2946141f737

Last edited: 3 December 2020 3:25 pm