Mac OS Backdoor Discovered

Friday, April 6, 2018 @ 12:04 PM gHale

A Mac OS backdoor is targeting high-profile corporate and government organizations in Southeast Asia, researchers said.

The backdoor is linked to OceanLotus, a group also known as APT 32, APT-C-00, SeaLotus, and Cobalt Kitty. The group is believed to be operating out of Vietnam and has been targeting high-profile corporate and government organizations in Southeast Asia, said researchers at Trend Micro.


Some of the group’s targets include human rights organizations, media organizations, research institutes, and maritime construction firms.

The backdoor was found on systems with the Perl programming language installed, said Trend Micro Threat Researcher Jaromir Horejsi in a blog post.
https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/

The malware is going out via malicious documents attached to emails. The document masquerades as the registration form for an event with HDMC, an organization in Vietnam that advertises national independence and democracy.

The document contains malicious, obfuscated macros with a payload written in Perl. The macro extracts an XML file from the Word document. This file is an executable acting as the dropper for the final payload, which is the backdoor.

“Upon receiving the malicious document, the user is advised to enable macros,” Horejsi said in the post. “In our analysis, the macro is obfuscated, character by character, using the decimal ASCII code.”
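For analysts triaging a macro obfuscated this way, the following added example (not code from Trend Micro or from this article) recovers strings built one character at a time from decimal codes and measures how much of the macro consists of such runs. It assumes the macro uses VBA `Chr()`-style calls joined with `&` or `+`, a form the article does not specify; the sample macro is constructed.

```python
import re

# One VBA character call with a decimal argument: Chr(112), ChrW(112), Chr$(112).
CHR_CALL = r"\bChrW?\$?\(\s*(\d{1,3})\s*\)"
# A run is two or more such calls joined by the concatenation operators & or +.
CHR_RUN = re.compile(rf"(?:{CHR_CALL}\s*[&+]\s*)+{CHR_CALL}", re.IGNORECASE)

def join_continuations(vba_source):
    """Merge lines split with the VBA ' _' line-continuation marker."""
    return re.sub(r"[ \t]+_[ \t]*\r?\n", " ", vba_source)

def decode_chr_runs(vba_source, min_len=3):
    """Return the strings hidden in Chr() runs of at least min_len characters."""
    decoded = []
    for run in CHR_RUN.finditer(join_continuations(vba_source)):
        codes = re.findall(CHR_CALL, run.group(0), re.IGNORECASE)
        if len(codes) >= min_len:
            decoded.append("".join(chr(int(c)) for c in codes))
    return decoded

def obfuscation_ratio(vba_source):
    """Share of non-whitespace macro text made up of Chr() runs (0.0 to 1.0)."""
    src = join_continuations(vba_source)
    total = len(re.sub(r"\s", "", src))
    covered = sum(len(re.sub(r"\s", "", m.group(0))) for m in CHR_RUN.finditer(src))
    return covered / total if total else 0.0

# Constructed sample, not taken from the real document; decodes to harmless words.
SAMPLE_MACRO = """Sub AutoOpen()
    a = Chr(112) & Chr(101) & Chr(114) & Chr(108)
    b = ChrW(101) & ChrW(120) & Chr$(97) & _
        Chr(109) & Chr(112) & Chr(108) & Chr(101)
    c = Chr(65)
End Sub
"""

if __name__ == "__main__":
    for text in decode_chr_runs(SAMPLE_MACRO):
        print("decoded:", text)
    print("ratio: %.2f" % obfuscation_ratio(SAMPLE_MACRO))
```

A high ratio on a document macro is a useful triage signal on its own, since legitimate macros rarely build most of their text from character codes.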

The dropper, which has all of its strings encrypted using a hardcoded RSA256 key, is also used to establish the backdoor’s persistence on the infected systems. The dropper checks whether it is running as root and uses a different path and filename depending on the result.

The dropper sets the backdoor’s attributes to “hidden” and uses random values for the file date and time, and deletes itself at the end of the process.

“The main loop of the backdoor has two main functions, infoClient and runHandle,” Horejsi said. “infoClient is responsible for collecting OS info, submitting this info to its C&C servers (the servers are malicious in nature), and receiving additional C&C communication information. Meanwhile, runHandle is responsible for the backdoor capabilities.”


