A new variant of the OceanLotus backdoor was detected by Palo Alto Networks researchers using the WildFire cloud analysis platform. Palo Alto's Unit 42 reported that this new variant was developed by the same Vietnamese group that released its predecessor in 2015, and that it is one of the most sophisticated backdoors seen on macOS to date: it employs a decoy document, string encoding, custom binary protocol traffic with encryption, and a modularized backdoor, all while abstaining from using any revealing command-line utilities.
So, how does it work?
Using one of the oldest tricks in the book, the cybercriminals distribute the backdoor as a zip file in an email attachment. Once extracted, the zip file yields a directory containing what looks like a completely harmless Microsoft Word document but is in fact an application bundle that includes executable code.
Context menu and file listing
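The disguise described above relies on a directory that carries a document extension while being laid out as a macOS application bundle (a `Contents/Info.plist` plus a `Contents/MacOS` executable directory). The following script is an added example, not code from the original post or from Unit 42: it walks a directory tree and reports any directory whose name ends in a document extension but which has that bundle structure. The sample tree it builds is constructed for the demonstration; on a real host you would point `find_masquerading_bundles` at a download folder or an extracted archive.

```python
"""Flag directories that look like documents by name but are app bundles by structure.
Added example; the sample file tree is constructed, not taken from the real malware."""
import os
import tempfile
from pathlib import Path

# Extensions a user would expect to open a document, not launch an executable.
DOC_EXTENSIONS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx", ".rtf", ".txt"}


def is_app_bundle(path: Path) -> bool:
    """A macOS application bundle is a directory with Contents/Info.plist and
    a Contents/MacOS directory that holds the main executable."""
    contents = path / "Contents"
    return (contents / "Info.plist").is_file() and (contents / "MacOS").is_dir()


def find_masquerading_bundles(root) -> list:
    """Return every directory under root whose name has a document extension
    but whose layout is that of an application bundle."""
    hits = []
    for dirpath, dirnames, _files in os.walk(Path(root)):
        for name in dirnames:
            candidate = Path(dirpath) / name
            if candidate.suffix.lower() in DOC_EXTENSIONS and is_app_bundle(candidate):
                hits.append(candidate)
    return hits


def build_sample_tree(base: Path) -> Path:
    """Constructed sample: one fake 'document' that is really a bundle, and one
    genuine .docx file (a real .docx is a zip container, hence the PK header)."""
    fake = base / "Invoice.docx"
    (fake / "Contents" / "MacOS").mkdir(parents=True)
    (fake / "Contents" / "Info.plist").write_text("<plist version=\"1.0\"><dict/></plist>")
    (fake / "Contents" / "MacOS" / "Invoice").write_text("#!/bin/sh\n")
    (base / "Report.docx").write_bytes(b"PK\x03\x04")
    return base


def demo() -> list:
    """Build the sample tree in a temp directory and return the flagged names."""
    base = build_sample_tree(Path(tempfile.mkdtemp()))
    return [hit.name for hit in find_masquerading_bundles(base)]


if __name__ == "__main__":
    for name in demo():
        print("document-named directory is an app bundle:", name)
```

Note that the check is structural, so it does not depend on the bundle being signed or on any string inside the binary, which matters here because the authors deliberately kept suspicious strings out of the executable.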
Upon opening of the document, the Trojan is unleashed. The malware distracts the user by displaying a password-protected document, since the user did indeed click on a document icon and expects to see one. The malware then establishes persistence by creating a Launch Agent that runs at host start-up and by copying itself to a different location under a different file name. Finally, the malware deletes the application bundle from the extracted path, leaving only the harmless decoy document, and launches itself as a service from the new directory.
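The persistence step above comes down to a property-list file in a LaunchAgents directory that tells launchd to run a program at login. The script below is an added example (not the post's or Unit 42's code) that audits such plists: it parses each one with the standard `plistlib` module and flags agents that start automatically (`RunAtLoad` or `KeepAlive`) while pointing at a program outside the usual system and application locations. The two plists it feeds itself are constructed; the label and paths in them are placeholders, not indicators from the real sample.

```python
"""Audit LaunchAgent plists for auto-starting programs in unusual locations.
Added example; the sample plists are constructed placeholders."""
import plistlib

# Locations where a legitimately installed program normally lives.
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/usr/", "/Library/Apple/")
# Path fragments that are unusual for a persistent agent's executable.
ODD_PATH_MARKERS = ("/.", "/tmp/", "/var/folders/", "/private/tmp/")


def audit_launch_agent(plist_bytes: bytes) -> dict:
    """Return a verdict for one plist: which program it runs, whether it
    auto-starts, and the reasons it was (or was not) flagged."""
    info = plistlib.loads(plist_bytes)
    args = info.get("ProgramArguments") or [info.get("Program", "")]
    program = args[0] if args else ""
    reasons = []
    auto_start = bool(info.get("RunAtLoad")) or bool(info.get("KeepAlive"))
    if auto_start:
        reasons.append("starts automatically (RunAtLoad/KeepAlive)")
    if not program.startswith(TRUSTED_PREFIXES):
        reasons.append("program outside trusted locations: " + program)
    if any(marker in program for marker in ODD_PATH_MARKERS):
        reasons.append("hidden or temporary path")
    # Suspicious only when it both auto-starts and runs from an unusual place.
    suspicious = auto_start and len(reasons) > 1
    return {"label": info.get("Label"), "program": program,
            "suspicious": suspicious, "reasons": reasons}


def sample_plists() -> dict:
    """Constructed inputs: one benign helper agent, one agent running a hidden
    binary from the user's Library folder (placeholder label and path)."""
    benign = {"Label": "com.example.helper",
              "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/helper"],
              "RunAtLoad": True}
    hidden = {"Label": "com.placeholder.update",
              "ProgramArguments": ["/Users/victim/Library/.cache/updater", "-d"],
              "RunAtLoad": True, "KeepAlive": True}
    return {name: plistlib.dumps(d) for name, d in (("benign", benign), ("hidden", hidden))}


def run_audit() -> dict:
    """Audit the constructed plists and return name -> suspicious flag."""
    return {name: audit_launch_agent(data)["suspicious"]
            for name, data in sample_plists().items()}


if __name__ == "__main__":
    for name, data in sample_plists().items():
        verdict = audit_launch_agent(data)
        print(name, "->", "SUSPICIOUS" if verdict["suspicious"] else "ok", verdict["reasons"])
```

On a live system the same function can be applied to every `.plist` under `~/Library/LaunchAgents` and `/Library/LaunchAgents`; a user-writable agent that points into a hidden directory and runs at every login is exactly the pattern the post describes.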
The OceanLotus backdoor has maintained a low AV detection rate since its discovery in 2015; however, this iteration shows notable differences from its predecessor, such as the use of a decoy document to disguise the Trojan, a method more common among malware on Windows systems. The cybercriminals also use a customized binary protocol for communication rather than the usual web server. They chose the well-known port 443 because its use for HTTPS connections makes it highly unlikely that firewalls will block it.
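The choice of port 443 defeats port-based blocking, but it also creates a detection opportunity: genuine HTTPS traffic on 443 starts with a TLS ClientHello, and a custom binary protocol does not. The script below is an added example, not code from the post or from Unit 42. It checks the first bytes a client sends on a port-443 flow against the TLS record header (content type 0x16, version 0x03xx, handshake type 0x01) and reports flows that do not match. The flow records are constructed sample data, not captured OceanLotus traffic.

```python
"""Flag port-443 flows whose first client bytes are not a TLS ClientHello.
Added example; the flows below are constructed sample data."""


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """TLS record header: content type 0x16 (handshake), version 0x03 0x00..0x04,
    two-byte length, then handshake type 0x01 (ClientHello)."""
    if len(payload) < 6:
        return False
    content_type, major, minor, handshake_type = payload[0], payload[1], payload[2], payload[5]
    return (content_type == 0x16 and major == 0x03
            and minor in (0x00, 0x01, 0x02, 0x03, 0x04) and handshake_type == 0x01)


def find_non_tls_443_flows(flows) -> list:
    """Return ids of flows to port 443 whose first client payload is not TLS."""
    flagged = []
    for flow in flows:
        if flow["dport"] != 443:
            continue
        if not looks_like_tls_client_hello(flow["first_bytes"]):
            flagged.append(flow["id"])
    return flagged


# Constructed flows. 'tls-ok' carries a plausible ClientHello record header;
# 'custom-bin' is an opaque binary blob; 'plain-http' is cleartext HTTP on 443.
SAMPLE_FLOWS = [
    {"id": "tls-ok", "dst": "203.0.113.10", "dport": 443,
     "first_bytes": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 8},
    {"id": "custom-bin", "dst": "203.0.113.20", "dport": 443,
     "first_bytes": b"\x41\x00\x00\x00\x10\x9a\x7f\x21\x03\x00\x00\x00"},
    {"id": "plain-http", "dst": "203.0.113.30", "dport": 443,
     "first_bytes": b"GET / HTTP/1.1\r\nHost: example.test\r\n"},
    {"id": "ssh-22", "dst": "203.0.113.40", "dport": 22,
     "first_bytes": b"SSH-2.0-OpenSSH\r\n"},
]


def run_detection() -> list:
    return find_non_tls_443_flows(SAMPLE_FLOWS)


if __name__ == "__main__":
    for flow_id in run_detection():
        print("port 443 without TLS handshake:", flow_id)
```

This heuristic assumes the sensor sees the first client-to-server bytes of each TCP flow; it will not see inside traffic that is itself wrapped in real TLS, and some legitimate software does speak non-TLS protocols on 443, so the output is a list of flows to triage rather than a verdict on its own.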
The authors of this backdoor iteration show a deep understanding of macOS. For a start, they were able to trick the OS into treating the folder containing the decoy document file as an application bundle despite its obvious .docx extension. Their expertise shows most, however, in their abstaining from including command-line utilities or any suspicious strings. This serves two purposes: it hides their real motive, since there are no hints as to what the malware is doing to the victim, and it keeps the malware under the radar, since static analysis will make it look less dubious than it really is.
According to SC Magazine, the Vietnamese APT OceanLotus is linked to various malicious campaigns in Vietnam that have targeted multiple Vietnamese and foreign-owned corporations in recent years. Given the sophistication and patience this group shows, all we can say for now is: be careful when downloading attachments, you never know what's hiding in there.