Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Инструмент OSX_OCEANLOTUS.D
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Инструмент
OSX_OCEANLOTUS.D
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

OSX_OCEANLOTUS.D

OSX_OCEANLOTUS.D is a MacOS backdoor with several variants that has been used by APT32.(Citation: TrendMicro MacOS April 2018)(Citation: Trend Micro MacOS Backdoor November 2020)
ID: S0352
Associated Software: Backdoor.MacOS.OCEANLOTUS.F
Type: MALWARE
Platforms: Windows
Version: 2.2
Created: 30 Jan 2019
Last Modified: 14 Jan 2022

Associated Software Descriptions
Name Description
Backdoor.MacOS.OCEANLOTUS.F (Citation: Trend Micro MacOS Backdoor November 2020)

Techniques Used
Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

OSX_OCEANLOTUS.D can use HTTP POST and GET requests to send and receive C2 information.(Citation: Trend Micro MacOS Backdoor November 2020)
Enterprise T1560 .003 Archive Collected Data: Archive via Custom Method

OSX_OCEANLOTUS.D scrambles and encrypts data using AES256 before sending it to the C2 server.(Citation: TrendMicro MacOS April 2018)(Citation: Trend Micro MacOS Backdoor November 2020)
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

OSX_OCEANLOTUS.D uses PowerShell scripts.(Citation: TrendMicro MacOS April 2018)
.004 Command and Scripting Interpreter: Unix Shell

OSX_OCEANLOTUS.D uses a shell script as the main executable inside an app bundle and drops an embedded base64-encoded payload to the /tmp folder.(Citation: Trend Micro MacOS Backdoor November 2020)(Citation: sentinelone apt32 macOS backdoor 2020)

.005 Command and Scripting Interpreter: Visual Basic

OSX_OCEANLOTUS.D uses Word macros for execution.(Citation: TrendMicro MacOS April 2018)

Enterprise T1543 .001 Create or Modify System Process: Launch Agent

OSX_OCEANLOTUS.D can create a persistence file in the folder /Library/LaunchAgents.(Citation: TrendMicro MacOS April 2018)(Citation: Trend Micro MacOS Backdoor November 2020)
.004 Create or Modify System Process: Launch Daemon

If running with root permissions, OSX_OCEANLOTUS.D can create a persistence file in the folder /Library/LaunchDaemons.(Citation: TrendMicro MacOS April 2018)(Citation: sentinelone apt32 macOS backdoor 2020)

Enterprise T1222 .002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification

OSX_OCEANLOTUS.D has changed permissions of a second-stage payload to an executable via chmod.(Citation: sentinelone apt32 macOS backdoor 2020)
Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

OSX_OCEANLOTUS.D sets the main loader file’s attributes to hidden.(Citation: TrendMicro MacOS April 2018)
Enterprise T1070 .004 Indicator Removal: File Deletion

OSX_OCEANLOTUS.D has a command to delete a file from the system. OSX_OCEANLOTUS.D deletes the app bundle and dropper after execution.(Citation: TrendMicro MacOS April 2018)(Citation: Trend Micro MacOS Backdoor November 2020)
.006 Indicator Removal: Timestomp

OSX_OCEANLOTUS.D can use the touch -t command to change timestamps.(Citation: Trend Micro MacOS Backdoor November 2020)(Citation: 20 macOS Common Tools and Techniques)

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

OSX_OCEANLOTUS.D has disguised its app bundle by adding special characters to the filename and using the icon for legitimate Word documents.(Citation: Trend Micro MacOS Backdoor November 2020)
Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

OSX_OCEANLOTUS.D has a variant that is packed with UPX.(Citation: ESET OceanLotus macOS April 2019)
Enterprise T1553 .001 Subvert Trust Controls: Gatekeeper Bypass

OSX_OCEANLOTUS.D uses the command xattr -d com.apple.quarantine to remove the quarantine file attribute used by Gatekeeper.(Citation: Trend Micro MacOS Backdoor November 2020)(Citation: 20 macOS Common Tools and Techniques)
Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

OSX_OCEANLOTUS.D has variants that check a number of system parameters to see if it is being run on real hardware or in a virtual machine environment, such as sysctl hw.model.(Citation: ESET OceanLotus macOS April 2019)(Citation: 20 macOS Common Tools and Techniques)

Groups That Use This Software
ID Name References
G0050 APT32

(Citation: TrendMicro MacOS April 2018) (Citation: Amnesty Intl. Ocean Lotus February 2021)

References

  1. Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018.
  2. Magisa, L. (2020, November 27). New MacOS Backdoor Connected to OceanLotus Surfaces. Retrieved December 2, 2020.
  3. Phil Stokes. (2020, December 2). APT32 Multi-stage macOS Trojan Innovates on Crimeware Scripting Technique. Retrieved September 13, 2021.
  4. Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
  5. Amnesty International. (2021, February 24). Vietnamese activists targeted by notorious hacking group. Retrieved March 1, 2021.
  6. Dumont, R.. (2019, April 9). OceanLotus: macOS malware update. Retrieved April 15, 2019.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.