OSX_OCEANLOTUS.D
Associated Software Descriptions

Name | Description
---|---
Backdoor.MacOS.OCEANLOTUS.F | (Citation: Trend Micro MacOS Backdoor November 2020)
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | OSX_OCEANLOTUS.D can also use HTTP POST and GET requests to send and receive C2 information. (Citation: Trend Micro MacOS Backdoor November 2020)
Enterprise | T1560.002 | Archive Collected Data: Archive via Library | OSX_OCEANLOTUS.D scrambles and encrypts data using AES256 before sending it to the C2 server. (Citation: TrendMicro MacOS April 2018) (Citation: Trend Micro MacOS Backdoor November 2020)
Enterprise | T1560.003 | Archive Collected Data: Archive via Custom Method | OSX_OCEANLOTUS.D has used AES in CBC mode to encrypt collected data when saving that data to disk. (Citation: Unit42 OceanLotus 2017)
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | OSX_OCEANLOTUS.D uses PowerShell scripts. (Citation: TrendMicro MacOS April 2018)
Enterprise | T1059.004 | Command and Scripting Interpreter: Unix Shell | OSX_OCEANLOTUS.D uses a shell script as the main executable inside an app bundle and drops an embedded base64-encoded payload to the
Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | OSX_OCEANLOTUS.D uses Word macros for execution. (Citation: TrendMicro MacOS April 2018)
Enterprise | T1543.001 | Create or Modify System Process: Launch Agent | OSX_OCEANLOTUS.D can create a persistence file in the folder
Enterprise | T1543.004 | Create or Modify System Process: Launch Daemon | If running with
Enterprise | T1132.001 | Data Encoding: Standard Encoding | OSX_OCEANLOTUS.D has used `zlib` to compress all data after offset 0x52 for the custom TCP C2 protocol. (Citation: Unit42 OceanLotus 2017)
Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | OSX_OCEANLOTUS.D encrypts data sent back to the C2 using AES in CBC mode with a null initialization vector (IV) and a key sent from the server that is padded to 32 bytes. (Citation: Unit42 OceanLotus 2017)
Enterprise | T1222.002 | File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification | OSX_OCEANLOTUS.D has changed permissions of a second-stage payload to an executable via
Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories | OSX_OCEANLOTUS.D sets the main loader file's attributes to hidden. (Citation: TrendMicro MacOS April 2018)
Enterprise | T1070.004 | Indicator Removal: File Deletion | OSX_OCEANLOTUS.D has a command to delete a file from the system. OSX_OCEANLOTUS.D deletes the app bundle and dropper after execution. (Citation: TrendMicro MacOS April 2018) (Citation: Trend Micro MacOS Backdoor November 2020) (Citation: Unit42 OceanLotus 2017)
Enterprise | T1070.006 | Indicator Removal: Timestomp | OSX_OCEANLOTUS.D can use the
Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | OSX_OCEANLOTUS.D uses file naming conventions and matching executable locations to blend in with the macOS TimeMachine and OpenSSL services. For example, it names a LaunchAgent plist file `com.apple.openssl.plist`, which executes OSX_OCEANLOTUS.D from the user's `~/Library/OpenSSL/` folder upon user login. (Citation: Unit42 OceanLotus 2017)
Enterprise | T1036.008 | Masquerading: Masquerade File Type | OSX_OCEANLOTUS.D has disguised its true file structure as an application bundle by adding special characters to the filename and using the icon for legitimate Word documents. (Citation: Trend Micro MacOS Backdoor November 2020)
Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | OSX_OCEANLOTUS.D has a variant that is packed with UPX. (Citation: ESET OceanLotus macOS April 2019)
Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | OSX_OCEANLOTUS.D encrypts its strings in RSA256 and encodes them in a custom base64 scheme and XOR. (Citation: TrendMicro MacOS April 2018)
Enterprise | T1553.001 | Subvert Trust Controls: Gatekeeper Bypass | OSX_OCEANLOTUS.D uses the command
Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | OSX_OCEANLOTUS.D checks a number of system parameters, such as `sysctl hw.model` and the kernel boot time, to determine whether it is running on real hardware or in a virtual machine. (Citation: Unit42 OceanLotus 2017) (Citation: ESET OceanLotus macOS April 2019) (Citation: 20 macOS Common Tools and Techniques)
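The T1036.004 row above describes a LaunchAgent named `com.apple.openssl.plist` that launches the backdoor from the user's `~/Library/OpenSSL/` folder. That pattern (an Apple-namespaced launch item whose program lives outside system-owned paths) is a cheap thing to hunt for. The script below is an added example written for this page; it is not code from ATT&CK or from any of the cited reports. The list of trusted path prefixes, the sample plist dictionaries and the `placeholder_binary` name are assumptions constructed for illustration, and the hidden-path check is a generalisation drawn from the T1564.001 row rather than a documented OceanLotus indicator.

```python
"""Audit launchd plists for the Apple-lookalike persistence pattern noted above.

Added example (not from the ATT&CK page or the cited reports). It flags a
LaunchAgent/LaunchDaemon plist whose filename or Label claims the com.apple.
namespace while the program it launches lives outside system-owned paths,
e.g. a com.apple.openssl.plist pointing into ~/Library/OpenSSL/.
"""
import os
import plistlib
from pathlib import Path
from typing import Dict, List, Optional

# Where a genuine com.apple.* launch item is expected to execute from.
# This allow-list is an assumption for the example; tune it for your fleet.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")


def program_path(plist: dict) -> Optional[str]:
    """Return the executable launchd would run for this plist, if any."""
    if "Program" in plist:
        return str(plist["Program"])
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args:
        return str(args[0])
    return None


def assess_launch_item(filename: str, plist: dict) -> List[str]:
    """Return the reasons this launch item looks masqueraded (empty if clean)."""
    reasons: List[str] = []
    prog = program_path(plist)
    if prog is None:
        return reasons  # nothing to run, nothing to assess
    label = str(plist.get("Label", ""))
    claims_apple = filename.startswith("com.apple.") or label.startswith("com.apple.")
    resolved = os.path.expanduser(prog)
    if claims_apple and not resolved.startswith(TRUSTED_PREFIXES):
        reasons.append(f"com.apple.* name but program outside system paths: {prog}")
    # A hidden directory or file in the program path (cf. T1564.001) is a second cheap signal.
    if any(part.startswith(".") for part in Path(resolved).parts if part not in (".", "..")):
        reasons.append(f"program path contains a hidden component: {prog}")
    return reasons


def scan_directory(directory: Path) -> Dict[str, List[str]]:
    """Scan *.plist files in one launchd directory; map filename -> reasons."""
    findings: Dict[str, List[str]] = {}
    for plist_file in sorted(directory.glob("*.plist")):
        try:
            with plist_file.open("rb") as fh:
                data = plistlib.load(fh)  # handles both XML and binary plists
        except Exception as exc:  # an unreadable plist in a launchd dir is itself worth a look
            findings[plist_file.name] = [f"unreadable plist: {exc}"]
            continue
        if isinstance(data, dict):
            reasons = assess_launch_item(plist_file.name, data)
            if reasons:
                findings[plist_file.name] = reasons
    return findings


# Constructed samples (not real artefacts) modelled on the naming pattern above.
SAMPLE_MASQUERADE = {
    "Label": "com.apple.openssl",
    "ProgramArguments": ["/Users/example/Library/OpenSSL/placeholder_binary"],
    "RunAtLoad": True,
}
SAMPLE_BENIGN = {
    "Label": "com.example.updater",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"],
    "RunAtLoad": True,
}


if __name__ == "__main__":
    for name, sample in (("com.apple.openssl.plist", SAMPLE_MASQUERADE),
                         ("com.example.updater.plist", SAMPLE_BENIGN)):
        print(name, assess_launch_item(name, sample) or "clean")
    # Live scan of the usual launchd locations on the host running the script.
    for location in ("~/Library/LaunchAgents", "/Library/LaunchAgents", "/Library/LaunchDaemons"):
        path = Path(os.path.expanduser(location))
        if path.is_dir():
            for fname, reasons in scan_directory(path).items():
                print(f"{path / fname}: {'; '.join(reasons)}")
```

Run it as-is to see the two constructed samples classified, then point `scan_directory` at the LaunchAgents and LaunchDaemons folders of a host you administer. The allow-list approach deliberately errs toward false positives: a third-party tool that uses an Apple-style label will be flagged, which is the right default for a triage script.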
Groups That Use This Software

ID | Name | References
---|---|---
G0050 | APT32 | (Citation: TrendMicro MacOS April 2018) (Citation: Amnesty Intl. Ocean Lotus February 2021)
References

- Erye Hernandez and Danny Tsechansky. (2017, June 22). The New and Improved macOS Backdoor from OceanLotus. Retrieved September 8, 2023.
- Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018.
- Magisa, L. (2020, November 27). New MacOS Backdoor Connected to OceanLotus Surfaces. Retrieved December 2, 2020.
- Phil Stokes. (2020, December 2). APT32 Multi-stage macOS Trojan Innovates on Crimeware Scripting Technique. Retrieved September 13, 2021.
- Dumont, R. (2019, April 9). OceanLotus: macOS malware update. Retrieved April 15, 2019.
- Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- Amnesty International. (2021, February 24). Vietnamese activists targeted by notorious hacking group. Retrieved March 1, 2021.