OSX_OCEANLOTUS.D
OSX_OCEANLOTUS.D is a macOS backdoor used by APT32. First discovered in 2015, APT32 has continued to make improvements using a plugin architecture to extend capabilities, specifically using .dylib files. OSX_OCEANLOTUS.D can also determine it's permission level and execute according to access type (root or user).[1][2][3]
Associated Software Descriptions
| Name | Description |
|---|---|
| Backdoor.MacOS.OCEANLOTUS.F |
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
OSX_OCEANLOTUS.D can also use use HTTP POST and GET requests to send and receive C2 information.[3] |
| Enterprise | T1560 | .002 | Archive Collected Data: Archive via Library |
OSX_OCEANLOTUS.D scrambles and encrypts data using AES256 before sending it to the C2 server.[2][3] |
| .003 | Archive Collected Data: Archive via Custom Method |
OSX_OCEANLOTUS.D has used AES in CBC mode to encrypt collected data when saving that data to disk.[1] |
||
| Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
OSX_OCEANLOTUS.D uses PowerShell scripts.[2] |
| .004 | Command and Scripting Interpreter: Unix Shell |
OSX_OCEANLOTUS.D uses a shell script as the main executable inside an app bundle and drops an embedded base64-encoded payload to the |
||
| .005 | Command and Scripting Interpreter: Visual Basic |
OSX_OCEANLOTUS.D uses Word macros for execution.[2] |
||
| Enterprise | T1543 | .001 | Create or Modify System Process: Launch Agent |
OSX_OCEANLOTUS.D can create a persistence file in the folder |
| .004 | Create or Modify System Process: Launch Daemon |
If running with |
||
| Enterprise | T1132 | .001 | Data Encoding: Standard Encoding |
OSX_OCEANLOTUS.D has used |
| Enterprise | T1005 | Data from Local System |
OSX_OCEANLOTUS.D has the ability to upload files from a compromised host.[3] |
|
| Enterprise | T1140 | Deobfuscate/Decode Files or Information |
OSX_OCEANLOTUS.D uses a decode routine combining bit shifting and XOR operations with a variable key that depends on the length of the string that was encoded. If the computation for the variable XOR key turns out to be 0, the default XOR key of 0x1B is used. This routine is also referenced as the |
|
| Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography |
OSX_OCEANLOTUS.D encrypts data sent back to the C2 using AES in CBC mode with a null initialization vector (IV) and a key sent from the server that is padded to 32 bytes.[1] |
| Enterprise | T1222 | .002 | File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification |
OSX_OCEANLOTUS.D has changed permissions of a second-stage payload to an executable via |
| Enterprise | T1564 | .001 | Hide Artifacts: Hidden Files and Directories |
OSX_OCEANLOTUS.D sets the main loader file’s attributes to hidden.[2] |
| Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
OSX_OCEANLOTUS.D has a command to delete a file from the system. OSX_OCEANLOTUS.D deletes the app bundle and dropper after execution.[2][3][1] |
| .006 | Indicator Removal: Timestomp |
OSX_OCEANLOTUS.D can use the |
||
| Enterprise | T1105 | Ingress Tool Transfer |
OSX_OCEANLOTUS.D has a command to download and execute a file on the victim’s machine.[2][3] |
|
| Enterprise | T1036 | .004 | Masquerading: Masquerade Task or Service |
OSX_OCEANLOTUS.D uses file naming conventions with associated executable locations to blend in with the macOS TimeMachine and OpenSSL services. Such as, naming a LaunchAgent plist file |
| .008 | Masquerading: Masquerade File Type |
OSX_OCEANLOTUS.D has disguised it's true file structure as an application bundle by adding special characters to the filename and using the icon for legitimate Word documents.[3] |
||
| Enterprise | T1095 | Non-Application Layer Protocol |
OSX_OCEANLOTUS.D has used a custom binary protocol over port 443 for C2 traffic.[1] |
|
| Enterprise | T1571 | Non-Standard Port |
OSX_OCEANLOTUS.D has used a custom binary protocol over TCP port 443 for C2.[1] |
|
| Enterprise | T1027 | .002 | Obfuscated Files or Information: Software Packing |
OSX_OCEANLOTUS.D has a variant that is packed with UPX.[6] |
| .013 | Obfuscated Files or Information: Encrypted/Encoded File |
OSX_OCEANLOTUS.D encrypts its strings in RSA256 and encodes them in a custom base64 scheme and XOR.[2] |
||
| Enterprise | T1129 | Shared Modules |
For network communications, OSX_OCEANLOTUS.D loads a dynamic library ( |
|
| Enterprise | T1553 | .001 | Subvert Trust Controls: Gatekeeper Bypass |
OSX_OCEANLOTUS.D uses the command |
| Enterprise | T1082 | System Information Discovery |
OSX_OCEANLOTUS.D collects processor information, memory information, computer name, hardware UUID, serial number, and operating system version. OSX_OCEANLOTUS.D has used the |
|
| Enterprise | T1016 | System Network Configuration Discovery |
OSX_OCEANLOTUS.D can collect the network interface MAC address on the infected host.[2][3] |
|
| Enterprise | T1497 | .001 | Virtualization/Sandbox Evasion: System Checks |
OSX_OCEANLOTUS.D checks a number of system parameters to see if it is being run on real hardware or in a virtual machine environment, such as |
Groups That Use This Software
References
- Erye Hernandez and Danny Tsechansky. (2017, June 22). The New and Improved macOS Backdoor from OceanLotus. Retrieved September 8, 2023.
- Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018.
- Magisa, L. (2020, November 27). New MacOS Backdoor Connected to OceanLotus Surfaces. Retrieved December 2, 2020.
- Phil Stokes. (2020, December 2). APT32 Multi-stage macOS Trojan Innovates on Crimeware Scripting Technique. Retrieved September 13, 2021.
- Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- Dumont, R.. (2019, April 9). OceanLotus: macOS malware update. Retrieved April 15, 2019.
- Amnesty International. (2021, February 24). Vietnamese activists targeted by notorious hacking group. Retrieved March 1, 2021.