OSX_OCEANLOTUS.D

OSX_OCEANLOTUS.D is a macOS backdoor used by APT32. First discovered in 2015, APT32 has continued to make improvements using a plugin architecture to extend capabilities, specifically using .dylib files. OSX_OCEANLOTUS.D can also determine it's permission level and execute according to access type (root or user).[1][2][3]

ID: S0352
Associated Software: Backdoor.MacOS.OCEANLOTUS.F
Type: MALWARE
Platforms: macOS
Version: 3.0
Created: 30 January 2019
Last Modified: 12 October 2023

Associated Software Descriptions

Name Description
Backdoor.MacOS.OCEANLOTUS.F

[3]

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

OSX_OCEANLOTUS.D can also use use HTTP POST and GET requests to send and receive C2 information.[3]

Enterprise T1560 .002 Archive Collected Data: Archive via Library

OSX_OCEANLOTUS.D scrambles and encrypts data using AES256 before sending it to the C2 server.[2][3]

.003 Archive Collected Data: Archive via Custom Method

OSX_OCEANLOTUS.D has used AES in CBC mode to encrypt collected data when saving that data to disk.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

OSX_OCEANLOTUS.D uses PowerShell scripts.[2]

.004 Command and Scripting Interpreter: Unix Shell

OSX_OCEANLOTUS.D uses a shell script as the main executable inside an app bundle and drops an embedded base64-encoded payload to the /tmp folder.[3][4]

.005 Command and Scripting Interpreter: Visual Basic

OSX_OCEANLOTUS.D uses Word macros for execution.[2]

Enterprise T1543 .001 Create or Modify System Process: Launch Agent

OSX_OCEANLOTUS.D can create a persistence file in the folder /Library/LaunchAgents.[2][3]

.004 Create or Modify System Process: Launch Daemon

If running with root permissions, OSX_OCEANLOTUS.D can create a persistence file in the folder /Library/LaunchDaemons.[2][4]

Enterprise T1132 .001 Data Encoding: Standard Encoding

OSX_OCEANLOTUS.D has used zlib to compress all data after 0x52 for the custom TCP C2 protocol.[1]

Enterprise T1005 Data from Local System

OSX_OCEANLOTUS.D has the ability to upload files from a compromised host.[3]

Enterprise T1140 Deobfuscate/Decode Files or Information

OSX_OCEANLOTUS.D uses a decode routine combining bit shifting and XOR operations with a variable key that depends on the length of the string that was encoded. If the computation for the variable XOR key turns out to be 0, the default XOR key of 0x1B is used. This routine is also referenced as the rotate function in reporting.[1]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

OSX_OCEANLOTUS.D encrypts data sent back to the C2 using AES in CBC mode with a null initialization vector (IV) and a key sent from the server that is padded to 32 bytes.[1]

Enterprise T1222 .002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification

OSX_OCEANLOTUS.D has changed permissions of a second-stage payload to an executable via chmod.[4]

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

OSX_OCEANLOTUS.D sets the main loader file’s attributes to hidden.[2]

Enterprise T1070 .004 Indicator Removal: File Deletion

OSX_OCEANLOTUS.D has a command to delete a file from the system. OSX_OCEANLOTUS.D deletes the app bundle and dropper after execution.[2][3][1]

.006 Indicator Removal: Timestomp

OSX_OCEANLOTUS.D can use the touch -t command to change timestamps.[3][5]

Enterprise T1105 Ingress Tool Transfer

OSX_OCEANLOTUS.D has a command to download and execute a file on the victim’s machine.[2][3]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

OSX_OCEANLOTUS.D uses file naming conventions with associated executable locations to blend in with the macOS TimeMachine and OpenSSL services. Such as, naming a LaunchAgent plist file com.apple.openssl.plist which executes OSX_OCEANLOTUS.D from the user's ~/Library/OpenSSL/ folder upon user login.[1]

.008 Masquerading: Masquerade File Type

OSX_OCEANLOTUS.D has disguised it's true file structure as an application bundle by adding special characters to the filename and using the icon for legitimate Word documents.[3]

Enterprise T1095 Non-Application Layer Protocol

OSX_OCEANLOTUS.D has used a custom binary protocol over port 443 for C2 traffic.[1]

Enterprise T1571 Non-Standard Port

OSX_OCEANLOTUS.D has used a custom binary protocol over TCP port 443 for C2.[1]

Enterprise T1027 Obfuscated Files or Information

OSX_OCEANLOTUS.D encrypts its strings in RSA256 and encodes them in a custom base64 scheme and XOR.[2]

.002 Software Packing

OSX_OCEANLOTUS.D has a variant that is packed with UPX.[6]

Enterprise T1129 Shared Modules

For network communications, OSX_OCEANLOTUS.D loads a dynamic library (.dylib file) using dlopen() and obtains a function pointer to execute within that shared library using dlsym().[1]

Enterprise T1553 .001 Subvert Trust Controls: Gatekeeper Bypass

OSX_OCEANLOTUS.D uses the command xattr -d com.apple.quarantine to remove the quarantine file attribute used by Gatekeeper.[3][5]

Enterprise T1082 System Information Discovery

OSX_OCEANLOTUS.D collects processor information, memory information, computer name, hardware UUID, serial number, and operating system version. OSX_OCEANLOTUS.D has used the ioreg command to gather some of this information.[2][3][5]

Enterprise T1016 System Network Configuration Discovery

OSX_OCEANLOTUS.D can collect the network interface MAC address on the infected host.[2][3]

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

OSX_OCEANLOTUS.D checks a number of system parameters to see if it is being run on real hardware or in a virtual machine environment, such as sysctl hw.model and the kernel boot time.[1][6][5]

Groups That Use This Software

ID Name References
G0050 APT32

[2][7]

References