OSX_OCEANLOTUS.D

OSX_OCEANLOTUS.D is a macOS backdoor that has been used by APT32.[1]

ID: S0352
Type: MALWARE
Platforms: macOS
Version: 1.2
Created: 30 January 2019
Last Modified: 23 June 2020

Techniques Used

Domain ID Name Use
Enterprise T1560 Archive Collected Data

OSX_OCEANLOTUS.D scrambles and encrypts data using AES256 before sending it to the C2 server.[1]

Enterprise T1059.005 Command and Scripting Interpreter: Visual Basic

OSX_OCEANLOTUS.D uses Word macros for execution.[1]

Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

OSX_OCEANLOTUS.D uses PowerShell scripts.[1]

Enterprise T1543.004 Create or Modify System Process: Launch Daemon

OSX_OCEANLOTUS.D can create a persistence file in the folder /Library/LaunchDaemons.[1]

Enterprise T1543.001 Create or Modify System Process: Launch Agent

OSX_OCEANLOTUS.D can create a persistence file in the folder /Library/LaunchAgents.[1]

Enterprise T1564.001 Hide Artifacts: Hidden Files and Directories

OSX_OCEANLOTUS.D sets the main loader file’s attributes to hidden.[1]

Enterprise T1070.004 Indicator Removal on Host: File Deletion

OSX_OCEANLOTUS.D has a command to delete a file from the system.[1]

Enterprise T1105 Ingress Tool Transfer

OSX_OCEANLOTUS.D has a command to download and execute a file on the victim’s machine.[1]

Enterprise T1027 Obfuscated Files or Information

OSX_OCEANLOTUS.D encrypts its strings in RSA256 and encodes them in a custom base64 scheme and XOR.[1]

Enterprise T1027.002 Obfuscated Files or Information: Software Packing

OSX_OCEANLOTUS.D has a variant that is packed with UPX.[2]

Enterprise T1082 System Information Discovery

OSX_OCEANLOTUS.D collects the MAC address, computer name, hardware UUID, serial number, and operating system version.[1]

Enterprise T1497.001 Virtualization/Sandbox Evasion: System Checks

OSX_OCEANLOTUS.D has a variant that checks a number of system parameters to see if it is being run on real hardware or in a virtual machine environment.[2]

Groups That Use This Software

ID Name References
G0050 APT32 [1]