OSX_OCEANLOTUS.D

OSX_OCEANLOTUS.D is a macOS backdoor that has been used by APT32.[1]

ID: S0352
Type: MALWARE
Platforms: macOS

Version: 1.0

Techniques Used

Domain     | ID    | Name                              | Use
-----------|-------|-----------------------------------|--------------------------------------------------------------------------------------------------------------
Enterprise | T1059 | Command-Line Interface            | OSX_OCEANLOTUS.D can run commands through a terminal on the victim's machine.[1]
Enterprise | T1022 | Data Encrypted                    | OSX_OCEANLOTUS.D scrambles and encrypts data using AES256 before sending it to the C2 server.[1]
Enterprise | T1107 | File Deletion                     | OSX_OCEANLOTUS.D has a command to delete a file from the system.[1]
Enterprise | T1158 | Hidden Files and Directories      | OSX_OCEANLOTUS.D sets the main loader file's attributes to hidden.[1]
Enterprise | T1159 | Launch Agent                      | OSX_OCEANLOTUS.D can create a persistence file in the folder /Library/LaunchAgents.[1]
Enterprise | T1160 | Launch Daemon                     | OSX_OCEANLOTUS.D can create a persistence file in the folder /Library/LaunchDaemons.[1]
Enterprise | T1027 | Obfuscated Files or Information   | OSX_OCEANLOTUS.D encrypts its strings in RSA256 and encodes them in a custom base64 scheme and XOR.[1]
Enterprise | T1105 | Remote File Copy                  | OSX_OCEANLOTUS.D has a command to download and execute a file on the victim's machine.[1]
Enterprise | T1064 | Scripting                         | OSX_OCEANLOTUS.D uses macros for execution as well as VBS and PowerShell scripts.[1]
Enterprise | T1082 | System Information Discovery      | OSX_OCEANLOTUS.D collects the MAC address, computer name, hardware UUID, serial number, and operating system version.[1]

Groups

Groups that use this software:

APT32

References