OSX_OCEANLOTUS.D is a MacOS backdoor with several variants that has been used by APT32.[1][2]

ID: S0352
Associated Software: Backdoor.MacOS.OCEANLOTUS.F
Platforms: macOS
Version: 2.0
Created: 30 January 2019
Last Modified: 02 December 2020

Associated Software Descriptions

Name Description


Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

OSX_OCEANLOTUS.D can use HTTP POST and GET requests to send and receive C2 information.[2]

Enterprise T1560 Archive Collected Data

OSX_OCEANLOTUS.D scrambles and encrypts data using AES256 before sending it to the C2 server.[1][2]

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

OSX_OCEANLOTUS.D uses Word macros for execution.[1]

.001 Command and Scripting Interpreter: PowerShell

OSX_OCEANLOTUS.D uses PowerShell scripts.[1]

.004 Command and Scripting Interpreter: Unix Shell

OSX_OCEANLOTUS.D can use shell script to execute malicious code.[2]

Enterprise T1543 .004 Create or Modify System Process: Launch Daemon

OSX_OCEANLOTUS.D can create a persistence file in the folder /Library/LaunchDaemons.[1]

.001 Create or Modify System Process: Launch Agent

OSX_OCEANLOTUS.D can create a persistence file in the folder /Library/LaunchAgents.[1][2]

Enterprise T1005 Data from Local System

OSX_OCEANLOTUS.D has the ability to upload files from a compromised host..[2]

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

OSX_OCEANLOTUS.D sets the main loader file’s attributes to hidden.[1]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

OSX_OCEANLOTUS.D has a command to delete a file from the system.[1][2]

.006 Indicator Removal on Host: Timestomp

OSX_OCEANLOTUS.D can use the touch command to change timestamps.[2]

Enterprise T1105 Ingress Tool Transfer

OSX_OCEANLOTUS.D has a command to download and execute a file on the victim’s machine.[1][2]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

OSX_OCEANLOTUS.D has disguised its app bundle by adding special characters to the filename and using the icon for legitimate Word documents.[2]

Enterprise T1027 Obfuscated Files or Information

OSX_OCEANLOTUS.D encrypts its strings in RSA256 and encodes them in a custom base64 scheme and XOR.[1]

.002 Software Packing

OSX_OCEANLOTUS.D has a variant that is packed with UPX.[3]

Enterprise T1553 .001 Subvert Trust Controls: Gatekeeper Bypass

OSX_OCEANLOTUS.D can delete the file quarantine attribute.[2]

Enterprise T1082 System Information Discovery

OSX_OCEANLOTUS.D collects processor information, memory information, computer name, hardware UUID, serial number, and operating system version.[1][2]

Enterprise T1016 System Network Configuration Discovery

OSX_OCEANLOTUS.D can collect the network interface MAC address on the infected host.[1][2]

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

OSX_OCEANLOTUS.D has a variant that checks a number of system parameters to see if it is being run on real hardware or in a virtual machine environment.[3]

Groups That Use This Software

ID Name References
G0050 APT32