OSX_OCEANLOTUS.D is a MacOS backdoor with several variants that has been used by APT32.[1][2]

ID: S0352
Associated Software: Backdoor.MacOS.OCEANLOTUS.F
Platforms: macOS
Version: 2.2
Created: 30 January 2019
Last Modified: 14 January 2022

Associated Software Descriptions

Name Description


Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

OSX_OCEANLOTUS.D can use HTTP POST and GET requests to send and receive C2 information.[2]

Enterprise T1560 .003 Archive Collected Data: Archive via Custom Method

OSX_OCEANLOTUS.D scrambles and encrypts data using AES256 before sending it to the C2 server.[1][2]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

OSX_OCEANLOTUS.D uses PowerShell scripts.[1]

.004 Command and Scripting Interpreter: Unix Shell

OSX_OCEANLOTUS.D uses a shell script as the main executable inside an app bundle and drops an embedded base64-encoded payload to the /tmp folder.[2][3]

.005 Command and Scripting Interpreter: Visual Basic

OSX_OCEANLOTUS.D uses Word macros for execution.[1]

Enterprise T1543 .001 Create or Modify System Process: Launch Agent

OSX_OCEANLOTUS.D can create a persistence file in the folder /Library/LaunchAgents.[1][2]

.004 Create or Modify System Process: Launch Daemon

If running with root permissions, OSX_OCEANLOTUS.D can create a persistence file in the folder /Library/LaunchDaemons.[1][3]

Enterprise T1005 Data from Local System

OSX_OCEANLOTUS.D has the ability to upload files from a compromised host.[2]

Enterprise T1222 .002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification

OSX_OCEANLOTUS.D has changed permissions of a second-stage payload to an executable via chmod.[3]

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

OSX_OCEANLOTUS.D sets the main loader file’s attributes to hidden.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

OSX_OCEANLOTUS.D has a command to delete a file from the system. OSX_OCEANLOTUS.D deletes the app bundle and dropper after execution.[1][2]

.006 Indicator Removal: Timestomp

OSX_OCEANLOTUS.D can use the touch -t command to change timestamps.[2][4]

Enterprise T1105 Ingress Tool Transfer

OSX_OCEANLOTUS.D has a command to download and execute a file on the victim’s machine.[1][2]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

OSX_OCEANLOTUS.D has disguised its app bundle by adding special characters to the filename and using the icon for legitimate Word documents.[2]

Enterprise T1027 Obfuscated Files or Information

OSX_OCEANLOTUS.D encrypts its strings in RSA256 and encodes them in a custom base64 scheme and XOR.[1]

.002 Software Packing

OSX_OCEANLOTUS.D has a variant that is packed with UPX.[5]

Enterprise T1553 .001 Subvert Trust Controls: Gatekeeper Bypass

OSX_OCEANLOTUS.D uses the command xattr -d com.apple.quarantine to remove the quarantine file attribute used by Gatekeeper.[2][4]

Enterprise T1082 System Information Discovery

OSX_OCEANLOTUS.D collects processor information, memory information, computer name, hardware UUID, serial number, and operating system version. OSX_OCEANLOTUS.D has used the ioreg command to gather some of this information.[1][2][4]

Enterprise T1016 System Network Configuration Discovery

OSX_OCEANLOTUS.D can collect the network interface MAC address on the infected host.[1][2]

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

OSX_OCEANLOTUS.D has variants that check a number of system parameters to see if it is being run on real hardware or in a virtual machine environment, such as sysctl hw.model.[5][4]

Groups That Use This Software

ID Name References
G0050 APT32