OSX_OCEANLOTUS.D

OSX_OCEANLOTUS.D is a macOS backdoor that has been used by APT32.[1]

ID: S0352
Type: MALWARE
Platforms: macOS
Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| Enterprise | T1059 | Command-Line Interface | OSX_OCEANLOTUS.D can run commands through a terminal on the victim's machine. [1] |
| Enterprise | T1022 | Data Encrypted | OSX_OCEANLOTUS.D scrambles and encrypts data using AES256 before sending it to the C2 server. [1] |
| Enterprise | T1107 | File Deletion | OSX_OCEANLOTUS.D has a command to delete a file from the system. [1] |
| Enterprise | T1158 | Hidden Files and Directories | OSX_OCEANLOTUS.D sets the main loader file's attributes to hidden. [1] |
| Enterprise | T1159 | Launch Agent | OSX_OCEANLOTUS.D can create a persistence file in the folder /Library/LaunchAgents. [1] |
| Enterprise | T1160 | Launch Daemon | OSX_OCEANLOTUS.D can create a persistence file in the folder /Library/LaunchDaemons. [1] |
| Enterprise | T1027 | Obfuscated Files or Information | OSX_OCEANLOTUS.D encrypts its strings in RSA256 and encodes them in a custom base64 scheme and XOR. [1] |
| Enterprise | T1105 | Remote File Copy | OSX_OCEANLOTUS.D has a command to download and execute a file on the victim's machine. [1] |
| Enterprise | T1064 | Scripting | OSX_OCEANLOTUS.D uses macros for execution as well as VBS and PowerShell scripts. [1] |
| Enterprise | T1082 | System Information Discovery | OSX_OCEANLOTUS.D collects the MAC address, computer name, hardware UUID, serial number, and operating system version. [1] |

Groups That Use This Software

| ID | Name | References |
| --- | --- | --- |
| G0050 | APT32 | [1] |

References