OSX_OCEANLOTUS.D

OSX_OCEANLOTUS.D is a macOS backdoor that has been used by APT32.[1]

ID: S0352
Type: MALWARE
Platforms: macOS
Version: 1.1

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface

OSX_OCEANLOTUS.D can run commands through a terminal on the victim’s machine.[1]

Enterprise T1022 Data Encrypted

OSX_OCEANLOTUS.D scrambles and encrypts data using AES256 before sending it to the C2 server.[1]

Enterprise T1107 File Deletion

OSX_OCEANLOTUS.D has a command to delete a file from the system.[1]

Enterprise T1158 Hidden Files and Directories

OSX_OCEANLOTUS.D sets the main loader file’s attributes to hidden.[1]

Enterprise T1159 Launch Agent

OSX_OCEANLOTUS.D can create a persistence file in the folder /Library/LaunchAgents.[1]

Enterprise T1160 Launch Daemon

OSX_OCEANLOTUS.D can create a persistence file in the folder /Library/LaunchDaemons.[1]
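The three entries above (T1158 hidden loader, T1159 and T1160 launchd persistence) together describe a plist dropped into /Library/LaunchAgents or /Library/LaunchDaemons that points at a loader marked hidden. The Python below is an added defender's check and is not part of this ATT&CK entry or of the referenced reports: it parses every plist in the given directories with the standard plistlib module and reports items whose plist file name or program path is hidden (a dot-prefixed name, or the BSD UF_HIDDEN flag that Finder honours on macOS). The directory list, function names and the sample plist used in the usage note are assumptions of this example, not indicators taken from the malware.

```python
"""Added example (not from the ATT&CK page): flag launchd items whose plist
or program path is hidden. Directories are parameters so the check runs
against a constructed test tree on any OS as well as the real macOS
/Library/LaunchAgents and /Library/LaunchDaemons folders."""
import os
import plistlib
import stat
from pathlib import Path

# Assumed default scan locations (the folders named in the T1159/T1160 entries).
DEFAULT_DIRS = ["/Library/LaunchAgents", "/Library/LaunchDaemons"]


def has_hidden_flag(path: Path) -> bool:
    """True if the file carries the BSD UF_HIDDEN flag (st_flags exists on
    macOS/BSD only; elsewhere getattr falls back to 0 and this is False)."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    return bool(getattr(st, "st_flags", 0) & stat.UF_HIDDEN)


def has_hidden_component(path: Path) -> bool:
    """True if any directory or file name in the path is dot-prefixed
    (ignoring the '.' and '..' pseudo-components)."""
    return any(p.startswith(".") and p not in (".", "..") for p in path.parts)


def program_path(plist: dict):
    """Return the executable a launchd plist points at, or None."""
    prog = plist.get("Program")
    if isinstance(prog, str):
        return prog
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None


def scan_launch_items(dirs=DEFAULT_DIRS):
    """Return a list of (plist_path, program, reasons) for suspicious items.
    Only the plist's own file name is tested for a dot prefix (the parent
    directory is trusted input); the program path is tested in full."""
    findings = []
    for d in dirs:
        base = Path(d)
        if not base.is_dir():
            continue
        for plist_path in sorted(base.iterdir()):
            if plist_path.suffix != ".plist" or not plist_path.is_file():
                continue
            reasons = []
            try:
                with open(plist_path, "rb") as fh:
                    data = plistlib.load(fh)
            except Exception as exc:  # malformed plists are worth a look too
                reasons.append(f"unparseable plist: {exc}")
                data = {}
            prog = program_path(data) if isinstance(data, dict) else None
            if plist_path.name.startswith(".") or has_hidden_flag(plist_path):
                reasons.append("plist file is hidden")
            if prog and (has_hidden_component(Path(prog)) or has_hidden_flag(Path(prog))):
                reasons.append("program path is hidden")
            if reasons:
                findings.append((str(plist_path), prog, reasons))
    return findings


if __name__ == "__main__":
    for plist_file, prog, why in scan_launch_items():
        print(f"{plist_file} -> {prog}: {', '.join(why)}")
```

Run it as a script on a Mac to list any flagged items in the two default folders; in a test or triage workflow call `scan_launch_items([some_dir])` with a directory of collected plists. A constructed plist whose `ProgramArguments` begins with a path such as `/Users/victim/Library/.hidden/loader` is reported with the reason "program path is hidden"; a plist named `.com.example.plist` is reported as a hidden plist file. A match is a lead, not a verdict: legitimate software occasionally uses dot-prefixed paths, so confirm with code signature and file origin before acting.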

Enterprise T1027 Obfuscated Files or Information

OSX_OCEANLOTUS.D encrypts its strings in RSA256 and encodes them in a custom base64 scheme and XOR.[1]

Enterprise T1105 Remote File Copy

OSX_OCEANLOTUS.D has a command to download and execute a file on the victim’s machine.[1]

Enterprise T1064 Scripting

OSX_OCEANLOTUS.D uses macros for execution as well as VBS and PowerShell scripts.[1]

Enterprise T1045 Software Packing

OSX_OCEANLOTUS.D has a variant that is packed with UPX.[2]

Enterprise T1082 System Information Discovery

OSX_OCEANLOTUS.D collects the MAC address, computer name, hardware UUID, serial number, and operating system version.[1]

Enterprise T1497 Virtualization/Sandbox Evasion

OSX_OCEANLOTUS.D has a variant that checks to see if it is being run in a virtual machine environment or connected to a debugger.[2]

Groups That Use This Software

ID Name References
G0050 APT32 [1]

References