OSX_OCEANLOTUS.D is a macOS backdoor used by APT32. First discovered in 2015, it has since been improved by APT32 through a plugin architecture that extends its capabilities, specifically via .dylib files. OSX_OCEANLOTUS.D can also determine its permission level and execute according to access type (root or user).[1][2][3]
| Name | Description |
|---|---|
| Backdoor.MacOS.OCEANLOTUS.F | |
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1005 | Data from Local System | OSX_OCEANLOTUS.D has the ability to upload files from a compromised host.[3] |
| Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | OSX_OCEANLOTUS.D uses file naming conventions with associated executable locations to blend in with the macOS TimeMachine and OpenSSL services, such as naming a LaunchAgent plist file |
| Enterprise | T1036.008 | Masquerading: Masquerade File Type | OSX_OCEANLOTUS.D has disguised its true file structure as an application bundle by adding special characters to the filename and using the icon for legitimate Word documents.[3] |
| Enterprise | T1129 | Shared Modules | For network communications, OSX_OCEANLOTUS.D loads a dynamic library ( |
| Enterprise | T1543.001 | Create or Modify System Process: Launch Agent | OSX_OCEANLOTUS.D can create a persistence file in the folder |
| Enterprise | T1543.004 | Create or Modify System Process: Launch Daemon | If running with |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | OSX_OCEANLOTUS.D encrypts data sent back to the C2 using AES in CBC mode with a null initialization vector (IV) and a key sent from the server that is padded to 32 bytes.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | OSX_OCEANLOTUS.D uses a decode routine combining bit shifting and XOR operations with a variable key that depends on the length of the string that was encoded. If the computation for the variable XOR key turns out to be 0, the default XOR key of 0x1B is used. This routine is also referenced as the |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | OSX_OCEANLOTUS.D uses PowerShell scripts.[2] |
| Enterprise | T1059.004 | Command and Scripting Interpreter: Unix Shell | OSX_OCEANLOTUS.D uses a shell script as the main executable inside an app bundle and drops an embedded base64-encoded payload to the |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | OSX_OCEANLOTUS.D uses Word macros for execution.[2] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | OSX_OCEANLOTUS.D can also use HTTP POST and GET requests to send and receive C2 information.[3] |
| Enterprise | T1560.002 | Archive Collected Data: Archive via Library | OSX_OCEANLOTUS.D scrambles and encrypts data using AES256 before sending it to the C2 server.[2][3] |
| Enterprise | T1560.003 | Archive Collected Data: Archive via Custom Method | OSX_OCEANLOTUS.D has used AES in CBC mode to encrypt collected data when saving that data to disk.[1] |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | OSX_OCEANLOTUS.D has used |
| Enterprise | T1222.002 | File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification | OSX_OCEANLOTUS.D has changed permissions of a second-stage payload to an executable via |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | OSX_OCEANLOTUS.D has a variant that is packed with UPX.[5] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | OSX_OCEANLOTUS.D encrypts its strings in RSA256 and encodes them in a custom base64 scheme and XOR.[2] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | OSX_OCEANLOTUS.D has a command to delete a file from the system. OSX_OCEANLOTUS.D deletes the app bundle and dropper after execution.[2][3][1] |
| Enterprise | T1070.006 | Indicator Removal: Timestomp | OSX_OCEANLOTUS.D can use the |
| Enterprise | T1082 | System Information Discovery | OSX_OCEANLOTUS.D collects processor information, memory information, computer name, hardware UUID, serial number, and operating system version. OSX_OCEANLOTUS.D has used the |
| Enterprise | T1016 | System Network Configuration Discovery | OSX_OCEANLOTUS.D can collect the network interface MAC address on the infected host.[2][3] |
| Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | OSX_OCEANLOTUS.D checks a number of system parameters to see if it is being run on real hardware or in a virtual machine environment, such as |
| Enterprise | T1105 | Ingress Tool Transfer | OSX_OCEANLOTUS.D has a command to download and execute a file on the victim's machine.[2][3] |
| Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories | OSX_OCEANLOTUS.D sets the main loader file's attributes to hidden.[2] |
| Enterprise | T1095 | Non-Application Layer Protocol | OSX_OCEANLOTUS.D has used a custom binary protocol over port 443 for C2 traffic.[1] |
| Enterprise | T1571 | Non-Standard Port | OSX_OCEANLOTUS.D has used a custom binary protocol over TCP port 443 for C2.[1] |
| Enterprise | T1553.001 | Subvert Trust Controls: Gatekeeper Bypass | OSX_OCEANLOTUS.D uses the command |
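The T1573.001 row above describes C2 data encrypted with AES in CBC mode under a null IV and a server-supplied key padded to 32 bytes. The Go program below is an added example written for this page; it is not code from OSX_OCEANLOTUS.D, from the cited reports, or from MITRE. It assumes zero-byte key padding and PKCS#7 plaintext padding (the page specifies neither) and uses constructed sample values. It shows two things an analyst wants from such a description: decrypting a captured blob once the key has been recovered from the server's reply, and why a fixed null IV leaks structure (two messages with the same first 16 plaintext bytes produce the same first ciphertext block, which lets beaconing with a constant header be spotted even without the key).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// PadKey32 right-pads a server-supplied key to 32 bytes so it selects AES-256.
// The page only says the key is "padded to 32 bytes"; zero-byte padding is an
// assumption made for this example. Keys longer than 32 bytes are rejected.
func PadKey32(key []byte) ([]byte, error) {
	if len(key) > 32 {
		return nil, errors.New("key longer than 32 bytes")
	}
	out := make([]byte, 32)
	copy(out, key)
	return out, nil
}

// pkcs7Pad and pkcs7Unpad handle plaintext block padding. The page does not
// name the plaintext padding scheme, so PKCS#7 is an assumption.
func pkcs7Pad(b []byte, bs int) []byte {
	n := bs - len(b)%bs
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, bs int) ([]byte, error) {
	if len(b) == 0 || len(b)%bs != 0 {
		return nil, errors.New("bad padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > bs || n > len(b) {
		return nil, errors.New("bad padding byte")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("inconsistent padding")
		}
	}
	return b[:len(b)-n], nil
}

// nullIV is the all-zero IV the page describes.
var nullIV = make([]byte, aes.BlockSize)

// EncryptNullIVCBC reproduces the construction (AES-CBC, zero IV) so an analyst
// can build test vectors and observe the pattern leakage. It is a model of the
// observed scheme, not a recommended way to encrypt anything.
func EncryptNullIVCBC(serverKey, plaintext []byte) ([]byte, error) {
	key, err := PadKey32(serverKey)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, nullIV).CryptBlocks(out, padded)
	return out, nil
}

// DecryptNullIVCBC recovers plaintext from a captured blob given the key seen
// in the server's reply.
func DecryptNullIVCBC(serverKey, ciphertext []byte) ([]byte, error) {
	key, err := PadKey32(serverKey)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) == 0 || len(ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	out := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, nullIV).CryptBlocks(out, ciphertext)
	return pkcs7Unpad(out, aes.BlockSize)
}

// FirstBlockEqual reports whether two ciphertexts share their first block. With
// a fixed null IV and the same key this happens exactly when the plaintexts
// share their first 16 bytes: that is the leakage a null IV introduces.
func FirstBlockEqual(c1, c2 []byte) bool {
	if len(c1) < aes.BlockSize || len(c2) < aes.BlockSize {
		return false
	}
	return bytes.Equal(c1[:aes.BlockSize], c2[:aes.BlockSize])
}

func main() {
	// Constructed sample values; not taken from real traffic.
	serverKey := []byte("constructed-server-key")
	m1 := []byte("hostname=lab-mac-01;uuid=CONSTRUCTED-1")
	m2 := []byte("hostname=lab-mac-01;uuid=CONSTRUCTED-2")
	c1, _ := EncryptNullIVCBC(serverKey, m1)
	c2, _ := EncryptNullIVCBC(serverKey, m2)
	fmt.Printf("first ciphertext blocks equal: %v\n", FirstBlockEqual(c1, c2))
	p, _ := DecryptNullIVCBC(serverKey, c1)
	fmt.Printf("decrypted: %s\n", p)
}
```

Because the IV is constant, the first ciphertext block is a deterministic function of the key and the first plaintext block, so a beacon that always starts with the same host fingerprint repeats its leading 16 bytes on every check-in. That repetition is a usable network indicator once a sample of the traffic is in hand, and the decrypt helper turns a captured key into readable exfiltrated data for the investigation.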