Apple users are at risk from a new backdoor targeting macOS. Discovered by Trend Micro researchers, the campaign is attributed to the OceanLotus hacking group (also tracked as APT32), which is widely believed to be associated with the Vietnamese government.
The group targets organizations with a presence in Vietnam, including those in the media, research, and construction sectors. The attacks are most likely carried out for cyber-espionage, although the researchers note that the attackers' precise motives remain unclear.
The new malware is a macOS backdoor that provides attackers with access to steal confidential information. Trend Micro linked the findings to OceanLotus due to similarities in the code of the malware. The code was compared to samples of previous campaigns.
“We recently discovered a new backdoor we believe to be related to the OceanLotus group. Some of the updates of this new variant (detected by Trend Micro as Backdoor.MacOS.OCEANLOTUS.F) include new behavior and domain names. As of writing, this sample is still undetected by other antimalware solutions,” the company wrote in its report.
New macOS Backdoor Linked to OceanLotus Hackers
The attack starts with a phishing email that tricks the target into opening a Zip archive posing as a Word document. Inside the archive (itself nested within several layers of Zip files) is a macOS app bundle whose name contains special characters; these characters help the bundle evade antivirus detection and make the folder appear to be a .doc file. This is how Trend Micro explains it:
Another technique it uses to evade detection is adding special characters to its app bundle name. When a user looks for the fake doc folder via the macOS Finder app or the terminal command line, the folder’s name shows “ALL tim nha Chi Ngoc Canada.doc” (“tìm nhà Chị Ngọc” roughly translates to “find Mrs. Ngoc’s house”). However, checking the original Zip file that contains the folder shows 3 unexpected bytes between “.” and “doc”.
Because of those hidden bytes, macOS does not recognize the folder's extension, so it falls back to the default action for an unknown item type, the “open” command, which launches the folder as an app bundle and executes the malicious code. “Otherwise, if the postfix is .doc without special characters, Microsoft Word is called to open the app bundle as a document; but since it is not a valid document, the app fails to open it,” the researchers add.
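The two tricks described above, hidden bytes in the extension and an app bundle (a folder holding Contents/MacOS/) masquerading as a document, can both be spotted by inspecting entry names before anything is extracted or opened. The following script is an added example, not Trend Micro's code or a sample of the malware. The report does not identify the three unexpected bytes, so a zero-width space (U+200B, which is three bytes in UTF-8) is assumed here purely as a stand-in of the same length, and the archive it scans is constructed in memory for the demonstration.

```python
"""Flag Zip entries that hide bytes in their extension or carry an app
bundle layout under a non-.app directory name. Added example; the archive
contents and the zero-width-space stand-in are constructed assumptions."""
import io
import re
import unicodedata
import zipfile

# Assumed stand-in for the three hidden bytes: U+200B is e2 80 8b in UTF-8.
ZWSP = "\u200b"

# A "clean" extension is a plain run of ASCII letters, digits, '_' or '-'.
PLAIN_EXT = re.compile(r"[A-Za-z0-9_-]+$")


def hidden_bytes_before_extension(component: str):
    """Return the UTF-8 bytes found between the last '.' and the plain
    extension of one path component, or None if the extension is clean
    (e.g. 'report.docx' or 'archive.tar.gz')."""
    if "." not in component:
        return None
    ext = component.rsplit(".", 1)[1]
    if not ext or PLAIN_EXT.fullmatch(ext):
        return None
    tail = PLAIN_EXT.search(ext)          # the visible 'doc' at the end
    hidden = ext[: tail.start()] if tail else ext
    return hidden.encode("utf-8") or None


def describe(hidden: bytes) -> str:
    """Hex dump plus Unicode character names, so 'invisible' bytes get a name."""
    chars = hidden.decode("utf-8", "replace")
    names = [unicodedata.name(ch, "UNNAMED") for ch in chars]
    return f"{hidden.hex()} ({', '.join(names)})"


def scan_zip(data: bytes):
    """Inspect every entry name in a Zip archive (no extraction needed).
    Returns a list of (entry_name, reason) findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            parts = [p for p in name.split("/") if p]
            # Check 1: hidden bytes between '.' and the extension letters.
            for part in parts:
                hidden = hidden_bytes_before_extension(part)
                if hidden:
                    findings.append((name, f"hidden bytes before extension in "
                                           f"{part!r}: {describe(hidden)}"))
                    break
            # Check 2: <dir>/Contents/MacOS/... is an app bundle layout;
            # it is suspicious when <dir> does not end in .app.
            for i in range(len(parts) - 2):
                if parts[i + 1] == "Contents" and parts[i + 2] == "MacOS":
                    owner = parts[i]
                    if not owner.lower().endswith(".app"):
                        findings.append((name, f"app bundle layout under "
                                               f"non-.app directory {owner!r}"))
                    break
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample (not the real malware): a disguised bundle whose
    name hides a zero-width space, plus one benign-looking document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        bundle = f"ALL tim nha Chi Ngoc Canada.{ZWSP}doc"
        zf.writestr(f"{bundle}/Contents/Info.plist", "<plist/>")
        zf.writestr(f"{bundle}/Contents/MacOS/ALL tim nha Chi Ngoc Canada",
                    "#!/bin/sh\n")
        zf.writestr("quarterly report.docx", "benign placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in scan_zip(build_sample_archive()):
        print(f"{entry!r}: {reason}")
```

Python's repr() escapes non-printable characters, so the flagged name prints as '...Canada.\u200bdoc' even though Finder and a plain `ls` would show it as '...Canada.doc'. The same two checks work on a directory tree after extraction by walking the filesystem instead of the archive's name list.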
It is noteworthy that the new macOS backdoor capabilities are similar to those of the old OceanLotus sample.
In October, security researchers linked another piece of malware, known as Kraken, to the OceanLotus hackers. Because the malware's hard-coded command-and-control URL had already been taken down by the time the analysis took place, attributing the attack to a particular threat group was difficult. Even so, several elements of the Kraken attack are reminiscent of the Vietnamese group's tradecraft.
OceanLotus malware has been focused on compromising specific networks in targeted attack campaigns. The group conducts operations against corporate businesses and government agencies in Asian countries including Laos, Cambodia, Vietnam, and the Philippines.