The OceanLotus group, active since 2013 and known for attacks on media, research, and construction companies, has recently turned to targeting Apple macOS users.
The threat group is using a backdoor (detected as Backdoor.MacOS.OCEANLOTUS.F) that is an updated version of its earlier macOS backdoor, with new behavior and new domain names.
- The backdoor is spread as an application bundle packed inside a Zip archive. To pass as a legitimate document, the app uses the icon of a Word document file.
- As a further evasion step, the app bundle's name contains special characters. The bundle itself contains two files: a shell script and a Word document.
- Once the app is run, the backdoor launches a second-stage payload, which drops a third-stage payload and then erases itself. The third-stage payload uses custom encryption.
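As a defender-side illustration of the delivery pattern described in the bullets above, here is an added example (not code from eScan or from the original write-up) that scans a Zip archive for app bundles matching two of the traits listed: a bundle name carrying characters outside printable ASCII, and a bundle that ships both a shell script and a Word document. The sample archive, the bundle name "Report.app" with a zero-width space inserted, and the paths inside the bundle are all constructed for the example; the write-up does not give the real names or layout.

```python
"""Heuristic scan of a Zip archive for macOS app bundles dressed up as documents."""
import io
import unicodedata
import zipfile

DOC_EXTS = (".doc", ".docx")
SHEBANGS = (b"#!/bin/sh", b"#!/bin/bash", b"#!/bin/zsh", b"#!/usr/bin/env")


def suspicious_chars(name):
    """Return the characters of a file name that fall outside printable ASCII
    (control and format codes such as zero-width spaces, homoglyphs, and so on)."""
    return [c for c in name if not (0x20 <= ord(c) < 0x7F)]


def scan_zip(data):
    """Inspect archive bytes and return a list of findings, one per suspicious .app bundle."""
    per_bundle = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # The bundle is the first path component ending in ".app".
            parts = info.filename.split("/")
            app = next((p for p in parts if p.lower().endswith(".app")), None)
            if app is None or info.is_dir():
                continue
            rec = per_bundle.setdefault(app, {"shell_script": False, "word_doc": False})
            if info.filename.lower().endswith(DOC_EXTS):
                rec["word_doc"] = True
            with zf.open(info) as fh:
                head = fh.read(64)
            # A text file opening with a shebang is treated as a shell script.
            if head.startswith(SHEBANGS):
                rec["shell_script"] = True

    findings = []
    for app, rec in per_bundle.items():
        reasons = []
        odd = suspicious_chars(app)
        if odd:
            names = ", ".join("U+%04X %s" % (ord(c), unicodedata.name(c, "?")) for c in odd)
            reasons.append("non-ASCII characters in bundle name: " + names)
        if rec["shell_script"] and rec["word_doc"]:
            reasons.append("bundle carries both a shell script and a Word document")
        if reasons:
            findings.append({"bundle": app, "reasons": reasons})
    return findings


def build_sample_zip():
    """Construct a synthetic archive modelled on the described layout.
    Everything here is a constructed placeholder, not a real artefact."""
    buf = io.BytesIO()
    # Constructed bundle name with a zero-width space (U+200B) after "Report",
    # standing in for the "special characters" the write-up mentions.
    app = "Report\u200b.app"
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"{app}/Contents/MacOS/Report",
                    "#!/bin/bash\n# constructed placeholder script, does nothing\n")
        zf.writestr(f"{app}/Contents/Resources/Report.doc", b"placeholder document bytes")
        # A benign-looking bundle with an ASCII name and no script/document pair.
        zf.writestr("Clean.app/Contents/MacOS/Clean", b"placeholder binary bytes")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample_zip()):
        print(finding["bundle"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Run against the constructed sample, only the bundle with the zero-width space is reported, with both reasons attached; the plain "Clean.app" bundle produces no finding. On real mail-gateway or endpoint telemetry the same two checks would run over the archive listing before a user ever double-clicks the disguised app.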
Other Notable Incidents
Several findings published by various research teams in the past few weeks show that OceanLotus, also known as APT32, has been very active over the last year.
- Only a few weeks ago, the group was found targeting Vietnamese expatriates in Germany using spear-phishing, watering-hole attacks, and other tactics.
- Over the past year, the APT actor has been linked to a series of fake news websites and Facebook pages that delivered malware to victims.
Threat actors keep updating their tooling and improving their persistence capabilities. Our internal experts therefore recommend that macOS users avoid clicking links or downloading attachments in emails from unknown sources, and that software and applications be patched regularly.
To read more, please check eScan Blog