OceanLotus group adds updated macOS malware to its arsenal

• The latest release of the macOS malware saw several changes such as new C2 servers and an external file transfer library.
• Backdoor functions of the malware remained the same as evident in earlier versions except for a few modifications.

A new version of the macOS malware used by OceanLotus group has been identified by researchers from ESET. Security researcher Romain Dumont from ESET detailed their observations in a blog on Tuesday.

The latest version of the macOS malware was found sporting more features than its earlier versions. In fact, this version underwent a structural change and was harder to detect in infected systems.

Worth noting

• The C2 servers now used by the malware were created six months ago, as compared to older version which communicated with different C2 servers.
• Packets sent to the C2 server contained more information regarding the host machine.
• The new version also comes with an external library. But, this could not be studied in detail by the researchers since the dropper of this malware was not available.
• Just like previous variants, the strings in the malware were encrypted with AES-256-CBC with the CCCrypt function. However, the keys used for the encryption were changed.

Automation could unearth more

In the blog, Dumont also indicated that the decryption of this new OceanLotus malware could be automated which might reveal more about the malware.

“The (encryption) key has changed from previous versions but since the group is still using the same algorithm to encrypt strings, decryption could be automated. Along with this article, we are releasing an IDA script leveraging the Hex-Rays API to decrypt the strings present in the binary. This script may help future analysis of OceanLotus and the analysis of existing samples that we have not yet been able to obtain,” Dumont wrote.

Further technical analysis can be found in the ESET blog.