OceanLotus has been active since 2013 and has launched attacks against media, research, and construction companies. Recently, the group targeted Apple macOS users in a hacking operation.
The group used a backdoor (identified as Backdoor.MacOS.OCEANLOTUS.F), which is an updated version of their previous backdoor, and now it includes new behavior and domain names.
- The backdoor spreads via an application bundled in a Zip archive. It uses an icon of a Word document file to disguise itself, in an attempt to look like a legitimate document file.
- Another detection-evasion technique is adding special characters to its app bundle name. In addition, the application bundle contains two files: a shell script and a Word document.
- Once the app is executed, the backdoor launches a second-stage payload that drops a third-stage payload before erasing itself. The third-stage payload uses custom encryption.
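As an added defender-side example (not code from the original report), the following Python heuristic scans a Zip archive for app bundles showing the traits described above: special characters in the bundle name, a shell script inside the bundle, and a bundled Word document. The sample archive it builds is constructed, and the file-extension lists and the two-trait threshold are assumptions.

```python
import io
import re
import zipfile

# Heuristics for the bundle traits described above; thresholds are assumptions.
NON_PRINTABLE = re.compile(r"[^\x20-\x7e]")     # anything outside printable ASCII
WORD_EXT = (".doc", ".docx")
SHELL_EXT = (".sh", ".command")

def _bundle_root(member):
    """Return the 'Name.app' prefix of a zip member path, or None."""
    parts = member.split("/")
    for i, part in enumerate(parts):
        if part.endswith(".app"):
            return "/".join(parts[: i + 1])
    return None

def scan_zip(data):
    """Return {bundle: [reasons]} for every .app in the archive showing >= 2 traits."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            root = _bundle_root(info.filename)
            if root is None:
                continue
            reasons = findings.setdefault(root, set())
            if NON_PRINTABLE.search(root.rsplit("/", 1)[-1]):
                reasons.add("special characters in bundle name")
            if info.is_dir():
                continue
            lower = info.filename.lower()
            if lower.endswith(WORD_EXT):
                reasons.add("Word document inside bundle")
            with zf.open(info) as fh:
                head = fh.read(2)          # only the first two bytes are needed
            if lower.endswith(SHELL_EXT) or head == b"#!":
                reasons.add("shell script inside bundle")
    return {b: sorted(r) for b, r in findings.items() if len(r) >= 2}

def build_sample_zip():
    """Constructed sample: one lookalike bundle (zero-width space in its name,
    a shell script as the main executable, a decoy .docx) and one benign bundle."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        bad = "Report\u200b.app/Contents/"
        zf.writestr(bad + "MacOS/Report", "#!/bin/bash\necho placeholder\n")
        zf.writestr(bad + "Resources/Report.docx", "PK decoy placeholder")
        zf.writestr("Notes.app/Contents/MacOS/Notes", b"\xcf\xfa\xed\xfe")  # Mach-O magic
    return buf.getvalue()

if __name__ == "__main__":
    for bundle, reasons in scan_zip(build_sample_zip()).items():
        print(repr(bundle), reasons)
```

The benign bundle is dropped because it shows none of the traits; only the lookalike bundle is reported, with all three reasons.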
Other recent incidents
OceanLotus (aka APT32) has been very active for almost a year and several new revelations have been made by various research agencies in the past few weeks.
- A few weeks ago, the group was found targeting Vietnamese expatriates in Germany using tactics such as spear-phishing, watering holes, and others.
- The APT actor has been associated with a series of fake news websites and Facebook pages targeting victims with malicious software for the past year.
Threat actors are actively updating their older malware with new features and improving persistence capabilities. Thus, experts recommend that macOS users avoid clicking on links or downloading attachments from emails from unknown sources. In addition, regular patching of software and applications is suggested.