A new variant of the OceanLotus backdoor was detected by researchers at Palo Alto Networks through their WildFire cloud analysis platform. Palo Alto's Unit 42 reported that this new variant was developed by the same Vietnamese group that released its predecessor in 2015, and that it is one of the most sophisticated backdoors seen on macOS to date: it employs a decoy document, string encoding, custom binary protocol traffic with encryption, and a modularized backdoor, all while abstaining from using any revealing command-line utilities.
So, how does it work?
Using one of the oldest tricks in the book, the cybercriminals are distributing the backdoor as a zip file in an email attachment. Once extracted, the zip archive yields a directory containing what looks like a completely harmless Microsoft Word document but is in fact an application bundle that includes executable code.
Upon opening the "document", the Trojan is unleashed. The malware distracts the user by displaying a password-protected document, since the user did click on a document icon and expects to see one. It then establishes persistence by creating a Launch Agent that runs at host start-up and by copying itself to a different location under a different file name. Finally, the malware deletes the application bundle from the extracted path, leaving only the harmless decoy document, and launches itself as a service from the new directory.
The OceanLotus backdoor has maintained a low AV detection rate since its discovery in 2015; however, this iteration shows notable differences from its predecessor, such as the use of a decoy document to disguise the Trojan, a method more common among malware on Windows systems. The cybercriminals also use a customized binary protocol for communication instead of the usual web server traffic. They chose the well-known port 443, since its use for HTTPS connections makes it highly unlikely that firewalls will block it.
The authors of this backdoor iteration show a deep understanding of macOS. For a start, they were able to trick the OS into treating the folder containing the decoy document file as an application bundle despite its obvious .docx extension. More tellingly, they refrained from including command-line utilities or any suspicious strings. This serves two purposes: it hides their real motive, since there are no hints as to what the malware is doing to the victim, and it keeps the malware under the radar, since static analysis will make it appear less dubious than it really is.
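The two macOS tricks described above, a document-named folder that is really an application bundle and a Launch Agent that starts the copied program at login, both leave artifacts a defender can look for. The following Python script is an example added to this article (it is not Unit 42's tooling or code from the original report) showing simple triage checks for both. The sample directory listing, the LaunchAgent plist, every path in it and the label com.example.updater are constructed for the example, and the list of "trusted" program locations is a heuristic, not an authoritative allow-list.

```python
"""Defender-side triage heuristics for the macOS tricks described above:
a document-named directory that is really an application bundle, and a
Launch Agent that starts a program from an unusual location at login.
Example code added to this article; nothing here is Unit 42's tooling."""
import plistlib

# Document extensions a user expects to open as a file, never as a folder.
DOC_EXTENSIONS = (".docx", ".doc", ".pdf", ".xlsx", ".pptx", ".rtf")

# Directories where installed programs normally live (heuristic allow-list).
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/",
                    "/Applications/", "/Library/")


def find_document_named_bundles(paths):
    """Return the 'document' directories that actually hold an app bundle.

    `paths` is a flat listing of file paths (for example the output of `find`).
    A path component such as `Contract.docx` followed by `Contents/MacOS/...`
    means macOS will treat Contract.docx as an application bundle, which is
    exactly the disguise the article describes.
    """
    suspicious = set()
    for path in paths:
        parts = path.split("/")
        # The last two components can never be a bundle root with Contents/MacOS below.
        for i, part in enumerate(parts[:-2]):
            looks_like_doc = part.lower().endswith(DOC_EXTENSIONS)
            if looks_like_doc and parts[i + 1] == "Contents" and parts[i + 2] == "MacOS":
                suspicious.add("/".join(parts[: i + 1]))
    return sorted(suspicious)


def launch_agent_program(agent):
    """Resolve the program a launchd job will execute from its plist dict."""
    if agent.get("ProgramArguments"):
        return agent["ProgramArguments"][0]
    return agent.get("Program")


def is_suspicious_launch_agent(plist_bytes):
    """Flag a LaunchAgent plist that runs at login from an untrusted path.

    Returns (flagged, reason). Heuristic only: legitimate agents can also
    live under a user's home directory, so a hit is a lead, not a verdict.
    """
    agent = plistlib.loads(plist_bytes)
    program = launch_agent_program(agent)
    if not program:
        return False, "no program configured"
    runs_at_start = bool(agent.get("RunAtLoad")) or bool(agent.get("KeepAlive"))
    if not runs_at_start:
        return False, "does not start automatically"
    if program.startswith(TRUSTED_PREFIXES):
        return False, f"{program} lives in a standard location"
    return True, f"{program} runs at login from a non-standard location"


# Constructed sample listing of an extracted attachment, modelled on the article.
SAMPLE_LISTING = [
    "/Users/victim/Downloads/attachment/Contract.docx/Contents/Info.plist",
    "/Users/victim/Downloads/attachment/Contract.docx/Contents/MacOS/Contract",
    "/Users/victim/Downloads/attachment/Contract.docx/Contents/Resources/decoy.docx",
    "/Users/victim/Documents/real-report.docx",
]

# Constructed LaunchAgent plist pointing at a copy of the program under the
# user's home directory; the label and paths are invented for the example.
SAMPLE_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.updater</string>
    <key>ProgramArguments</key>
    <array><string>/Users/victim/Library/.hidden/updater</string></array>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    for bundle in find_document_named_bundles(SAMPLE_LISTING):
        print("document-named app bundle:", bundle)
    flagged, why = is_suspicious_launch_agent(SAMPLE_AGENT)
    print("launch agent flagged:", flagged, "-", why)
```

On a real host the listing would come from walking the user's Downloads and Desktop folders, and the plists from ~/Library/LaunchAgents; the point of the bundle check is that Finder shows a folder named Contract.docx with a document icon, while the path components reveal the Contents/MacOS layout that only an application bundle has.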
According to SC Magazine, the Vietnamese APT OceanLotus has been linked to various malicious campaigns in Vietnam targeting multiple Vietnamese and foreign-owned corporations in recent years. With the kind of sophistication and patience this group shows, all we can say for now is: be careful when downloading attachments, you never know what's hiding in there.