S0352 OSX_OCEANLOTUS.D
OSX_OCEANLOTUS.D is a MacOS backdoor with several variants that has been used by APT32.[1][2]
| Item | Value |
|---|---|
| ID | S0352 |
| Associated Names | Backdoor.MacOS.OCEANLOTUS.F |
| Type | MALWARE |
| Version | 2.2 |
| Created | 30 January 2019 |
| Last Modified | 14 January 2022 |
Associated Software Descriptions
| Name | Description |
|---|---|
| Backdoor.MacOS.OCEANLOTUS.F | [2] |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | OSX_OCEANLOTUS.D can use HTTP POST and GET requests to send and receive C2 information.[2] |
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.003 | Archive via Custom Method | OSX_OCEANLOTUS.D scrambles and encrypts data using AES256 before sending it to the C2 server.[1][2] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | OSX_OCEANLOTUS.D uses PowerShell scripts.[1] |
| enterprise | T1059.004 | Unix Shell | OSX_OCEANLOTUS.D uses a shell script as the main executable inside an app bundle and drops an embedded base64-encoded payload to the `/tmp` folder.[2][4] |
| enterprise | T1059.005 | Visual Basic | OSX_OCEANLOTUS.D uses Word macros for execution.[1] |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.001 | Launch Agent | OSX_OCEANLOTUS.D can create a persistence file in the folder `/Library/LaunchAgents`.[1][2] |
| enterprise | T1543.004 | Launch Daemon | If running with root permissions, OSX_OCEANLOTUS.D can create a persistence file in the folder `/Library/LaunchDaemons`.[1][4] |
| enterprise | T1005 | Data from Local System | OSX_OCEANLOTUS.D has the ability to upload files from a compromised host.[2] |
| enterprise | T1222 | File and Directory Permissions Modification | - |
| enterprise | T1222.002 | Linux and Mac File and Directory Permissions Modification | OSX_OCEANLOTUS.D has changed permissions of a second-stage payload to an executable via `chmod`.[4] |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.001 | Hidden Files and Directories | OSX_OCEANLOTUS.D sets the main loader file's attributes to hidden.[1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | OSX_OCEANLOTUS.D has a command to delete a file from the system. OSX_OCEANLOTUS.D deletes the app bundle and dropper after execution.[1][2] |
| enterprise | T1070.006 | Timestomp | OSX_OCEANLOTUS.D can use the `touch -t` command to change timestamps.[2][3] |
| enterprise | T1105 | Ingress Tool Transfer | OSX_OCEANLOTUS.D has a command to download and execute a file on the victim's machine.[1][2] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.004 | Masquerade Task or Service | OSX_OCEANLOTUS.D has disguised its app bundle by adding special characters to the filename and using the icon for legitimate Word documents.[2] |
| enterprise | T1027 | Obfuscated Files or Information | OSX_OCEANLOTUS.D encrypts its strings in RSA256 and encodes them in a custom base64 scheme and XOR.[1] |
| enterprise | T1027.002 | Software Packing | OSX_OCEANLOTUS.D has a variant that is packed with UPX.[5] |
| enterprise | T1553 | Subvert Trust Controls | - |
| enterprise | T1553.001 | Gatekeeper Bypass | OSX_OCEANLOTUS.D uses the command `xattr -d com.apple.quarantine` to remove the quarantine file attribute used by Gatekeeper.[2][3] |
| enterprise | T1082 | System Information Discovery | OSX_OCEANLOTUS.D collects processor information, memory information, computer name, hardware UUID, serial number, and operating system version. OSX_OCEANLOTUS.D has used the `ioreg` command to gather some of this information.[1][2][3] |
| enterprise | T1016 | System Network Configuration Discovery | OSX_OCEANLOTUS.D can collect the network interface MAC address on the infected host.[1][2] |
| enterprise | T1497 | Virtualization/Sandbox Evasion | - |
| enterprise | T1497.001 | System Checks | OSX_OCEANLOTUS.D has variants that check a number of system parameters, such as `sysctl hw.model`, to see if it is being run on real hardware or in a virtual machine environment.[5][3] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0050 | APT32 | [1][6] |
References
1. Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018.
2. Magisa, L. (2020, November 27). New MacOS Backdoor Connected to OceanLotus Surfaces. Retrieved December 2, 2020.
3. Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
4. Phil Stokes. (2020, December 2). APT32 Multi-stage macOS Trojan Innovates on Crimeware Scripting Technique. Retrieved September 13, 2021.
5. Dumont, R. (2019, April 9). OceanLotus: macOS malware update. Retrieved April 15, 2019.
6. Amnesty International. (2021, February 24). Vietnamese activists targeted by notorious hacking group. Retrieved March 1, 2021.