S0352 OSX_OCEANLOTUS.D
OSX_OCEANLOTUS.D is a macOS backdoor used by APT32. First discovered in 2015, it has since been improved by APT32 through a plugin architecture that extends its capabilities, specifically using .dylib files. OSX_OCEANLOTUS.D can also determine its permission level and execute according to access type (root or user). [1][2][3]
| Item | Value |
|---|---|
| ID | S0352 |
| Associated Names | Backdoor.MacOS.OCEANLOTUS.F |
| Type | MALWARE |
| Version | 3.1 |
| Created | 30 January 2019 |
| Last Modified | 11 April 2024 |
Associated Software Descriptions
| Name | Description |
|---|---|
| Backdoor.MacOS.OCEANLOTUS.F | [3] |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | OSX_OCEANLOTUS.D can also use HTTP POST and GET requests to send and receive C2 information. [3] |
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.002 | Archive via Library | OSX_OCEANLOTUS.D scrambles and encrypts data using AES256 before sending it to the C2 server. [2][3] |
| enterprise | T1560.003 | Archive via Custom Method | OSX_OCEANLOTUS.D has used AES in CBC mode to encrypt collected data when saving that data to disk. [1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | OSX_OCEANLOTUS.D uses PowerShell scripts. [2] |
| enterprise | T1059.004 | Unix Shell | OSX_OCEANLOTUS.D uses a shell script as the main executable inside an app bundle and drops an embedded base64-encoded payload to the /tmp folder. [3][4] |
| enterprise | T1059.005 | Visual Basic | OSX_OCEANLOTUS.D uses Word macros for execution. [2] |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.001 | Launch Agent | OSX_OCEANLOTUS.D can create a persistence file in the folder /Library/LaunchAgents. [2][3] |
| enterprise | T1543.004 | Launch Daemon | If running with root permissions, OSX_OCEANLOTUS.D can create a persistence file in the folder /Library/LaunchDaemons. [2][4] |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | OSX_OCEANLOTUS.D has used zlib to compress all data after 0x52 for the custom TCP C2 protocol. [1] |
| enterprise | T1005 | Data from Local System | OSX_OCEANLOTUS.D has the ability to upload files from a compromised host. [3] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | OSX_OCEANLOTUS.D uses a decode routine combining bit shifting and XOR operations with a variable key that depends on the length of the string that was encoded. If the computation for the variable XOR key turns out to be 0, the default XOR key of 0x1B is used. This routine is also referenced as the rotate function in reporting. [1] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | OSX_OCEANLOTUS.D encrypts data sent back to the C2 using AES in CBC mode with a null initialization vector (IV) and a key sent from the server that is padded to 32 bytes. [1] |
| enterprise | T1222 | File and Directory Permissions Modification | - |
| enterprise | T1222.002 | Linux and Mac File and Directory Permissions Modification | OSX_OCEANLOTUS.D has changed permissions of a second-stage payload to an executable via chmod. [4] |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.001 | Hidden Files and Directories | OSX_OCEANLOTUS.D sets the main loader file’s attributes to hidden. [2] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | OSX_OCEANLOTUS.D has a command to delete a file from the system. OSX_OCEANLOTUS.D deletes the app bundle and dropper after execution. [2][3][1] |
| enterprise | T1070.006 | Timestomp | OSX_OCEANLOTUS.D can use the touch -t command to change timestamps. [3][6] |
| enterprise | T1105 | Ingress Tool Transfer | OSX_OCEANLOTUS.D has a command to download and execute a file on the victim’s machine. [2][3] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.004 | Masquerade Task or Service | OSX_OCEANLOTUS.D uses file naming conventions with associated executable locations to blend in with the macOS TimeMachine and OpenSSL services. For example, it names a LaunchAgent plist file com.apple.openssl.plist that executes OSX_OCEANLOTUS.D from the user’s ~/Library/OpenSSL/ folder upon user login. [1] |
| enterprise | T1036.008 | Masquerade File Type | OSX_OCEANLOTUS.D has disguised its true file structure as an application bundle by adding special characters to the filename and using the icon for legitimate Word documents. [3] |
| enterprise | T1095 | Non-Application Layer Protocol | OSX_OCEANLOTUS.D has used a custom binary protocol over port 443 for C2 traffic. [1] |
| enterprise | T1571 | Non-Standard Port | OSX_OCEANLOTUS.D has used a custom binary protocol over TCP port 443 for C2. [1] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.002 | Software Packing | OSX_OCEANLOTUS.D has a variant that is packed with UPX. [5] |
| enterprise | T1027.013 | Encrypted/Encoded File | OSX_OCEANLOTUS.D encrypts its strings in RSA256 and encodes them in a custom base64 scheme and XOR. [2] |
| enterprise | T1129 | Shared Modules | For network communications, OSX_OCEANLOTUS.D loads a dynamic library (.dylib file) using dlopen() and obtains a function pointer to execute within that shared library using dlsym(). [1] |
| enterprise | T1553 | Subvert Trust Controls | - |
| enterprise | T1553.001 | Gatekeeper Bypass | OSX_OCEANLOTUS.D uses the command xattr -d com.apple.quarantine to remove the quarantine file attribute used by Gatekeeper. [3][6] |
| enterprise | T1082 | System Information Discovery | OSX_OCEANLOTUS.D collects processor information, memory information, computer name, hardware UUID, serial number, and operating system version. OSX_OCEANLOTUS.D has used the ioreg command to gather some of this information. [2][3][6] |
| enterprise | T1016 | System Network Configuration Discovery | OSX_OCEANLOTUS.D can collect the network interface MAC address on the infected host. [2][3] |
| enterprise | T1497 | Virtualization/Sandbox Evasion | - |
| enterprise | T1497.001 | System Checks | OSX_OCEANLOTUS.D checks a number of system parameters to see if it is being run on real hardware or in a virtual machine environment, such as sysctl hw.model and the kernel boot time. [1][5][6] |
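A hunt for the launchd persistence pattern described in the T1543.001, T1543.004 and T1036.004 rows above, written as an added example for this page and not taken from ATT&CK or any vendor tool: it flags com.apple.* labelled items whose program lives outside Apple-owned paths or under a ~/Library/OpenSSL/ style folder, first on constructed sample plists and then on the real persistence folders. The Apple-owned path prefixes, the folder list and the sample values are assumptions.

```python
import plistlib
from pathlib import Path
from typing import Dict, List

# Assumption: paths a genuine com.apple.* launchd item is expected to execute from.
APPLE_OWNED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")
SUSPECT_DIR_FRAGMENTS = ("/Library/OpenSSL/",)  # user-writable folder named on the page

def assess(plist: dict, origin: str) -> List[str]:
    """Return findings for one parsed launchd plist; an empty list means clean."""
    findings: List[str] = []
    args = plist.get("ProgramArguments") or []
    prog = str(plist.get("Program") or (args[0] if args else ""))  # executable launchd runs
    label = str(plist.get("Label", ""))
    if label.startswith("com.apple.") and prog and not prog.startswith(APPLE_OWNED_PREFIXES):
        findings.append(f"{origin}: Apple-style label {label!r} runs non-Apple path {prog!r}")
    if any(frag in prog for frag in SUSPECT_DIR_FRAGMENTS):
        findings.append(f"{origin}: program lives under a user-writable OpenSSL folder: {prog!r}")
    if findings and plist.get("RunAtLoad"):
        findings.append(f"{origin}: suspicious item also runs at login/boot (RunAtLoad)")
    return findings

def scan_bytes(items: Dict[str, bytes]) -> List[str]:
    """Scan {path: raw plist bytes}; malformed files are reported, not fatal."""
    results: List[str] = []
    for origin, raw in items.items():
        try:
            plist = plistlib.loads(raw)
        except Exception as exc:  # not an XML/binary plist, truncated, etc.
            results.append(f"{origin}: could not parse plist ({exc})")
            continue
        results.extend(assess(plist, origin))
    return results

def scan_launchd_dirs(dirs=("/Library/LaunchAgents", "/Library/LaunchDaemons",
                            "~/Library/LaunchAgents")) -> List[str]:
    """Read every *.plist in the persistence folders the page names and scan them."""
    files = {str(f): f.read_bytes() for d in dirs for f in Path(d).expanduser().glob("*.plist")}
    return scan_bytes(files)

# Constructed samples: one modelled on the masquerading the page describes, one benign.
SAMPLE_BAD = plistlib.dumps({"Label": "com.apple.openssl", "RunAtLoad": True,
                             "ProgramArguments": ["/Users/alice/Library/OpenSSL/openssl"]})
SAMPLE_OK = plistlib.dumps({"Label": "com.apple.example", "RunAtLoad": True,
                            "ProgramArguments": ["/usr/libexec/example"]})

if __name__ == "__main__":
    for line in scan_bytes({"bad.plist": SAMPLE_BAD, "ok.plist": SAMPLE_OK}) + scan_launchd_dirs():
        print(line)
```

Treat a hit as a lead for triage (verify the binary's code signature and the plist's creation time), not as a verdict: third-party software occasionally installs items with an Apple-style label.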
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0050 | APT32 | [2][7] |
References
1. Erye Hernandez and Danny Tsechansky. (2017, June 22). The New and Improved macOS Backdoor from OceanLotus. Retrieved September 8, 2023.
2. Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018.
3. Magisa, L. (2020, November 27). New MacOS Backdoor Connected to OceanLotus Surfaces. Retrieved December 2, 2020.
4. Phil Stokes. (2020, December 2). APT32 Multi-stage macOS Trojan Innovates on Crimeware Scripting Technique. Retrieved September 13, 2021.
5. Dumont, R. (2019, April 9). OceanLotus: macOS malware update. Retrieved April 15, 2019.
6. Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
7. Amnesty International. (2021, February 24). Vietnamese activists targeted by notorious hacking group. Retrieved March 1, 2021.