
Vietnam-Linked Cyberspies Use New macOS Backdoor in Attacks

Trend Micro’s security researchers have identified a new macOS backdoor that they believe is used by the Vietnamese threat actor OceanLotus.

Also referred to as APT-C-00 and APT32, and believed to be well-resourced and determined, OceanLotus has been observed mainly targeting government and corporate entities in Southeast Asia. Earlier this year, the group engaged in COVID-19 espionage attacks targeting China.

Compared to previous malware variants associated with OceanLotus, the newly discovered sample shows similarities in dynamic behavior and code, clearly suggesting a link to the threat actor.

A document used in the campaign features a Vietnamese name, which has led researchers to believe that users from Vietnam have been targeted with the new malware.

The observed sample masquerades as a Word document, but it is actually an app bundle packed in a ZIP archive, with special characters in its name in an attempt to evade detection.

The app bundle, Trend Micro explains, is seen by the operating system as an unsupported directory type, meaning that the ‘open’ command is used to execute it.

Within the app bundle, the security researchers discovered two files, namely a shell script that performs multiple malicious routines, and a Word file that is displayed during execution.

The shell script removes the file quarantine attribute from the files in the bundle and from files elsewhere on the system, copies the Word document to a temporary directory and opens it, extracts the second-stage binary and changes its access permissions, and finally deletes the malware app bundle and the Word document from the system.
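As an added defender-side example (not code from the article or from Trend Micro's analysis), the Python script below applies the indicators described above to a ZIP archive during triage: an .app bundle whose name mimics a document, special (non-ASCII or control) characters in the bundle name, and a shell script as the bundle's main executable. The sample archive it builds is constructed for the demo; its bundle name, script body and the heuristics themselves are assumptions, not values from the real sample.

```python
"""Triage a ZIP archive for a macOS app bundle disguised as a document."""
import io
import zipfile

MACOS_DIR = ".app/Contents/MacOS/"
DOC_EXTS = (".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx")


def bundle_name(member):
    """Return the .app bundle directory name for a ZIP member path, or None."""
    for part in member.split("/"):
        if part.endswith(".app"):
            return part
    return None


def has_special_chars(name):
    """True if the name contains control or non-ASCII characters (heuristic)."""
    return any(ord(c) < 32 or ord(c) > 126 for c in name)


def inspect_zip(data):
    """Return a sorted list of findings for a ZIP archive given as bytes."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            app = bundle_name(info.filename)
            if app is None:
                continue
            stem = app[: -len(".app")]
            if stem.lower().endswith(DOC_EXTS):
                findings.add(f"{app}: bundle named like a document")
            if has_special_chars(app):
                findings.add(f"{app}: special characters in bundle name")
            # A shebang at the start of the main executable means the
            # bundle launches a shell script rather than a Mach-O binary.
            if MACOS_DIR in info.filename and not info.is_dir():
                if zf.read(info).lstrip()[:2] == b"#!":
                    findings.add(f"{info.filename}: main executable is a shell script")
    return sorted(findings)


def build_sample():
    """Constructed sample archive (assumed values, not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        app = "Tài liệu.doc.app"  # document-like name with non-ASCII characters
        zf.writestr(f"{app}/Contents/MacOS/{app[:-4]}", "#!/bin/bash\necho demo\n")
        zf.writestr(f"{app}/Contents/Resources/decoy.doc", "decoy document")
    return buf.getvalue()


if __name__ == "__main__":
    for line in inspect_zip(build_sample()):
        print(line)
```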


As for the second stage payload, it is responsible for dropping a third-stage payload, creating persistence, changing the timestamp of the sample using the touch command, and deleting itself.

Featuring encrypted strings, the third-stage payload has two main functions: collecting and sending operating system information to the command and control (C&C) servers while receiving additional communication information, and performing backdoor activities.

Similar to older OceanLotus samples, the backdoor can perform various operations based on received commands: get file size, fetch and run file, remove/download/upload file, exit, run commands in the terminal, and get configuration information.

Trend Micro, which also analyzed some of the C&C domains used by the new sample, recommends that all organizations train employees to refrain from clicking on links or downloading attachments from suspicious sources, keep operating systems and applications updated, and employ security solutions to stay protected.

Related: PhantomLance: Vietnamese Cyberspies Targeted Android Users for Years

Related: Vietnamese Hackers Mount COVID-19 Espionage Campaigns Against China

Related: Researchers Analyze Vietnamese Hackers’ Suite of RATs

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
