Security Experts:

Connect with us

Hi, what are you looking for?



Vietnam-Linked Cyberspies Use New macOS Backdoor in Attacks

Trend Micro’s security researchers have identified a new macOS backdoor that they believe is used by the Vietnamese threat actor OceanLotus.

Trend Micro’s security researchers have identified a new macOS backdoor that they believe is used by the Vietnamese threat actor OceanLotus.

Also referred to as APT-C-00 and APT32, and believed to be well-resourced and determined, OceanLotus has been observed mainly targeting government and corporate entities in Southeast Asia. Earlier this year, the group engaged in COVID-19 espionage attacks targeting China.

Compared to previous malware variants associated with OceanLotus, the newly discovered sample shows similarities in dynamic behavior and code, clearly suggesting a link to the threat actor.

A document used in the campaign features a Vietnamese name, which has led researchers to believe that users from Vietnam have been targeted with the new malware.

The observed sample masquerades as a Word document but it is an app bundled in a ZIP archive, which features special characters in its name, in an attempt to evade detection.

The app bundle, Trend Micro explains, is seen by the operating system as an unsupported directory type, meaning that the ‘open’ command is used to execute it.

Within the app bundle, the security researchers discovered two files, namely a shell script that performs multiple malicious routines, and a Word file that is displayed during execution.

The shell script is responsible for deleting the file quarantine attribute for the files in the bundle and for removing the file quarantine attribute of files in the system, copying the Word document to a temp directory and opening it, extracting the second-stage binary and changing its access permissions, then deleting the malware app bundle and the Word document from the system.

As for the second stage payload, it is responsible for dropping a third-stage payload, creating persistence, changing the timestamp of the sample using the touch command, and deleting itself.

Featuring encrypted strings, the third-stage payload contains two main functions, for collecting and sending operating system information to the command and control (C&C) servers, for receiving additional communication information, and for performing backdoor activities.

Similar to older OceanLotus samples, the backdoor can perform various operations based on received commands: get file size, fetch and run file, remove/download/upload file, exit, run commands in the terminal, and get configuration information.

Trend Micro, which also analyzed some of the C&C domains used by the new sample, recommends that all organizations train employees to refrain from clicking on links or downloading attachments coming from suspicious sources, keeping operating systems and applications updated, and employing security solutions to stay protected.

Related: PhantomLance: Vietnamese Cyberspies Targeted Android Users for Years

Related: Vietnamese Hackers Mount COVID-19 Espionage Campaigns Against China

Related: Researchers Analyze Vietnamese Hackers’ Suite of RATs

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.