We recently discovered a new backdoor we believe to be related to the OceanLotus group. Some of the updates of this new variant (detected by Trend Micro as Backdoor.MacOS.OCEANLOTUS.F) include new behaviour and domain names. As of writing, this sample is still undetected by other antimalware solutions.
Due to similarities in dynamic behaviour and code with previous OceanLotus samples, it was confirmed to be a variant of the said malware.
OceanLotus was responsible for targeted attacks against organisations from industries such as media, research, and construction. Recently they have also been discovered by researchers from Volexity to be using malicious websites to propagate malware.
The attackers behind this sample are suspected to target users from Vietnam since the document’s name is in Vietnamese and the older samples targeted the same region before.
Arrival
The sample arrives as an app bundled in a Zip archive. It uses the icon for a Word document file as a disguise, attempting to pass itself off as a legitimate document file.
Another technique it uses to evade detection is adding special characters to its app bundle name. When a user looks for the fake doc folder via the macOS Finder app or the terminal command line, the folder's name shows "ALL tim nha Chi Ngoc Canada.doc" (“tìm nhà Chị Ngọc” roughly translates to “find Mrs. Ngoc’s house”). However, checking the original Zip file that contains the folder shows 3 unexpected bytes between "." and "doc".
The 3 bytes "efb880" is in UTF-8 encoding. According to UTF-8 mapping, the related Unicode code is "U+FE00".
Code point |
First byte |
Second byte |
Third byte |
Fourth byte |
U+0000 to U+007F |
0xxxxxxx |
|
|
|
U+0080 to U+07FF |
110xxxxx |
10xxxxxx |
|
|
U+0800 to U+FFFF |
1110xxxx |
10xxxxxx |
10xxxxxx |
|
U+10000 to U+10FFFF |
11110xxx |
10xxxxxx |
10xxxxxx |
10xxxxxx |
Table 1. UTF-8 mapping
"U+FE00" is a special Unicode control character with name variation selector-1, which provides the visual appearance of a CJK compatibility ideograph. In this case, the preceding character is the general character ".", so the variation selector does not change the visual appearance.
The operating system sees the app bundle as an unsupported directory type, so as a default action the “open” command is used to execute the malicious app. Otherwise, if the postfix is.doc without special characters, Microsoft Word is called to open the app bundle as a document; but since it is not a valid document, the app fails to open it.
Here is the code signing information for the app bundle sample.
The app bundle contains two notable files:
- ALL tim nha Chi Ngoc Canada: The shell script containing the main malicious routines
- configureDefault.def: The word file displayed during execution
When the shell script was run, it performed the following routines:
1) Delete the file quarantine attribute for the files in "*ALL tim nha Chi Ngoc Canada.?doc*”
2) Attempt to remove file quarantine attribute of the files in the system.
3) Copy "ALL tim nha Chi Ngoc Canada.?doc/Contents/Resources/configureDefault.def(doc)" to "/tmp/ALL tim nha Chi Ngoc Canada.doc(doc)"
4) Open "/tmp/ALL tim nha Chi Ngoc Canada.doc(doc)"
5) Extract the b64-encoded fat binary to "ALL tim nha Chi Ngoc Canada.?doc/Contents/Resources/configureDefault.def(fat - binary)", which is the second-stage payload
6) Change access permission of second-stage payload to execute the launch of the second-stage payload
7) Delete the malware app bundle "ALL tim nha Chi Ngoc Canada.?doc"
8) Copy "/tmp/ALL tim nha Chi Ngoc Canada.doc(doc)" to "{execution directory}/ALL tim nha Chi Ngoc Canada.doc"
9) Delete "/tmp/ALL tim nha Chi Ngoc Canada.doc"
Second-stage payload
When executed, the second stage payload (ALL tim nha Chi Ngoc Canada.?doc/Contents/Resources/configureDefault.def) performs the following malware routines:
1) Drop third-stage payload to ~/Library/User Photos/mount_devfs
2) Create persistence for the sample by creating ~/Library/LaunchAgents/com.apple.marcoagent.voiceinstallerd.plist
3) Use the touch command to change the timestamp of the sample
4) Delete itself
Third-stage payload
In the third-stage payload (~/Library/User Photos/mount_devfs), the strings are encrypted with custom encryption using base64 encoding and byte manipulation.
Like older versions of the OceanLotus backdoor, the new version contains two main functions: one for collecting operating system information and submitting this to its malicious C&C servers and receiving additional C&C communication information, and another for the backdoor capabilities.
It collects the following information from the infected system by invoking the following commands:
Command |
Description |
system_profiler SPHardwareDataType 2>/dev/null | awk '/Processor / {split($0,line,\":\"); printf(\"%s\",line[2]);}' |
Get processor information |
15f20 = system_profiler SPHardwareDataType 2>/dev/null | awk '/Memory/ {split($0,line, \":\"); printf(\"%s\", line[2]);}'
|
Get memory information
|
ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformSerialNumber/ { split($0, line, \"\\\"\"); printf(\"%s\", line[4]); }
|
Get serial number
|
ifconfig -l ifconfig <device> | awk '/ether /{print $2}' 2>&1
|
Get network interface MAC addresses
|
Table 2. OceanLotus commands and descriptions
The collected information is encrypted and sent to the malware C&C server.
It also receives commands from the same server.
Here are the C&C servers used by the malware:
- mihannevis[.]com
- mykessef[.]com
- idtpl[.]org
The new variant’s backdoor capabilities are similar to those of the old OceanLotus sample, as detailed in the code excerpts below:
Below are the supported commands and their respective codes (taken from an earlier blog post that covered OceanLotus).
0x33 |
Get file size |
0xe8 |
Exit |
0xa2 |
Download and execute a file |
0xac |
Run command in terminal |
0x48 |
Remove file |
0x72 |
Upload file |
0x23 |
Download file |
0x3c |
Download file |
0x07 |
Get configuration info |
0x55 |
Empty response, heartbeat packet |
Table 3. Supported commands and their respective codes
Details about C&C domain names
According to its Google and Whois history, the mihannevis[.]com domain was used to host other websites in the past before it was changed to a C&C server around the end of August 2020.
In VirusTotal, some related URL queries appeared at the end of August.
The domain "mykessef[.]com" was used for the C&C server earlier.
The domain name "idtpl[.]org" was registered three years ago, and there was no update history. According to Whois lookup, its register expired at the end of March 2020.
But from the middle of July 2020, its IP address changed to 185[.]117[.]88[.]91.
Recommendations
Threat groups such as OceanLotus are actively updating malware variants in attempts to evade detection and improve persistence. The following best practices can be applied to defend against malware:
- Never click links or download attachments from emails coming from suspicious sources
- Regularly patch and update software and applications
- Use security solutions suitable for your operating system
To protect systems operating on macOS, we recommend Trend Micro Home Security for Mac, which offers comprehensive and multi-device protection against malware and other cyberthreats.
Indicators of Compromise
SHA-256 |
Filename/Description |
Trend Micro Pattern Detection |
cfa3d506361920f9e1db9d8324dfbb3a9c79723e702d70c3dc8f51825c171420 |
ALL%20tim%20nha%20Chi%20Ngoc%20Canada.zip |
Backdoor.MacOS.OCEANLOTUS.F |
48e3609f543ea4a8de0c9375fa665ceb6d2dfc0085ee90fa22ffaced0c770c4f |
ALL tim nha Chi Ngoc Canada |
Backdoor.SH.OCEANLOTUS.F |
05e5ba08be06f2d0e2da294de4c559ca33c4c28534919e5f2f6fc51aed4956e3 |
2nd stage fat binary |
Backdoor.MacOS.OCEANLOTUS.F |
fd7e51e3f3240b550f0405a67e98a97d86747a8a07218e8150d2c2946141f737 |
3rd stage fat binary |
Backdoor.MacOS.OCEANLOTUS.F |
Domains
- mihannevis[.]com
- mykessef[.]com
- idtpl[.]org
MITRE TTP
Tactic |
ID |
Name |
Description |
Defense Evasion |
File Deletion |
The app bundle and dropper delete themselves after execution |
|
Linux and Mac File and Directory Permissions Modification |
The backdoor changes the permission of the file it wants to execute to +x |
||
Obfuscated Files or Information |
Readable strings were encrypted |
||
Masquerading: Match Legitimate Name or Location |
The app bundle is disguised as a doc file to trick users into executing it |
||
Indicator Removal on Host: Timestomp |
The backdoor modifies the date and time of the dropped files using the “touch” command |
||
Discovery |
System Information Discovery |
The backdoor collects various information to send to the C&C server |
|
Collection |
Archive Collected Data: Archive via Custom Method |
The backdoor encrypts the data before exfiltration |
|
Command and Control |
Non-Application Layer Protocol |
Like previous samples, performs backdoor routines based on C&C data |