The OceanLotus group, also known as APT32 and APT-C-00, is infamous for its campaigns targeting the eastern part of Asia. It has been active since 2013 and has targeted media, research, and construction companies with backdoors. Recently, the group targeted Apple macOS users in a hacking operation.

What happened?

The group used an updated backdoor version (identified as Backdoor.MacOS.OCEANLOTUS.F) that includes new behavior and domain names.
  • The backdoor is delivered as an application bundled in a Zip archive. It uses the icon of a Word document file to disguise itself, although the bundled document is actually a legitimate document file.
  • It also adds special characters to its app bundle name to avoid detection. In addition, the application bundle contains two files: a shell script and a Word document.
  • Once the app is executed, the malware launches a second-stage payload (ALL tim nha Chi Ngoc canada doc/Contents/Resources/configureDefault.def), which in turn drops a third-stage payload before deleting itself.
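The two disguise tricks above (a bundle name padded with special characters, and a shell script shipped next to a decoy Word document inside the bundle) are easy to triage from an archive listing. The following script is an added defender-side example, not code from the original article or from any vendor report; the archive entries, the bundle names and the zero-width space used as the "special character" are all constructed, and treating any non-printable or non-ASCII character in a bundle name as suspicious is this example's own heuristic, which also generalizes beyond the single bundle name the article cites.

```python
from __future__ import annotations
import unicodedata
from pathlib import PurePosixPath

# Constructed zip listing (path -> first bytes); not taken from the article.
ZW = "\u200b"  # zero-width space, stand-in for the "special characters"
SAMPLE_ENTRIES = {
    f"Decoy{ZW}.app/Contents/Info.plist": b"<plist/>",
    f"Decoy{ZW}.app/Contents/MacOS/launcher": b"#!/bin/sh\necho hi\n",
    f"Decoy{ZW}.app/Contents/Resources/decoy.docx": b"PK\x03\x04",
    "Notes.app/Contents/MacOS/Notes": b"\xcf\xfa\xed\xfe",  # Mach-O magic
}


def suspicious_chars(name: str) -> list[str]:
    """Unicode names of characters outside printable ASCII in a bundle name
    (zero-width, bidi-override and other format characters, or any
    non-ASCII code point), which legitimate app names rarely contain."""
    return [unicodedata.name(ch, f"U+{ord(ch):04X}")
            for ch in name if not (ch.isascii() and ch.isprintable())]


def bundle_name(path: str) -> str | None:
    """Top-level .app directory of an archive path, or None if not a bundle."""
    parts = PurePosixPath(path).parts
    return parts[0] if parts and parts[0].endswith(".app") else None


def triage(entries: dict[str, bytes]) -> dict[str, list[str]]:
    """Group archive entries by .app bundle and return findings per bundle."""
    by_bundle: dict[str, dict[str, bytes]] = {}
    for path, data in entries.items():
        if (b := bundle_name(path)) is not None:
            by_bundle.setdefault(b, {})[path] = data
    findings: dict[str, list[str]] = {}
    for b, files in by_bundle.items():
        hits = []
        if odd := suspicious_chars(b):
            hits.append("bundle name contains " + ", ".join(odd))
        scripts = [p for p, d in files.items() if d.startswith(b"#!")]
        docs = [p for p in files
                if PurePosixPath(p).suffix.lower() in {".doc", ".docx"}]
        if scripts and docs:  # script + decoy document in one bundle
            hits.append(f"shell script {scripts[0]} next to document {docs[0]}")
        findings[b] = hits
    return findings


if __name__ == "__main__":
    for bundle, hits in triage(SAMPLE_ENTRIES).items():
        print(repr(bundle), hits or ["no findings"])
```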

Other recent incidents

OceanLotus (aka APT32) has been very active for almost a year, and several new revelations have been made by various research agencies in the past few weeks.
  • A few weeks ago, the group targeted Vietnamese expatriates in Germany using tactics such as spear-phishing and watering holes, among others.
  • The APT actor has been targeting victims with malicious software over the past year. It is associated with a series of fake news websites and Facebook pages.

Conclusion

Threat actors are actively improving their persistence capabilities with updated malware and new features. Thus, experts recommend that macOS users check the source of links before clicking them or downloading attachments from emails. If the source is unknown, it is better to avoid it. In addition, regular patching of software and applications is suggested.
Anirban Roy
Anirban Roy is a Certified Ethical Hacker and Cyber Security Expert, Cisco networking certified, and the Founder & CEO of Techgen Cyber Solution Pvt. Ltd. He has more than 5 years of professional experience in the field, has worked with government officials on solving cyber crimes, and has secured many different corporate organizations.