Trend Micro researchers have identified a new macOS backdoor that they believe is used by the Vietnamese hacking group OceanLotus.
The group, also known as APT-C-00 and APT32, mainly targets governments and companies in Southeast Asia. Earlier this year the group ran COVID-19-themed espionage campaigns against China.
The new macOS backdoor shares several features (in code and behavior) with other OceanLotus malware, which indicates that it is indeed tied to this group.
The sample the researchers observed is presented as a Word document, but it is actually an application bundle packed inside a ZIP file, and the bundle's name contains special characters in an attempt to evade detection.
According to Trend Micro, the operating system treats the app bundle as an unsupported directory type, and the "open" command is used to launch it.
Inside the app bundle the researchers found two files: a shell script that performs most of the malicious work and a Word document that is displayed when the bundle runs.
The shell script handles several tasks: it removes the quarantine file attribute from the bundle's files and from the system, copies the Word document to a temporary directory and opens it, and extracts a second-stage binary. It then changes the file permissions and deletes the malicious app bundle and the Word document from the system.
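As an added, defender-side example (not Trend Micro's code and not taken from the sample), the following script inspects a ZIP archive for the traits the article describes: an app bundle whose top-level name mimics a Word document, special or non-printing characters in entry names, and a shell script under Contents/MacOS that references the quarantine attribute. The archive it builds is constructed for the demonstration; the file names and script text are placeholders, not indicators from the real campaign.

```python
import io
import re
import zipfile

DOC_LOOKALIKE = re.compile(r"\.docx?", re.IGNORECASE)


def odd_chars(name):
    """Characters rarely found in legitimate file names: controls, format chars, non-ASCII."""
    return [f"U+{ord(c):04X}" for c in name if ord(c) < 0x20 or ord(c) > 0x7E]


def inspect_zip_bytes(data):
    """Collect bundle-disguise indicators from an archive held in memory."""
    findings = {"app_bundles": [], "doc_lookalikes": [], "odd_names": {},
                "shell_scripts": [], "quarantine_refs": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            top = name.split("/")[0]
            if top.lower().endswith(".app") and top not in findings["app_bundles"]:
                findings["app_bundles"].append(top)
                if DOC_LOOKALIKE.search(top[:-4]):      # ".doc" hidden before ".app"
                    findings["doc_lookalikes"].append(top)
            if odd_chars(name):
                findings["odd_names"][name] = odd_chars(name)
            if "/Contents/MacOS/" in name and not info.is_dir():
                head = zf.read(name)[:4096]            # a bundle "binary" that is a script
                if head.startswith(b"#!"):
                    findings["shell_scripts"].append(name)
                    if b"quarantine" in head:           # script touches the quarantine xattr
                        findings["quarantine_refs"].append(name)
    return findings


def is_suspicious(findings):
    """Flag an app bundle that poses as a document, hides odd characters, or strips quarantine."""
    return bool(findings["app_bundles"]) and bool(
        findings["doc_lookalikes"] or findings["odd_names"] or findings["quarantine_refs"])


def build_sample_zip():
    """Constructed archive laid out like the bundle the article describes (not the real sample)."""
    root = "Invoice.doc\u200b.app"   # zero-width space: invisible in Finder, present in bytes
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"{root}/Contents/Info.plist", "<plist/>")
        zf.writestr(f"{root}/Contents/MacOS/Invoice",
                    "#!/bin/sh\n# placeholder stage-1 script: strips com.apple.quarantine, opens decoy\n")
        zf.writestr(f"{root}/Contents/Resources/Invoice.doc", b"\xd0\xcf\x11\xe0")  # decoy stub
    return buf.getvalue()


def build_benign_zip():
    """Constructed control archive with an ordinary document for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.docx", b"PK")
    return buf.getvalue()
```

Running `inspect_zip_bytes(build_sample_zip())` reports the lookalike bundle, the U+200B in every entry name and the quarantine reference, while the benign archive yields no findings.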
The second-stage payload installs a third payload, establishes persistence on the infected system, changes the sample's timestamp with the touch command, and then deletes itself.
The third payload contains two core functions: collecting operating system information and sending it to the C&C servers, retrieving additional communication information, and carrying out backdoor activities.
Like earlier OceanLotus malware, this macOS backdoor performs various operations based on the commands it receives: getting a file's size, downloading and executing a file, removing, downloading or uploading a file, exiting, running a command, and downloading configuration information.
Trend Micro recommends that organizations train their employees not to open links or attachments from suspicious sources, keep systems and applications regularly updated, and use reliable security software.
Source: Security Week