|Col1|Home|Categories|Col4| |---|---|---|---| Search: #### Home Categories [Home » Targeted Attacks » New MacOS Backdoor Linked to OceanLotus Found](https://blog.trendmicro.com/trendlabs-security-intelligence/) #### Featured Stories # New MacOS Backdoor Linked to OceanLotus Found systemd Vulnerability Leads to Denial of Service on Linux **[Posted on: April 4, 2018](https://blog.trendmicro.com/trendlabs-security-intelligence/2018/04/)** at 9:00 am **[Posted in: Targeted Attacks](https://blog.trendmicro.com/trendlabs-security-intelligence/category/targeted_attacks/)** qkG Filecoder: Self-Replicating, Document- **[Author: Jaromir Horejsi (Threat Researcher)](https://blog.trendmicro.com/trendlabs-security-intelligence/author/jaromirh/)** Encrypting Ransomware We identified a MacOS backdoor (detected by Trend Micro as OSX_OCEANLOTUS.D) that we believe is the latest version of Mitigating CVE-2017-5689, an Intel Management Engine Vulnerability [a threat used by OceanLotus (a.k.a. APT 32, APT-C-00,](https://researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-backdoor-oceanlotus/) [SeaLotus, and Cobalt Kitty). OceanLotus was responsible for](https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/) [A Closer Look at North Korea’s Internet](http://blog.trendmicro.com/trendlabs-security-intelligence/a-closer-look-at-north-koreas-internet/) launching targeted attacks against human rights organizations, media organizations, research institutes, and maritime [From Cybercrime to Cyberpropaganda](http://blog.trendmicro.com/trendlabs-security-intelligence/from-cybercrime-to-cyberpropaganda/) construction firms. The attackers behind OSX_OCEANLOTUS.D target MacOS computers which have the Perl programming #### Security Predictions for 2018 language installed. The MacOS backdoor was found in a malicious Word document presumably distributed via email. The document bears the filename “2018-PHIẾU GHI DANH THAM DỰ TĨNH HỘI HMDC 2018.doc,” which translates to _“2018-REGISTRATION FORM OF HMDC ASSEMBLY 2018.doc.” The document claims to be a_ [registration form for an event with HDMC, an organization in Vietnam that advertises national](https://changevietnam.wordpress.com/2017/06/23/hmdc-thong-cao-bao-chi/) ----- users and enterprises to catch up with their security. [Read our security predictions for 2018.](https://www.trendmicro.com/vinfo/us/security/research-and-analysis/predictions/2018) #### Business Process Compromise _Figure 1. Graphic used by the malicious document_ Upon receiving the malicious document, the user is advised to enable macros. In our analysis, the Attackers are starting to invest in long- macro is obfuscated, character by character, using the decimal ASCII code. This is shown in the term operations that target specific processes enterprises rely on. They figure below. scout for vulnerable practices, susceptible systems and operational loopholes that they can leverage or abuse. To learn more, read our Security 101: Business Process Compromise. #### Recent Posts New MacOS Backdoor Linked to OceanLotus Found _Figure 2. Code snippet of the obfuscated document_ [Cryptocurrency Web Miner Script Injected into AOL](https://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-web-miner-script-injected-into-aol-advertising-platform/) After deobfuscation, we can see that the payload is written in the Perl programming language. It Advertising Platform extracts theme0.xml file from the Word document. theme0.xml is a Mach-O 32-bit executable with a 0xFEEDFACE signature that is also the dropper of the backdoor, which is the final payload. [ChessMaster Adds Updated Tools to Its Arsenal](https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-adds-updated-tools-to-its-arsenal/) _theme0.xml is extracted to /tmp/system/word/theme/syslogd before it’s executed._ Monero-Mining HiddenMiner Android Malware Can Potentially Cause Device Failure A Closer Look at Unpopular Software Downloads and the Risks They Pose to Organizations ----- Homemade Browser Targeting Banco do Brasil Users Campaign Possibly Connected to “MuddyWater” Surfaces in the Middle East and Central Asia Monero-Mining HiddenMiner Android Malware Can Potentially Cause Device Failure Cryptocurrency Miner Distributed via PHP Weathermap Vulnerability, Targets Linux Servers _Figure 3. Deobfuscated Perl payload from the delivery document_ [Tropic Trooper’s New Strategy](https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/) **_Dropper analysis_** #### Stay Updated The dropper is used to install the backdoor into the infected system and establish its persistence. Email Subscription Your email here Subscribe _Figure 4. The main function of the dropper_ All strings within the dropper, as well as the backdoor, are encrypted using a hardcoded RSA256 key. There are two forms of encrypted strings: an RSA256-encrypted string, and custom base64- encoded and RSA256-encrypted string. ----- _Figure 5. Hardcoded RSA256 key showing the first 20 characters_ Using the setStartup() method, the dropper first checks if it is running as a root or not. Based on that, the GET_PROCESSPATH and GET_PROCESSNAME methods will decrypt the hardcoded path and filename where the backdoor should be installed. The locations: For root user path: /Library/CoreMediaIO/Plug-Ins/FCP-DAL/iOSScreenCapture.plugin/Contents/Resources/ processname: screenassistantd For regular user path: ~/Library/Spelling/ processname: spellagentd Subsequently, it implements the Loader::installLoader method, reading the hardcoded 64-bit Mach-O executable (magic value 0xFEEDFACF), and writing to the previously determined path and file. ----- [to random values using the touch command: touch –t YYMMDDMM “/path/filename” > /dev/null.](https://www.mkssoftware.com/docs/man1/touch.1.asp) The access permissions will then be changed to 0x1ed = 755, which is equal to u=rwx,go=rx. _Figure 7. The magic value 0xFEEDFACF that belongs to Mach-O Executable (64 bit)_ _Methods GET_LAUNCHNAME and GET_LABELNAME will return the hardcoded name of the_ property list “.plist” for the root user (com.apple.screen.assistantd.plist) and for the regular user (com.apple.spell.agent.plist). Afterwards, the persistence file will be created in /Library/LaunchDaemons/ or _~/Library/LaunchAgents/ folder. The RunAtLoad key will command launchd to run the daemon_ when the operating system starts up, while the KeepAlive key will command launchd to let the process run indefinitely. This persistence file is also set to hidden with a randomly generated file date and time. _Figure 8. Property list with persistence settings_ ----- **_Backdoor analysis_** The main loop of the backdoor has two main functions, infoClient and runHandle. infoClient is reponsible for collecting OS info, submitting this info to its C&C servers (the servers are malicious in nature), and receiving additional C&C communication information. Meanwhile, runHandle is responsible for the backdoor capabilities. _Figure 9. The main functions of the backdoor_ _infoClient fills up the variables in HandlePP class._ _Figure 10. List of variables belonging to the HandlePP class_ _clientID is an MD5 hash derived from the environment variables, while strClientID is a hexadecimal_ representation of clientID. All strings below are encrypted via AES256 and base64 encoding. The _HandlePP::getClientID method uses the following environment variables:_ ----- _Figure 13. MAC address_ _Figure 14. Randomly generated UUID_ For the initial information packet, the backdoor also collects the following: _Figure 15. OS version_ Running getpwuid ->pw_name , scutil – -get ComputerName, and uname –m will provide the following returns respectively: Mac OSX 10.12. System Administrator ’s iMac x86_64 All these data are scrambled and encrypted before sending to the C&C server. The process is detailed below: 1. Scrambling Class Parser has several methods, one for each variable type – Parser::inBytes, Parser::inByte, _Parser::inString, and Parser::inInt._ _Figure 16. Parser::inBytes method_ If clientID equals the following sequence of bytes B4 B1 47 BC 52 28 28 73 1F 1A 01 6B FA 72 C0 73, then the scrambled version is computed using the third parameter (0x10), which is treated as a DWORD. Each quadruple of bytes is XOR-ed with it, as shown in example below. ----- Figure 17. Parser::inByte method When scrambling one byte, the scrambler first determines if the byte value is odd or even. If the value is odd, it adds the byte, along with one more randomly generated byte, to the array. In the case of an even value, the randomly generated byte is added first, followed by the byte being added. In the case above, the third parameter is ‘1’ = 0x31, which is an odd number. This means that it adds byte ‘1’ and one randomly generated byte to the final scrambled array. _Figure 18. Parser::inString method_ When scrambling a string, the scrambler generates a 5-byte long sequence. First, it generates one random byte, followed by three zero bytes, one random byte, and finally, the byte with the length of the string. Let’s say we want to scramble string ‘Mac OSX 10.12.’ Its length is 13 = 0x0d, and the two random bytes are 0xf3 and 0x92. The final 5-byte sequence looks like F3 00 00 00 92 0D. The original string is then XOR’ed with the 5-byte sequence. _Figure 19. Scrambling ‘Mac OSX 10.12’_ 2. Encryption The scrambled byte sequence is passed onto the constructor of the class Packet::Packet, which creates a random AES256 key and encrypts the buffer with this key. 3. Encoding the encryption key ----- _Figure 20. Function for scrambling AES256 key in the outgoing packet_ Some screenshots taken during scrambling and encryption process: _Figure 21. The highlighted bytes represent the scrambled computer info_ _Figure 22. Randomly generated AES256 key_ _Figure 23. Scrambled AES256 key (0xC1 XOR 0x13 = 0xD2, 0xD2 ROL 6 = 0xB4) etc.)_ _Figure 24. Computer info encrypted with AES256 key_ ----- _generated noise._ When the backdoor receives the response from the C&C server, the final payload needs to be decoded again in a similar manner via decryption and scrambling. Packet::getData decrypts the received payload and Converter::outString descrambles the result. The received data from the C&C server include the following information: _HandlePP::urlRequest (/appleauth/static/cssj/N252394295/widget/auth/app.css)_ _HandlePP::keyDecrypt_ _STRINGDATA::BROWSER_SESSION_ID (m_pixel_ratio)_ _STRINGDATA::RESOURCE_ID_ These data will be later used in the C&C communication, as shown in the Wireshark screenshot below. _Figure 26. Communication with the C&C server after the exchange of OS packet info_ Meanwhile, the runHandle method of the main backdoor loop will call for the requestServer method with the following backdoor commands (each command has one byte long code and is extracted by Packet::getCommand): _Figure 27. The getCommand method_ The figure below shows the example of two of several possible command codes. Both create one ----- _Figure 28. Commands used for downloading and executing, and running a command in terminal_ _Figure 29. Commands used in uploading and downloading file_ _Figure 30. Supported commands and their respective codes_ **_Mitigation_** Malicious attacks targeting Mac devices are not as common as its counterparts, but the discovery of this new MacOS backdoor that is presumably distributed via phishing email calls for every user [to adopt best practices for phishing attacks regardless of operating system.](http://www.trendmicro.com.ph/vinfo/ph/security/news/cybercrime-and-digital-threats/best-practices-identifying-and-mitigating-phishing-attacks) ----- across any user activity and any endpoint. **_Indicators of Compromise (IoCs)_** **C&C servers** Ssl[.]arkouthrie[.]com s3[.]hiahornber[.]com widget[.]shoreoa[.]com **SHA256** Delivery document (W2KM_OCEANLOTUS.A): 2bb855dc5d845eb5f2466d7186f150c172da737bfd9c7f6bc1804e0b8d20f22a Dropper (OSX_OCEANLOTUS.D): 4da8365241c6b028a13b82d852c4f0155eb3d902782c6a538ac007a44a7d61b4 Backdoor (OSX_OCEANLOTUS.D): 673ee7a57ba3c5a2384aeb17a66058e59f0a4d0cddc4f01fe32f369f6a845c8f ## Related Posts: **[Backdoor-carrying Emails Set Sights on Russian-speaking Businesses](https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses/)** **[SYSCON Backdoor Uses FTP as a C&C Channel](https://blog.trendmicro.com/trendlabs-security-intelligence/syscon-backdoor-uses-ftp-as-a-cc-channel/)** **[October macOS Patch Fixes FAT/USB Vulnerability](https://blog.trendmicro.com/trendlabs-security-intelligence/october-macos-patch-fixes-fatusb-vulnerability/)** **[OSX Malware Linked to Operation Emmental Hijacks User Network Traffic](https://blog.trendmicro.com/trendlabs-security-intelligence/osx_dok-mac-malware-emmental-hijacks-user-network-traffic/)** ----- Learn how to protect Enterprises, Small Businesses, and Home Users from ransomware: [ENTERPRISE](http://www.trendmicro.com/us/security-intelligence/enterprise-ransomware/index.html) » [SMALL BUSINESS](http://www.trendmicro.com/us/security-intelligence/small-business-ransomware/index.html) » [HOME](http://www.trendmicro.com/us/home/consumer-ransomware/index.html) » Tags: [MacOS backdoor](https://blog.trendmicro.com/trendlabs-security-intelligence/tag/macos-backdoor/) [OceanLotus](https://blog.trendmicro.com/trendlabs-security-intelligence/tag/oceanlotus/) ----- [HOME AND HOME OFFICE |](http://www.trendmicro.com/us/home/index.html) [FOR BUSINESS](http://www.trendmicro.com/us/business/index.html) | [SECURITY INTELLIGENCE |](http://www.trendmicro.com/us/security-intelligence/index.html) [ABOUT TREND MICRO](http://www.trendmicro.com/us/about-us/index.html) [Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣](http://www.trendmicro.com.au/au/home/index.html) [Latin America Region (LAR): Brasil, México](http://br.trendmicro.com/br/home/index.html) [North America Region (NABU): United States, Canada](http://www.trendmicro.com/us/index.html) [Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schw eiz, Italia, Россия, España, United Kingdom / Ireland](http://www.trendmicro.fr/) [Privacy Statement](http://www.trendmicro.com/us/about-us/legal-policies/privacy-statement/index.html) [Legal Policies](http://www.trendmicro.com/us/about-us/legal-policies/index.html) Copyright © 2018 Trend Micro Incorporated. All rights reserved. -----