New MacOS Backdoor Connected to OceanLotus Surfaces
By By: Luis Magisa, Steven Du Nov 27, 2020 Read time: 5 min (1439 words)
Published: 2020-11-27 · Archived: 2026-04-05 14:37:57 UTC
We recently discovered a new backdoor we believe to be related to the OceanLotus group. Some of the updates of this new
variant include new behavior and domain names.
We recently discovered a new backdoor we believe to be related to the OceanLotus group. Some of the updates of this new
variant (detected by Trend Micro as Backdoor.MacOS.OCEANLOTUS.F) include new behavior and domain names. As of
writing, this sample is still undetected by other antimalware solutions.
Due to similarities in dynamic behavior and code with previous OceanLotus samples, it was confirmed to be a variant of the
said malware. 
Figures 1-2. Comparison of old OceanLotus sample (above) with the latest OceanLotus sample (below)
OceanLotus was responsible for targeted attacks against organizations from industriesopen on a new tab such as media,
research, and construction. Recently they have also been discovered by researchers from Volexity to be using malicious
websitesopen on a new tab to propagate malware.
The attackers behind this sample are suspected to target users from Vietnam since the document’s name is in Vietnamese and
the older samples targeted the same region before.
Arrival
The sample arrives as an app bundled in a Zip archive. It uses the icon for a Word document file as a disguise, attempting to
pass itself off as a legitimate document file.
https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html
Page 1 of 9

Figure 3. The sample’s file name, icon, and app bundle structure
Another technique it uses to evade detection is adding special characters to its app bundle name. When a user looks for the
fake doc folder via the macOS Finder app or the terminal command line, the folder's name shows "ALL tim nha Chi Ngoc
Canada.doc" (“tìm nhà Chị Ngọc” roughly translates to “find Mrs. Ngoc’s house”). However, checking the original Zip file
that contains the folder shows 3 unexpected bytes between "." and "doc".
Figure 4. Special character between ‘.’ and ‘doc’ as viewed inside the zip archive.
The 3 bytes "efb880" is in UTF-8 encoding. According to UTF-8 mapping, the related Unicode code is "U+FE00".
Code point First byte Second byte Third byte Fourth byte
U+0000 to U+007F 0xxxxxxx
U+0080 to U+07FF 110xxxxx 10xxxxxx
U+0800 to U+FFFF 1110xxxx 10xxxxxx 10xxxxxx
U+10000 to U+10FFFF 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
Table 1. UTF-8 mapping
"U+FE00" is a special Unicode control character with name variation selector-1, which provides the visual appearance of a
CJK compatibility ideograph. In this case, the preceding character is the general character ".", so the variation selector does
not change the visual appearance.
The operating system sees the app bundle as an unsupported directory type, so as a default action the “open” command is
used to execute the malicious app. Otherwise, if the postfix is .doc without special characters, Microsoft Word is called to
open the app bundle as a document; but since it is not a valid document, the app fails to open it.
Here is the code signing information for the app bundle sample.
https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html
Page 2 of 9

Figure 5. Code signing information for the sample
The app bundle contains two notable files:
ALL tim nha Chi Ngoc Canada: The shell script containing the main malicious routines
configureDefault.def: The word file displayed during execution
Figure 6. Contents of “ALL tim nha Chi Ngoc Canada” file
Figure 7. The document displayed after executing the file
When the shell script was run, it performed the following routines:
1)      Delete the file quarantine attribute for the files in "*ALL tim nha Chi Ngoc Canada.?doc*”
https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html
Page 3 of 9

2)      Attempt to remove file quarantine attribute of the files in the system.
3)      Copy "ALL tim nha Chi Ngoc Canada.?doc/Contents/Resources/configureDefault.def(doc)" to "/tmp/ALL tim nha Chi
Ngoc Canada.doc(doc)"
4)      Open "/tmp/ALL tim nha Chi Ngoc Canada.doc(doc)"
5)      Extract the b64-encoded fat binary to "ALL tim nha Chi Ngoc Canada.?
doc/Contents/Resources/configureDefault.def(fat - binary)", which is the second-stage payload
6)      Change access permission of second-stage payload to execute the launch of the second-stage payload
7)      Delete the malware app bundle "ALL tim nha Chi Ngoc Canada.?doc"
8)      Copy "/tmp/ALL tim nha Chi Ngoc Canada.doc(doc)" to "{execution directory}/ALL tim nha Chi Ngoc Canada.doc"
9)      Delete "/tmp/ALL tim nha Chi Ngoc Canada.doc"
Second-stage payload
When executed, the second stage payload (ALL tim nha Chi Ngoc Canada.?doc/Contents/Resources/configureDefault.def)
performs the following malware routines:
1)      Drop third-stage payload to ~/Library/User Photos/mount_devfs
2)      Create persistence for the sample by creating ~/Library/LaunchAgents/com.apple.marcoagent.voiceinstallerd.plist
Figure 8. Plist file ~/Library/LaunchAgents/com.apple.marcoagent.voiceinstallerd.plist
3)      Use the touch command to change the timestamp of the sample
Figure 9. The timestamp of the dropped files
4)      Delete itself
Third-stage payload
In the third-stage payload (~/Library/User Photos/mount_devfs), the strings are encrypted with custom encryption using
base64 encoding and byte manipulation.
Figure 10. Encrypted strings
https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html
Page 4 of 9

Figures 11-12. Decryption routine
Like older versions of the OceanLotus backdoor, the new version contains two main functions: one for collecting operating
system information and submitting this to its malicious C&C servers and receiving additional C&C communication
information, and another for the backdoor capabilities.
It collects the following information from the infected system by invoking the following commands:
Command Description
system_profiler SPHardwareDataType 2>/dev/null | awk '/Processor /
{split($0,line,\":\"); printf(\"%s\",line[2]);}'
Get processor information
15f20 = system_profiler SPHardwareDataType 2>/dev/null | awk '/Memory/
{split($0,line, \":\"); printf(\"%s\", line[2]);}'
Get memory information
ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformSerialNumber/ { split($0, line,
\"\\\"\"); printf(\"%s\", line[4]); }
Get serial number
ifconfig -l
ifconfig <device> | awk '/ether /{print $2}' 2>&1
Get network interface MAC
addresses
Table 2. OceanLotus commands and descriptions
The collected information is encrypted and sent to the malware C&C server.
Figure 13. TCP stream excerpt of the malware sending information to C&C server
It also receives commands from the same server.
https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html
Page 5 of 9

Figure 14. TCP stream excerpt of the malware receiving commands from C&C server
Here are the C&C servers used by the malware:
mihannevis[.]com
mykessef[.]com
idtpl[.]org
The new variant’s backdoor capabilities are similar to those of the old OceanLotus sample, as detailed in the code excerpts
below:
Figures 15-16. A comparison of the codes of the old OceanLotus variant (above) and the new one (below)
Below are the supported commands and their respective codes (taken from an earlier blog post that covered OceanLotus).
0x33 Get file size
0xe8 Exit
0xa2 Download and execute a file
0xac Run command in terminal
0x48 Remove file
0x72 Upload file
0x23 Download file
0x3c Download file
0x07 Get configuration info
0x55 Empty response, heartbeat packet
Table 3. Supported commands and their respective codes
https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html
Page 6 of 9

Details about C&C domain names
According to its Google and Whoisopen on a new tab history, the mihannevis[.]com domain was used to host other websites
in the past before it was changed to a C&C server around the end of August 2020.
Figures 17-18. Domain history of mihannevis[.]com, from Whois (above) and Google (below)
In VirusTotal, some related URL queries appeared at the end of August.
Figure 19. URLs related to mihannevis[.]com as seen on VirusTotal
The domain "mykessef[.]com" was used for the C&C server earlier.
Figure 20. Domain history of mykessef[.]com based on Whois Lookup
The domain name "idtpl[.]org" was registered three years ago, and there was no update history. According to Whois lookup,
its register expired at the end of March 2020.
https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html
Page 7 of 9

Figure 21. idtpl[.]org registration information based on Whois Lookup
But from the middle of July 2020, its IP address changed to 185[.]117[.]88[.]91.
Figure 22. Domain History of idtpl[.]org as seen on VirusTotal
Recommendations
Threat groups such as OceanLotus are actively updating malware variants in attempts to evade detection and improve
persistence. The following best practices can be applied to defend against malware:
Never click links or download attachments from emails coming from suspicious sources
Regularly patch and update software and applications
Use security solutions suitable for your operating system
To protect systems operating on macOS, we recommend Trend Micro Home Security for Macproducts, which offers
comprehensive and multi-device protection against malware and other cyberthreats.
Indicators of Compromise
SHA-256 Filename/Description Trend Micr
cfa3d506361920f9e1db9d8324dfbb3a9c79723e702d70c3dc8f51825c171420  ALL%20tim%20nha%20Chi%20Ngoc%20Canada.zip Backdoor.M
48e3609f543ea4a8de0c9375fa665ceb6d2dfc0085ee90fa22ffaced0c770c4f ALL tim nha Chi Ngoc Canada Backdoor.SH
05e5ba08be06f2d0e2da294de4c559ca33c4c28534919e5f2f6fc51aed4956e3 2nd stage fat binary Backdoor.M
fd7e51e3f3240b550f0405a67e98a97d86747a8a07218e8150d2c2946141f737  3rd stage fat binary Backdoor.M
Domains
mihannevis[.]com
mykessef[.]com
idtpl[.]org
MITRE TTP
https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html
Page 8 of 9

Tactic ID Name Description
Defense
Evasion
T1070.004open on a
new tab
File Deletion
The app bundle and dropper delete
themselves after execution
T1222.002open on a
new tab
Linux and Mac File and
Directory Permissions
Modification
The backdoor changes the permission of
the file it wants to execute to +x
T1027open on a
new tab
Obfuscated Files or Information Readable strings were encrypted
T1036.005open on a
new tab
Masquerading: Match
Legitimate Name or Location
The app bundle is disguised as a doc file
to trick users into executing it
T1070.006open on a
new tab
Indicator Removal on Host:
Timestomp
The backdoor modifies the date and time
of the dropped files using the “touch”
command
Discovery
T1082open on a
new tab
System Information Discovery
The backdoor collects various
information to send to the C&C server
Collection
T1560.003open on a
new tab
Archive Collected Data:
Archive via Custom Method
The backdoor encrypts the data before
exfiltration
Command and
Control
T1095open on a
new tab
Non-Application Layer
Protocol
Like previous samples, performs
backdoor routines based on C&C data
Tags
Source: https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html
https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html
Page 9 of 9