# New MacOS Backdoor Connected to OceanLotus Surfaces **[trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html](https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html)** November 27, 2020 [We recently discovered a new backdoor we believe to be related to the OceanLotus group. Some of the updates of this new variant (detected](https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html) by Trend Micro as Backdoor.MacOS.OCEANLOTUS.F) include new behavior and domain names. As of writing, this sample is still undetected by other antimalware solutions. Due to similarities in dynamic behavior and code with previous OceanLotus samples, it was confirmed to be a variant of the said malware. Figures 1-2. Comparison of old OceanLotus sample (above) with the latest OceanLotus sample (below) ----- Ocea otus [as espo s b e o ta geted attac s aga st o ga](https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html) at o s o [dust es suc](https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/) as ed a, esea c, a d co st uct o ece t y [they have also been discovered by researchers from Volexity to be using malicious websites to propagate malware.](https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/) The attackers behind this sample are suspected to target users from Vietnam since the document’s name is in Vietnamese and the older samples targeted the same region before. ## Arrival The sample arrives as an app bundled in a Zip archive. It uses the icon for a Word document file as a disguise, attempting to pass itself off as a legitimate document file. Figure 3. The sample’s file name, icon, and app bundle structure Another technique it uses to evade detection is adding special characters to its app bundle name. When a user looks for the fake doc folder via the macOS Finder app or the terminal command line, the folder's name shows "ALL tim nha Chi Ngoc Canada.doc" (“tìm nhà Chị Ngọc” roughly translates to “find Mrs. Ngoc’s house”). However, checking the original Zip file that contains the folder shows 3 unexpected bytes between "." and "doc". Figure 4. Special character between ‘.’ and ‘doc’ as viewed inside the zip archive. The 3 bytes "efb880" is in UTF-8 encoding. According to UTF-8 mapping, the related Unicode code is "U+FE00". **Code point** **First byte** **Second byte** **Third byte** **Fourth byte** U+0000 to U+007F 0xxxxxxx U+0080 to U+07FF 110xxxxx 10xxxxxx U+0800 to U+FFFF 1110xxxx 10xxxxxx 10xxxxxx U+10000 to U+10FFFF 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx Table 1. UTF-8 mapping "U+FE00" is a special Unicode control character with name variation selector-1, which provides the visual appearance of a CJK compatibility ideograph. In this case, the preceding character is the general character ".", so the variation selector does not change the visual appearance. The operating system sees the app bundle as an unsupported directory type, so as a default action the “open” command is used to execute the malicious app. Otherwise, if the postfix is .doc without special characters, Microsoft Word is called to open the app bundle as a document; but since it is not a valid document, the app fails to open it. Here is the code signing information for the app bundle sample. ----- Figure 5. Code signing information for the sample The app bundle contains two notable files: ALL tim nha Chi Ngoc Canada: The shell script containing the main malicious routines configureDefault.def: The word file displayed during execution Figure 6. Contents of “ALL tim nha Chi Ngoc Canada” file Figure 7. The document displayed after executing the file When the shell script was run, it performed the following routines: 1) Delete the file quarantine attribute for the files in "*ALL tim nha Chi Ngoc Canada.?doc*” 2) Attempt to remove file quarantine attribute of the files in the system. 3) Copy "ALL tim nha Chi Ngoc Canada.?doc/Contents/Resources/configureDefault.def(doc)" to "/tmp/ALL tim nha Chi Ngoc Canada.doc(doc)" 4) Open "/tmp/ALL tim nha Chi Ngoc Canada.doc(doc)" ----- 5) t act t e b6 e coded at b a y to t a C goc Ca ada doc/Co te ts/ esou ces/co gu e e au t de ( at b a y), c is the second-stage payload 6) Change access permission of second-stage payload to execute the launch of the second-stage payload 7) Delete the malware app bundle "ALL tim nha Chi Ngoc Canada.?doc" 8) Copy "/tmp/ALL tim nha Chi Ngoc Canada.doc(doc)" to "{execution directory}/ALL tim nha Chi Ngoc Canada.doc" 9) Delete "/tmp/ALL tim nha Chi Ngoc Canada.doc" ## Second-stage payload When executed, the second stage payload (ALL tim nha Chi Ngoc Canada.?doc/Contents/Resources/configureDefault.def) performs the following malware routines: 1) Drop third-stage payload to ~/Library/User Photos/mount_devfs 2) Create persistence for the sample by creating ~/Library/LaunchAgents/com.apple.marcoagent.voiceinstallerd.plist Figure 8. Plist file ~/Library/LaunchAgents/com.apple.marcoagent.voiceinstallerd.plist 3) Use the touch command to change the timestamp of the sample Figure 9. The timestamp of the dropped files 4) Delete itself ## Third-stage payload In the third-stage payload (~/Library/User Photos/mount_devfs), the strings are encrypted with custom encryption using base64 encoding and byte manipulation. Figure 10. Encrypted strings ----- Figures 11-12. Decryption routine [Like older versions of the OceanLotus backdoor, the new version contains two main functions: one for collecting operating system information](https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html) and submitting this to its malicious C&C servers and receiving additional C&C communication information, and another for the backdoor capabilities. It collects the following information from the infected system by invoking the following commands: **Command** **Description** system_profiler SPHardwareDataType 2>/dev/null | awk '/Processor / {split($0,line,\":\"); printf(\"%s\",line[2]);}' 15f20 = system_profiler SPHardwareDataType 2>/dev/null | awk '/Memory/ {split($0,line, \":\"); printf(\"%s\", line[2]);}' ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformSerialNumber/ { split($0, line, \"\\\"\"); printf(\"%s\", line[4]); } ifconfig -l ifconfig | awk '/ether /{print $2}' 2>&1 Table 2. OceanLotus commands and descriptions The collected information is encrypted and sent to the malware C&C server. Get processor information Get memory information Get serial number Get network interface MAC addresses information to C&C server It also receives commands from the same server. Here are the C&C servers used by the malware: mihannevis[.]com mykessef[.]com idtpl[.]org Figure 13. TCP stream excerpt of the malware sending Figure 14. TCP stream excerpt of the malware receiving commands from C&C server [The new variant’s backdoor capabilities are similar to those of the old OceanLotus sample, as detailed in the code excerpts below:](https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html) ----- Figures 15-16. A comparison of the codes of the old OceanLotus variant (above) and the new one (below) [Below are the supported commands and their respective codes (taken from an earlier blog post that covered OceanLotus).](https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html) 0x33 Get file size 0xe8 Exit 0xa2 Download and execute a file 0xac Run command in terminal 0x48 Remove file 0x72 Upload file 0x23 Download file 0x3c Download file 0x07 Get configuration info 0x55 Empty response, heartbeat packet Table 3. Supported commands and their respective codes ## Details about C&C domain names [According to its Google and Whois history, the mihannevis[.]com domain was used to host other websites in the past before it was changed to](https://www.whois.net/) a C&C server around the end of August 2020. ----- from Whois (above) and Google (below) In VirusTotal, some related URL queries appeared at the end of August. 19. URLs related to mihannevis[.]com as seen on VirusTotal The domain "mykessef[.]com" was used for the C&C server earlier. Figures 17-18. Domain history of mihannevis[.]com, Figure Figure 20. Domain history of mykessef[.]com based on Whois Lookup The domain name "idtpl[.]org" was registered three years ago, and there was no update history. According to Whois lookup, its register expired at the end of March 2020. Figure 21. idtpl[.]org registration information based on Whois Lookup But from the middle of July 2020, its IP address changed to 185[.]117[.]88[.]91. ----- Figure 22. Domain History of idtpl[.]org as seen on VirusTotal ## Recommendations Threat groups such as OceanLotus are actively updating malware variants in attempts to evade detection and improve persistence. The following best practices can be applied to defend against malware: Never click links or download attachments from emails coming from suspicious sources Regularly patch and update software and applications Use security solutions suitable for your operating system [To protect systems operating on macOS, we recommend Trend Micro Home Security for Mac, which offers comprehensive and multi-device](https://www.trendmicro.com/en_us/forHome/products/maximum-security.html) protection against malware and other cyberthreats. ## Indicators of Compromise **SHA-256** **Filename/Description** **Trend M** cfa3d506361920f9e1db9d8324dfbb3a9c79723e702d70c3dc8f51825c171420 ALL%20tim%20nha%20Chi%20Ngoc%20Canada.zip Backdoo 48e3609f543ea4a8de0c9375fa665ceb6d2dfc0085ee90fa22ffaced0c770c4f ALL tim nha Chi Ngoc Canada Backdoo 05e5ba08be06f2d0e2da294de4c559ca33c4c28534919e5f2f6fc51aed4956e3 2nd stage fat binary Backdoo fd7e51e3f3240b550f0405a67e98a97d86747a8a07218e8150d2c2946141f737 3rd stage fat binary Backdoo **Domains** mihannevis[.]com mykessef[.]com idtpl[.]org ## MITRE TTP **Tactic** **ID** **Name** **Description** Defense Evasion [T1070.004](https://attack.mitre.org/techniques/T1070/004/) File Deletion The app bundle and dropper delete themselves after execution [T1222.002](https://attack.mitre.org/techniques/T1222/002/) Linux and Mac File and Directory Permissions Modification The backdoor changes the permission of the file it wants to execute to +x [T1027](https://attack.mitre.org/techniques/T1027/) Obfuscated Files or Information Readable strings were encrypted [T1036.005](https://attack.mitre.org/techniques/T1036/005/) Masquerading: Match Legitimate Name or Location [T1070.006](https://attack.mitre.org/techniques/T1070/006/) Indicator Removal on Host: Timestomp The app bundle is disguised as a doc file to trick users into executing it The backdoor modifies the date and time of the dropped files using the “touch” command ----- Discovery [T1082](https://attack.mitre.org/techniques/T1082/) System Information Discovery The backdoor collects various information to send to the C&C server Collection [T1560.003](https://attack.mitre.org/techniques/T1560/003/) Archive Collected Data: Archive via Custom Method The backdoor encrypts the data before exfiltration Command and Control [T1095](https://attack.mitre.org/techniques/T1095/) Non-Application Layer Protocol Like previous samples, performs backdoor routines based on C&C data -----