A new version of the OceanLotus APT group's backdoor malware uses decoy documents, string encoding, modularity, and customized binary protocol traffic, while eschewing command-line utilities.

The alleged Vietnamese APT group OceanLotus has evolved its Mac spyware trojan, creating what researchers at Palo Alto Networks are calling "one of the more advanced backdoors we have seen on macOS to date."

This newer rendition of the backdoor malware has added decoy documents, string encoding, modularity, and custom binary protocol traffic with encryption, while eliminating command-line utilities. Like past versions, the malware is being used primarily within Vietnam itself.

In a blog post published on Thursday, Palo Alto's Unit 42 threat intelligence team reported that this version has been active for more than a year, and was spotted in the wild as recently as early June 2017. It is not clear from the report exactly when this variant was first discovered.

Featuring low anti-virus detection rates, the backdoor is distributed via zip file, most likely through email attachments, Unit 42 reports. This file contains a directory with what appears to be a Microsoft Word document, but in actuality is an application bundle that conceals the trojan. This is a notable difference from other macOS malware, including the previous version of the OceanLotus backdoor, which typically poses as an application installer for programs like Adobe Flash.
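As an added illustration (not code from the Unit 42 report or from the malware itself), here is a defender-side check for the lure described above: a directory inside a zip archive whose name carries a document extension yet has the Contents/MacOS or Contents/Info.plist layout of a macOS application bundle. The extension list and the sample archive are constructed for this example.

```python
import io
import zipfile

# Document extensions a bundle directory might borrow to look like a file.
# Constructed for this example; the report only says the bundle looked like a Word document.
DOC_EXTENSIONS = (".doc", ".docx", ".rtf", ".pdf", ".xls", ".ppt")


def find_disguised_bundles(zip_bytes: bytes) -> list[str]:
    """Return directories in the archive that are named like a document but
    have the layout of a macOS application bundle."""
    suspicious = set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            parts = name.split("/")
            # Examine every ancestor directory of this entry.
            for i in range(1, len(parts)):
                directory = "/".join(parts[:i])
                if not directory.lower().endswith(DOC_EXTENSIONS):
                    continue
                rest = parts[i:]
                # A genuine document is a single file; a "document" that contains
                # Contents/MacOS/ or Contents/Info.plist is an application bundle.
                if len(rest) >= 2 and rest[0] == "Contents" and rest[1] in ("MacOS", "Info.plist"):
                    suspicious.add(directory)
    return sorted(suspicious)


def build_sample_zip() -> bytes:
    """Constructed sample archive (not a real specimen): one ordinary document
    and one directory that mimics the lure described in the article."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report/notes.docx", b"PK...")  # a plain file, not a bundle
        zf.writestr("report/Invoice.doc/Contents/Info.plist", b"<plist/>")
        zf.writestr("report/Invoice.doc/Contents/MacOS/Invoice", b"\xcf\xfa\xed\xfe")
        zf.writestr("report/Invoice.doc/Contents/Resources/decoy.doc", b"...")
    return buf.getvalue()


if __name__ == "__main__":
    print(find_disguised_bundles(build_sample_zip()))  # ['report/Invoice.doc']
```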

To diminish suspicion, the new variant opens a decoy document, a trick that reportedly is much more common in Windows malware than in Mac malware, the report continues. Moreover, the lack of command-line utilities and suspicious strings helps conceal the malware's malicious purpose, while hindering analysis.

"This shows a deep level of understanding of the macOS platform by the author of this backdoor, compared to other threat actors that will commonly copy and paste scripts from the Internet," wrote Palo Alto blog post authors and research engineers Erye Hernandez and Danny Tsechansky, adding that the strings are particularly hard to find because they are encoded using "a combination of bit shifting and XOR operations with a variable key that depends on the length of the string that was encoded."

Another new addition is the malware's customized binary protocol for communicating with the command-and-control server. These communications take place via TCP port 443, which Palo Alto reports is "unlikely to be blocked by traditional firewalls due to its use in HTTPS connections."

Earlier this year, researchers from FireEye/Mandiant tied the OceanLotus group, also known as APT32, to various malicious campaigns, including the 2017 compromise of a global consulting firm's Vietnamese offices, a 2016 malware attack on a hospitality developer with plans for expansion into Vietnam, and the 2016 targeting of Vietnamese and foreign-owned corporations operating in the fields of network security, technology infrastructure, banking and media.

Also this year, Cybereason said OceanLotus was the brains behind Operation Cobalt Kitty, a sophisticated spearphishing attack against an Asia-based corporation.