A new form of malware targeting Apple macOS users, used in a campaign linked to a nation-state-backed hacking operation, has been discovered by researchers.
Trend Micro's cybersecurity analysts have detailed the campaign and linked it to OceanLotus, also known as APT32, a hacking group believed to have links to the Vietnamese government.
OceanLotus targets foreign organizations working in Vietnam, including media, research and construction firms. Although the motivation for the attacks is unknown, the group is believed to conduct espionage to aid Vietnamese-owned companies.
The macOS backdoor gives the attackers a window into the compromised machine, allowing them to snoop on it and steal confidential information and sensitive business documents.
The researchers attribute it to OceanLotus because of similarities in the malware's code and behavior with samples used in the group's previous campaigns.
The attacks begin with phishing emails that trick victims into running a Zip file disguised as a Word document. It evades antivirus scanners by using special characters deep inside a series of nested Zip folders.
Attentive users could spot the attack, because no Microsoft Word document appears when the malicious file is run.
By that stage an initial payload is already running on the machine; it changes access permissions in order to load a second-stage payload, which in turn installs a third-stage payload that downloads the backdoor onto the system.
By installing the malware across different stages like this, OceanLotus aims to evade detection.
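As an added defender-side example (not code from Trend Micro's report), this Python script walks an e-mail attachment archive recursively and flags the traits described above: nested Zips, entry names carrying invisible or control characters, and Mach-O executables wearing a document extension. The archive it inspects is constructed inline for the demonstration; the magic-byte values are Mach-O's real header values, the file names are made up.

```python
import io
import re
import zipfile

# Mach-O header magics (32/64-bit, both byte orders) plus the fat/universal magic.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
                b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}
# Zero-width, bidi-override and ASCII control characters that should never be in a real file name.
SUSPICIOUS_CHARS = re.compile(r"[\u200b-\u200f\u202a-\u202e\u2060\ufeff\x00-\x1f]")

def _flag_entry(path, data, findings):
    if SUSPICIOUS_CHARS.search(path):
        findings.append(f"{path!r}: name contains invisible/control characters")
    if data[:4] in MACHO_MAGICS:
        findings.append(f"{path!r}: Mach-O executable inside archive")
        if path.lower().endswith((".doc", ".docx", ".pdf")):
            findings.append(f"{path!r}: executable disguised with a document extension")

def inspect_archive(blob, prefix="", depth=0, max_depth=5, findings=None):
    """Recursively walk a Zip blob and return a list of human-readable findings."""
    findings = [] if findings is None else findings
    if depth > max_depth:
        findings.append(f"{prefix!r}: nesting deeper than {max_depth}, aborting")
        return findings
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            path = f"{prefix}/{info.filename}" if prefix else info.filename
            data = zf.read(info)
            _flag_entry(path, data, findings)
            if data[:4] == b"PK\x03\x04":  # local file header: another Zip inside
                findings.append(f"{path!r}: nested Zip at depth {depth + 1}")
                inspect_archive(data, path, depth + 1, max_depth, findings)
    return findings

def build_sample():
    """Constructed sample: outer Zip -> inner Zip -> Mach-O-headed file named like a .doc
    with a zero-width space hidden in its name."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Report\u200b.doc", b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Quarterly.doc.zip", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    for line in inspect_archive(build_sample()):
        print(line)
```

Any non-empty result is a reason to quarantine the attachment for analysis rather than open it; a benign Word document produces no findings.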
Like its older versions, the malware attempts to collect system information and creates a backdoor that lets the attackers snoop on and download files, and upload additional malicious software to the system if required.
The malware is still under active development. According to the researchers, threat groups such as OceanLotus keep updating their malware variants to evade detection and improve persistence.
To avoid falling victim to this type of malware campaign, Trend Micro advises users to be extra cautious about clicking links or downloading attachments in emails from suspicious or unknown sources.
Organizations are also strongly advised to apply security patches and other available updates so that the malware cannot exploit known vulnerabilities.
Image credits: Port Swigger