Fresh MacOS Backdoor Variant Linked to Vietnamese Hackers
Researchers: Malware Uses Multistage Payloads, Anti-Detection Techniques
Trend Micro researchers have uncovered a macOS backdoor variant linked to an advanced persistent threat group operating from Vietnam.
In a new report, Trend Micro notes that the updated backdoor uses multistage payloads as well as anti-detection techniques to help bypass security tools. It also enables the attackers to maintain persistence and steal data. The researchers note that there are some indications that the malware may have targeted victims in the Asia-Pacific region, but there is no conclusive evidence at this time.
The researchers have linked the malware to a hacking group known as OceanLotus, also referred to as APT32, which has been previously tied to the government of Vietnam. The report notes that some of the documents associated with the backdoor are written in Vietnamese, plus the codebase for the malware matches the source code for previous malicious tools linked to the group.
In April, the security firm FireEye released a report noting the role OceanLotus allegedly played in targeting several Chinese agencies in an attempt to gather intelligence about the country's response to the COVID-19 outbreak (see: Hackers Targeted Chinese Agencies for COVID-19 Intel: Report).
OceanLotus, which has been active since at least 2014, has previously launched campaigns against industries and government agencies throughout Southeast Asia. The hacking group has targeted media, research and construction organizations (see: Vietnamese APT Group Targets BMW, Hyundai: Report).
To launch attacks that attempt to install the backdoor on a victim's device, OceanLotus is likely using phishing emails, based on the group's past behavior, according to the report.
The Trend Micro researchers note that the malware arrives as an app bundled in a zip archive. It uses the icon of a Word document file as a disguise, attempting to pass itself off as a legitimate document file.
Another way the backdoor initially avoids detection is by adding special characters to its app bundle name: three bytes, written in hexadecimal as "efb880", that form a character in UTF-8 encoding (a standard character encoding for text).
"The operating system sees the app bundle as an unsupported directory type, so as a default action the 'open' command is used to execute the malicious app," according to Trend Micro.
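As an added illustration of how a defender could check for this disguise (this is not code from the Trend Micro report), the following Python scans a zip archive for app bundles whose names contain invisible Unicode characters, such as the character encoded by the report's "efb880" bytes, or show a document extension in front of the real ".app" suffix. The sample archive, its bundle names and the function names are constructed for the demonstration.

```python
import io
import unicodedata
import zipfile

# The report quotes the bundle-name bytes as "efb880"; decoded as UTF-8 they
# form a single code point that draws nothing on screen.
SUSPECT_CHAR = bytes.fromhex("efb880").decode("utf-8")
DOC_EXTS = (".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf")

def is_invisible(ch: str) -> bool:
    """The report's character, Unicode variation selectors, or format chars (Cf)."""
    return (ch == SUSPECT_CHAR or 0xFE00 <= ord(ch) <= 0xFE0F
            or unicodedata.category(ch) == "Cf")

def audit_bundle_name(name: str) -> list:
    """Reasons a path component looks like a disguised .app bundle ([] if none)."""
    visible = "".join(c for c in name if not is_invisible(c)).lower()
    if not visible.endswith(".app"):
        return []                         # not an app bundle at all
    reasons = []
    hidden = sorted({"U+%04X" % ord(c) for c in name if is_invisible(c)})
    if hidden:
        reasons.append("invisible code points in name: " + ", ".join(hidden))
    stem = visible[:-4]                   # what the user sees before the real ".app"
    if stem.endswith(DOC_EXTS):
        reasons.append("document extension shown before .app: " + stem.rsplit(".", 1)[1])
    return reasons

def suspicious_bundles(zip_bytes: bytes) -> dict:
    """Map each flagged top-level bundle name in a zip archive to its reasons."""
    findings, seen = {}, set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            top = info.filename.split("/")[0]
            if top not in seen:
                seen.add(top)
                reasons = audit_bundle_name(top)
                if reasons:
                    findings[top] = reasons
    return findings

def build_sample_zip() -> bytes:
    """Constructed archive (not a real sample): a disguised bundle and a clean one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        bad = "Quarterly report.doc" + SUSPECT_CHAR + ".app"
        zf.writestr(bad + "/Contents/Info.plist", "placeholder")
        zf.writestr(bad + "/Contents/MacOS/report", "placeholder")
        zf.writestr("Clean Tool.app/Contents/MacOS/tool", "placeholder")
    return buf.getvalue()
```

The same audit can be pointed at extracted directory names on disk; the archive scan is shown because the report says the bundle arrives inside a zip file.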
When the bundle is opened, the malware launches the second-stage payload, which, in turn, drops the third-stage payload before deleting itself. "In the third-stage payload, the strings are encrypted with custom encryption using base64 encoding and byte manipulation," the researchers note.
As in older versions of the OceanLotus backdoor, the new version contains two main functions, according to the report. One function collects operating system information and submits it to the operators' command-and-control servers and enables the malware to receive additional commands from the hacking group. It also accommodates additional backdoor capabilities and data collection and exfiltration.
The second function enables collecting operating system information, processor information, memory information, serial numbers and network interface MAC addresses, according to the report.
In addition to these functions, the updated backdoor supports gathering file size information, removing and uploading files, downloading and executing files, running commands in the terminal and retrieving its configuration information, according to the report.
"Threat groups such as OceanLotus are actively updating malware variants in attempts to evade detection and improve persistence," the researchers note.