OceanLotus macOS Malware

Researchers at ESET published an analysis of an updated version of the macOS backdoor used by the OceanLotus threat group. They found the sample on VirusTotal but could not locate the dropper associated with it, so the initial compromise vector is currently unknown. The analysis opens with the sample's anti-analysis measures: anti-debugging and anti-sandboxing. The anti-debugging routine is a watchdog that continuously checks for an attached debugger and attempts to detach it. The anti-sandbox check inspects the host environment for strings associated with known virtualization products.

The backdoor's functionality is unchanged from previous versions, but the researchers identified a few modifications. First, during the initial C2 connection the victim host sends more information than previous versions did: processor information, memory information, MAC addresses, and the device serial number. Second, libcurl is no longer used for network exfiltration; an external library is used instead. Because the initial dropper was not available, the researchers were also unable to obtain the component files tied to this version of the malware.

In addition, the library files that were available were encrypted on disk, so the network protocol in use could not be determined.

Further details – https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/ and https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/

Indicators of Compromise (IoCs)

Domain names

  • daff.faybilodeau[.]com
  • sarc.onteagleroad[.]com
  • au.charlineopkesston[.]com

SHA-1

E615632C9998E4D3E5ACD8851864ED09B02C77D2
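As an added example (not code from the ESET or Trend Micro write-ups), the following Python script sweeps for the indicators above on the defensive side: it hashes files with SHA-1 and compares the result against the published hash, and it searches DNS/proxy log lines for the published domains, treating any subdomain of an IoC domain as a hit. The log lines, the log format and the hostname regex are constructed for the demo and are assumptions, not something taken from the analyses.

```python
"""IoC sweep for the OceanLotus macOS sample (added example, not vendor code).

Two checks:
  1. SHA-1 of files on disk against the published hash.
  2. DNS / proxy log lines against the published C2 domains, including any
     subdomain of them (e.g. cdn.au.charlineopkesston.com).
"""
import hashlib
import io
import re

# Published indicators. Domains are written defanged, as on the page, and
# re-armed once at load time by normalize_domain().
IOC_SHA1 = {"e615632c9998e4d3e5acd8851864ed09b02c77d2"}
IOC_DOMAINS_DEFANGED = (
    "daff.faybilodeau[.]com",
    "sarc.onteagleroad[.]com",
    "au.charlineopkesston[.]com",
)


def normalize_domain(name):
    """Lower-case, re-arm '[.]' and drop a trailing dot (DNS FQDN form)."""
    return name.replace("[.]", ".").rstrip(".").lower()


IOC_DOMAINS = {normalize_domain(d) for d in IOC_DOMAINS_DEFANGED}

# Assumed hostname shape: two or more dot-separated labels of letters, digits
# and hyphens. Bare IPs also match this but never equal an IoC domain.
HOST_RE = re.compile(
    r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)+"
)


def domain_hits(line):
    """Return the set of IoC domains that a log line references."""
    hits = set()
    for token in HOST_RE.findall(line):
        host = normalize_domain(token)
        for ioc in IOC_DOMAINS:
            # Exact match or a subdomain; 'notfaybilodeau.com' must not hit.
            if host == ioc or host.endswith("." + ioc):
                hits.add(ioc)
    return hits


def scan_log(lines):
    """Return (line_number, line, sorted_hits) for every line with a hit."""
    results = []
    for number, line in enumerate(lines, 1):
        hits = domain_hits(line)
        if hits:
            results.append((number, line, sorted(hits)))
    return results


def sha1_of_stream(stream, chunk=1 << 20):
    """Hash a binary stream in chunks so large binaries do not sit in memory."""
    digest = hashlib.sha1()
    for block in iter(lambda: stream.read(chunk), b""):
        digest.update(block)
    return digest.hexdigest()


def sha1_of_bytes(data):
    return sha1_of_stream(io.BytesIO(data))


def sha1_of_file(path):
    with open(path, "rb") as handle:
        return sha1_of_stream(handle)


def files_matching_ioc(paths):
    """Return the paths whose SHA-1 equals the published sample hash."""
    return [p for p in paths if sha1_of_file(p) in IOC_SHA1]


# Constructed log lines for the demo (assumed syslog-style format).
SAMPLE_LOG = [
    "2019-04-10T09:12:01Z mac-0123 mDNSResponder query: daff.faybilodeau.com type A",
    "2019-04-10T09:12:05Z mac-0123 proxy CONNECT www.apple.com:443",
    "2019-04-10T09:13:40Z mac-0456 mDNSResponder query: sarc.onteagleroad.com type A",
    "2019-04-10T09:14:02Z mac-0456 proxy CONNECT cdn.au.charlineopkesston.com:443",
]

if __name__ == "__main__":
    for number, line, hits in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)} <- {line}")
```

Point `files_matching_ioc()` at the paths you want to check (for example the contents of a user's LaunchAgents directory or a quarantined download) and feed `scan_log()` the lines from your DNS resolver or proxy logs; a hit on either is worth pulling the host for a closer look.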

Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
