OceanLotus macOS Malware

Researchers published an analysis of an updated version of the macOS malware used by the OceanLotus threat group. They discovered the sample on VirusTotal, but were unable to find the dropper associated with the it so the initial compromise vector is currently unknown. The beginning of the analysis revealed anti-debugging and anti-sandboxing. The anti-debugging function is a watchdog that continuously checks for and attempts to detach any debuggers. Anti-sandbox checking is performed by checking the environment for known virtualization system strings.

The backdoor functions remain the same as previous versions of this malware, but there are a few modifications that the researchers identified. First, during the initial C2 connection, the victim host sends more information that previous versions. It gathers processor information, memory information, MAC addresses, and the serial number of the device. Additionally, libcurl is no longer used for network exfiltration, but instead, an external library is used. Due to not having the initial dropper sample, the researchers were also unable to obtain component files tied to this version of the malware.

Additionally, the library files that they did have access to were encrypted on disk and so the network protocol used was unable to be determined.

Further details – https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/ and https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/

Indicators of Compromise (IoCs)

Domain names

• daff.faybilodeau[.]com
• sarc.onteagleroad[.]com
• au.charlineopkesston[.]com

SHA-1

E615632C9998E4D3E5ACD8851864ED09B02C77D2