OSX_OCEANLOTUS.D is a MacOS backdoor that has been used by APT32.
Tactic | Technique |
---|---|
Defense Evasion (TA0005) | T1222.002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification |
2021-05-20 by Microsoft from Github (microsoft)
2021-02-24 by Amnesty International from Github (AmnestyTech)
2020-12-10 by Nathaniel Gleicher from Facebook
2020-12-02 by Phil Stokes from SentinelOne
2020-11-27 by Luis Magisa from Trend Micro
2019-10-08 by m4n0w4r from
2019-04-09 by Romain Dumont from ESET Research
2018-04-04 by Jaromír Hořejší from Trend Micro
2017-06-22 by Erye Hernandez from Palo Alto Networks Unit 42
2017-05-14 by Nick Carr from FireEye
2016-02-17 by Eddie Lee from AT&T Cybersecurity
Tool: OceanLotus
Names: OceanLotus, OSX_OCEANLOTUS.D, Backdoor.MacOS.OCEANLOTUS.F
Description: OSX_OCEANLOTUS.D is a MacOS backdoor that has been used by APT32.
Category: Malware
Type: Backdoor
Information: https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/
Information: https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/
Information: https://researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-backdoor-oceanlotus/
Mitre-attack: https://attack.mitre.org/software/S0352/
Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/osx.oceanlotus
Last-card-change: 2022-12-30
Source: https://apt.etda.or.th/cgi-bin/listtools.cgi
Tactic | Technique | Use |
---|---|---|
Execution (TA0002) | T1059.004 Command and Scripting Interpreter: Unix Shell | OSX_OCEANLOTUS.D uses a shell script as the main executable inside an app bundle and drops an embedded base64-encoded payload to the /tmp folder. |
Execution (TA0002) | T1059.005 Command and Scripting Interpreter: Visual Basic | OSX_OCEANLOTUS.D uses Word macros for execution. |
Persistence (TA0003) | T1543.001 Create or Modify System Process: Launch Agent | OSX_OCEANLOTUS.D can create a persistence file in the folder /Library/LaunchAgents. |
Persistence (TA0003) | T1543.004 Create or Modify System Process: Launch Daemon | If running with root permissions, OSX_OCEANLOTUS.D can create a persistence file in the folder /Library/LaunchDaemons. |
Privilege Escalation (TA0004) | T1543.001 Create or Modify System Process: Launch Agent | OSX_OCEANLOTUS.D can create a persistence file in the folder /Library/LaunchAgents. |
Privilege Escalation (TA0004) | T1543.004 Create or Modify System Process: Launch Daemon | If running with root permissions, OSX_OCEANLOTUS.D can create a persistence file in the folder /Library/LaunchDaemons. |
Defense Evasion (TA0005) | T1222.002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification | OSX_OCEANLOTUS.D has changed permissions of a second-stage payload to an executable via chmod. |
Defense Evasion (TA0005) | T1564.001 Hide Artifacts: Hidden Files and Directories | OSX_OCEANLOTUS.D sets the main loader file's attributes to hidden. |
Defense Evasion (TA0005) | T1070.004 Indicator Removal: File Deletion | OSX_OCEANLOTUS.D has a command to delete a file from the system, and deletes the app bundle and dropper after execution. |
Defense Evasion (TA0005) | T1070.006 Indicator Removal: Timestomp | OSX_OCEANLOTUS.D can use the touch -t command to change timestamps. |
Defense Evasion (TA0005) | T1036.004 Masquerading: Masquerade Task or Service | OSX_OCEANLOTUS.D has disguised its app bundle by adding special characters to the filename and using the icon for legitimate Word documents. |
Defense Evasion (TA0005) | T1027 Obfuscated Files or Information | OSX_OCEANLOTUS.D encrypts its strings in RSA256 and encodes them in a custom base64 scheme and XOR. |
Defense Evasion (TA0005) | T1027.002 Obfuscated Files or Information: Software Packing | OSX_OCEANLOTUS.D has a variant that is packed with UPX. |
Defense Evasion (TA0005) | T1553.001 Subvert Trust Controls: Gatekeeper Bypass | OSX_OCEANLOTUS.D uses the command xattr -d com.apple.quarantine to remove the quarantine file attribute used by Gatekeeper. |
Defense Evasion (TA0005) | T1497.001 Virtualization/Sandbox Evasion: System Checks | OSX_OCEANLOTUS.D has variants that check a number of system parameters to see if it is being run on real hardware or in a virtual machine environment, such as sysctl hw.model. |
Discovery (TA0007) | T1082 System Information Discovery | OSX_OCEANLOTUS.D collects processor information, memory information, computer name, hardware UUID, serial number, and operating system version, and has used the ioreg command to gather some of this information. |
Discovery (TA0007) | T1016 System Network Configuration Discovery | OSX_OCEANLOTUS.D can collect the network interface MAC address on the infected host. |
Discovery (TA0007) | T1497.001 Virtualization/Sandbox Evasion: System Checks | OSX_OCEANLOTUS.D has variants that check a number of system parameters to see if it is being run on real hardware or in a virtual machine environment, such as sysctl hw.model. |
Collection (TA0009) | T1560.003 Archive Collected Data: Archive via Custom Method | OSX_OCEANLOTUS.D scrambles and encrypts data using AES256 before sending it to the C2 server. |
Collection (TA0009) | T1005 Data from Local System | OSX_OCEANLOTUS.D has the ability to upload files from a compromised host. |
Command and Control (TA0011) | T1071.001 Application Layer Protocol: Web Protocols | OSX_OCEANLOTUS.D can use HTTP POST and GET requests to send and receive C2 information. |
Command and Control (TA0011) | T1105 Ingress Tool Transfer | OSX_OCEANLOTUS.D has a command to download and execute a file on the victim's machine. |

No techniques are mapped for this tool under Reconnaissance (TA0043), Resource Development (TA0042), Initial Access (TA0001), Credential Access (TA0006), Lateral Movement (TA0008), Exfiltration (TA0010) or Impact (TA0040).