Threat researchers at Trend Micro have identified new malware from the OceanLotus group targeting iOS and macOS devices. The malware is reportedly spread through a Microsoft Word file attached to phishing emails.
Users often favor Apple's operating systems because fewer malicious programs target them. However, Trend Micro's recent discovery shows that devices running iOS and macOS are not immune to such attacks. The TrendLabs Security Intelligence blog post attributes the malware to OceanLotus, also known as SeaLotus, APT 32, APT-C-00, and Cobalt Kitty. The backdoor is identified by the name OSX_OCEANLOTUS.D.
Attack progression
The researchers report that the threat is distributed via an MS Word document attached to phishing emails. The document presents itself as a registration form for an assembly of HDMC, a Vietnam-based organization that promotes democracy and national independence, but it is in fact a backdoor dropper aimed at devices that use the Perl programming language.
The dropper, which uses a hard-coded RSA256 encryption key, asks the user to enable macros; once macros are enabled, it extracts an executable disguised as an XML file. The dropper then installs the backdoor in different locations depending on whether or not it has root access, marks its files as hidden, and gives them randomized timestamps.
The backdoor serves two purposes: collecting information about the system and leaving the device open to further attacks. The information collected includes the OS version, device serial number, hardware UUID, MAC address, and potentially the device user's name. The backdoor process regularly contacts its command-and-control server, uploading the collected data and downloading additional malicious content.
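Two triage checks that follow from the dropper described above, written here as an added example rather than code from the article or the Trend Micro report: flagging a Word attachment that carries a VBA project, and recognising a payload whose name says XML but whose leading bytes say Mach-O or Perl script. The sample document is constructed inline; the magic numbers are the standard Mach-O values, and the Java-class heuristic is an assumption about how to tell a universal binary from a class file that shares the same magic.

```python
import io
import struct
import zipfile

# Mach-O magic numbers: 32-bit and 64-bit, both byte orders.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC / MH_CIGAM
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 / MH_CIGAM_64
}
FAT_MAGIC = b"\xca\xfe\xba\xbe"  # universal binary; also Java's class-file magic


def classify_payload(data: bytes) -> str:
    """Identify a file by its leading bytes, ignoring whatever name it carries."""
    if data[:4] in MACHO_MAGICS:
        return "macho"
    if data[:4] == FAT_MAGIC and len(data) >= 8:
        # A fat header stores the arch count here; a Java class file stores its
        # version (major >= 45), so a small value means a universal Mach-O.
        if struct.unpack(">I", data[4:8])[0] < 45:
            return "macho"
    first_line = data.split(b"\n", 1)[0]
    if first_line.startswith(b"#!") and b"perl" in first_line:
        return "perl-script"
    if data.lstrip().startswith(b"<"):
        return "xml"
    return "unknown"


def is_disguised_executable(name: str, data: bytes) -> bool:
    """True when a file claiming to be XML is really a Mach-O or a Perl script."""
    return name.lower().endswith(".xml") and classify_payload(data) in ("macho", "perl-script")


def docx_has_vba(doc: bytes) -> bool:
    """Office documents are zip archives; a VBA project lives at word/vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(doc)) as zf:
            return any(n.lower() == "word/vbaproject.bin" for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def build_sample_doc(with_vba: bool) -> bytes:
    """Constructed stand-in for an attachment (not a real OceanLotus sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed stub")
    return buf.getvalue()
```

Run `is_disguised_executable` over anything a macro wrote to disk and `docx_has_vba` over inbound attachments; neither proves malice, but both surface exactly the two tricks the dropper relies on.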
Preventative steps
It is important to be aware that while Apple's operating systems see less malware than other operating systems, malware for them does exist. For phishing attacks, Trend Micro suggests verifying the sender's address and any link embedded in the email, and being wary of attachments from unfamiliar addresses. Users should also not provide personal details unless absolutely necessary. Finally, regular scans with antivirus and antimalware software are highly recommended, as is keeping the operating system fully updated.