Researchers at Trend Micro have discovered how the hacker group OceanLotus, also known in cyber-security circles as APT 32, APT-C-00, SeaLotus, and Cobalt Kitty, is using a new backdoor against macOS computers that have the Perl programming language installed.
The researchers observed the presence of the malicious backdoor in certain Word documents which were sent by OceanLotus hackers to their victims by way of phishing emails and featured the Vietnamese filename “2018-PHIẾU GHI DANH THAM DỰ TĨNH HỘI HMDC 2018.doc,” which translates to “2018-REGISTRATION FORM OF HMDC ASSEMBLY 2018.doc.”
Once a recipient of such an email downloads and opens the Word document, the victim is prompted to enable macros. The macro code is obfuscated by encoding its strings as decimal ASCII character codes. On further analysis, the researchers found that the document carried a payload written in Perl which, in turn, extracted a 32-bit Mach-O executable stored in the document as a file named theme0.xml; that executable served as the dropper for the final payload, the backdoor itself.
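The two artefacts described above, macro strings encoded as decimal ASCII codes and a Mach-O executable hidden inside a document part, are both easy to check for during triage. The script below is an added example written for this article; it is not Trend Micro's analysis code and not the malware's own code. It assumes the macro joins Chr(N) calls with "&" (the article does not show the exact form of the obfuscation), and the sample macro line and sample document bytes it scans are constructed for the demonstration.

```python
import re
import struct

# Mach-O magic numbers as they appear on disk. The 32-bit header value is
# 0xFEEDFACE; on Intel Macs it is written little-endian, so the file starts
# with the bytes CE FA ED FE. CAFEBABE also begins Java class files, so a
# hit on that value needs a second look before it is called a fat binary.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit (big-endian)",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit (little-endian)",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit (big-endian)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (little-endian)",
    b"\xca\xfe\xba\xbe": "Mach-O universal (fat) binary or Java class",
}

CPU_TYPES = {7: "x86", 18: "PowerPC", 0x01000007: "x86_64", 0x0100000C: "ARM64"}
FILE_TYPES = {1: "MH_OBJECT", 2: "MH_EXECUTE", 6: "MH_DYLIB", 8: "MH_BUNDLE"}

# Assumed obfuscation shape: Chr(112) & Chr(101) & ... joined with "&".
CHR_CALL = re.compile(r"Chr\s*\(\s*(\d{1,3})\s*\)", re.IGNORECASE)


def decode_chr_chain(vba_expr: str) -> str:
    """Rebuild the plaintext string from a chain of VBA Chr(N) calls."""
    codes = [int(n) for n in CHR_CALL.findall(vba_expr)]
    return "".join(chr(c) for c in codes if c < 256)


def decode_decimal_list(blob: str) -> str:
    """Decode a bare list of decimal codes such as '112 101 114 108' or '112,101'."""
    codes = [int(n) for n in re.findall(r"\d{1,3}", blob)]
    return "".join(chr(c) for c in codes if c < 256)


def find_macho(data: bytes):
    """Return a sorted list of (offset, description) for every Mach-O magic in data."""
    hits = []
    for magic, desc in MACHO_MAGICS.items():
        start = 0
        while True:
            i = data.find(magic, start)
            if i < 0:
                break
            hits.append((i, desc))
            start = i + 1
    return sorted(hits)


def parse_macho32_le(data: bytes, offset: int) -> dict:
    """Parse the 28-byte little-endian 32-bit Mach-O header at offset."""
    magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags = \
        struct.unpack_from("<7I", data, offset)
    if magic != 0xFEEDFACE:
        raise ValueError("not a little-endian 32-bit Mach-O header")
    return {
        "cputype": CPU_TYPES.get(cputype, hex(cputype)),
        "filetype": FILE_TYPES.get(filetype, hex(filetype)),
        "ncmds": ncmds,
        "sizeofcmds": sizeofcmds,
        "flags": flags,
    }


# Constructed sample macro line: decodes to the interpreter path "/usr/bin/perl".
SAMPLE_MACRO = ("x = Chr(47) & Chr(117) & Chr(115) & Chr(114) & Chr(47) & Chr(98) & "
                "Chr(105) & Chr(110) & Chr(47) & Chr(112) & Chr(101) & Chr(114) & Chr(108)")

# Constructed sample document part: an XML wrapper followed by a fake 32-bit
# x86 MH_EXECUTE header (12 load commands, 0x400 bytes of commands) and padding.
XML_PREFIX = b'<?xml version="1.0"?><a:theme>'
SAMPLE_DOC = (XML_PREFIX
              + struct.pack("<7I", 0xFEEDFACE, 7, 3, 2, 12, 0x400, 0x85)
              + b"\x00" * 64
              + b"</a:theme>")


if __name__ == "__main__":
    print("decoded macro string:", decode_chr_chain(SAMPLE_MACRO))
    for off, desc in find_macho(SAMPLE_DOC):
        print(f"offset {off}: {desc}")
        if "32-bit (little-endian)" in desc:
            print("  header:", parse_macho32_le(SAMPLE_DOC, off))
```

Run against a suspicious .doc or its extracted parts, the Mach-O scan is a quick way to confirm the kind of embedded dropper the researchers describe without executing anything; the decoded macro strings are where the interpreter path and the name of the extracted part will usually show up.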
The researchers added that the backdoor contains a function named infoClient, which collects information about the operating system and sends it to a remote C&C server before waiting for further commands from that server. A second function, named runHandle, implements the remaining backdoor capabilities, such as downloading and executing files and running command-line programs in the terminal.
This article originally appeared at scmagazineuk.com