OSX_OCEANLOTUS.D

The MacOS backdoor was found in a malicious Word document presumably distributed via email. Upon receiving the malicious document, the user is advised to enable macros.

Both create one thread, and each thread is responsible for either downloading and executing the file or running a command line program in the terminal.

The content repeatedly describes threat actors and malware using PowerShell scripts/commands for execution, download, staging, reconnaissance, persistence, credential access, lateral movement, and defense evasion; e.g., "Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses."

After deobfuscation, we can see that the payload is written in the Perl programming language. It extracts theme0.xml file from the Word document.

Astaroth uses the LoadLibraryExW() function to load additional modules. Attor's dispatcher can execute additional plugins by loading the respective DLLs. ... LightSpy's main executable and module .dylib binaries are loaded using ... dlopen() ... dlsym() ... RotaJakiro uses ... .so files ... using dlopen() and dlsym().

Afterwards, the persistence file will be created in /Library/LaunchDaemons/ or ~/Library/LaunchAgents/ folder. The RunAtLoad key will command launchd to run the daemon when the operating system starts up... launchctl load ~/Library/LaunchAgents/ filename.plist

Bundlore can persist via a LaunchAgent. Calisto adds a .plist file to the /Library/LaunchAgents folder to maintain persistence. CoinTicker creates user launch agents named .espl.plist and com.apple.[random string].plist to establish persistence.

Afterwards, the persistence file will be created in /Library/LaunchDaemons/ or ~/Library/LaunchAgents/ folder. The RunAtLoad key will command launchd to run the daemon when the operating system starts up... launchctl load /Library/LaunchDaemons/filename.plist

Afterwards, the persistence file will be created in /Library/LaunchDaemons/ or ~/Library/LaunchAgents/ folder. The RunAtLoad key will command launchd to run the daemon when the operating system starts up... launchctl load ~/Library/LaunchAgents/ filename.plist

Bundlore can persist via a LaunchAgent. Calisto adds a .plist file to the /Library/LaunchAgents folder to maintain persistence. CoinTicker creates user launch agents named .espl.plist and com.apple.[random string].plist to establish persistence.

Afterwards, the persistence file will be created in /Library/LaunchDaemons/ or ~/Library/LaunchAgents/ folder. The RunAtLoad key will command launchd to run the daemon when the operating system starts up... launchctl load /Library/LaunchDaemons/filename.plist

The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.

It extracts theme0.xml file from the Word document. theme0.xml is a Mach-O 32-bit executable... For root user path: /Library/CoreMediaIO/Plug-Ins/FCP-DAL/iOSScreenCapture.plugin/Contents/Resources/ processname: screenassistantd For regular user path: ~/Library/Spelling/ processname: spellagentd

The app bundle is disguised as a doc file to trick users into executing it

The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.

APT28 has performed timestomping on victim files. APT29 has used timestomping to alter the Standard Information timestamps on their web shells to match other files in the same directory. APT32 has used scheduled task raw XML with a backdated timestamp... APT38 has modified data timestamps to mimic files that are in the same folder on a compromised host.

The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'

The dropper installs the backdoor, sets its attributes to “hidden”, and sets a random file date and time... This persistence file is also set to hidden with a randomly generated file date and time.

Change access permission of second-stage payload to execute the launch of the second-stage payload

The content repeatedly describes actors and malware using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, netsh interface show, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, and network adapter/interface details.

Running getpwuid ->pw_name, scutil --get ComputerName, and uname –m will provide the following returns respectively: Mac OSX 10.12. System Administrator <owner’s name>'s iMac x86_64

The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."

The HandlePP::getClientID method uses the following environment variables: Serial number, Hardware UUID, MAC address, Randomly generated UUID

The backdoor encrypts the data before exfiltration

Some Backdoor.Oldrea samples use standard Base64 + bzip2... gh0st RAT has used Zlib to compress C2 communications data before encrypting it... HOPLIGHT has utilized Zlib compression to obfuscate the communications payload.

infoClient is responsible for collecting OS info, submitting this info to its C&C servers... Communication with the C&C server after the exchange of OS packet info... HandlePP::urlRequest (/appleauth/static/cssj/N252394295/widget/auth/app.css)

The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.

Like older versions of the OceanLotus backdoor, the new version contains two main functions: one for collecting operating system information and submitting this to its malicious C&C servers and receiving additional C&C communication information, and another for the backdoor capabilities.

Both create one thread, and each thread is responsible for either downloading and executing the file or running a command line program in the terminal... Commands used in uploading and downloading file

Many entries state malware or actors can upload, transfer, send, or exfiltrate files from compromised hosts to command-and-control servers or attacker infrastructure.