Researchers at Trend Micro have discovered how the hacker group OceanLotus, which is also known in cyber-security as APT 32, APT-C-00, SeaLotus, and Cobalt Kitty, is using a new backdoor to target MacOS computers.

Researchers at Trend Micro have discovered how the hacker group OceanLotus, which is also known in cyber-security circles as APT 32, APT-C-00, SeaLotus, and Cobalt Kitty, is using a new MacOS backdoor to target Mac computers that have the Perl programming language installed.


The researchers observed the presence of the malicious backdoor in certain Word documents which were sent by OceanLotus hackers to their victims by way of phishing emails and featured the Vietnamese filename “2018-PHIẾU  GHI  DANH  THAM  DỰ  TĨNH  HỘI HMDC 2018.doc,” which translates to “2018-REGISTRATION FORM OF HMDC ASSEMBLY 2018.doc.”


Once a recipient of such an email downloads and opens the Word document, the victim is prompted to enable macros, which the attackers have obfuscated by encoding strings as decimal ASCII codes. On further analysis, the researchers found that these documents carried a payload written in Perl which, in turn, extracted a 32-bit Mach-O executable named thexe0.xml; that file served as the dropper for the final payload, the backdoor itself.
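As an added illustration (not code from the original article or from Trend Micro), the following Python shows two triage checks a defender could run on a document like the one described: decoding Chr(&lt;decimal&gt;) concatenation chains, which is an assumed, common shape of "decimal ASCII" macro obfuscation rather than the exact OceanLotus technique, and testing whether a dropped file carries the 32-bit Mach-O magic. The VBA fragment is constructed for the example.

```python
import re

# Constructed VBA fragment that hides a string as decimal ASCII codes joined
# with Chr() and "&". This is an assumed, typical form of decimal-ASCII
# obfuscation, not the actual OceanLotus macro.
SAMPLE_VBA = r'''
Sub AutoOpen()
    Dim cmd As String
    cmd = Chr(112) & Chr(101) & Chr(114) & Chr(108) & Chr(32) & Chr(45) & Chr(101)
End Sub
'''

# A whole chain such as: Chr(112) & Chr(101) & Chr(114)
CHR_CHAIN = re.compile(r'(?:Chr\(\s*\d{1,3}\s*\)\s*&?\s*)+', re.IGNORECASE)
# One Chr(<decimal>) call inside a chain
CHR_ONE = re.compile(r'Chr\(\s*(\d{1,3})\s*\)', re.IGNORECASE)


def decode_chr_chains(vba_source: str) -> list[str]:
    """Return the plaintext hidden in each Chr(<decimal>) concatenation chain."""
    decoded = []
    for match in CHR_CHAIN.finditer(vba_source):
        codes = [int(c) for c in CHR_ONE.findall(match.group(0))]
        # Ignore lone Chr() calls and out-of-range codes; only real chains matter.
        if len(codes) >= 2 and all(code < 256 for code in codes):
            decoded.append(''.join(chr(code) for code in codes))
    return decoded


# Interpreter and shell names whose presence in a decoded macro string an
# analyst would escalate; "perl" is the one relevant to this campaign.
SUSPICIOUS = ('perl', '/bin/sh', 'curl', 'osascript')


def flag_macro(vba_source: str) -> list[str]:
    """Decoded strings that reference an interpreter or shell."""
    return [s for s in decode_chr_chains(vba_source)
            if any(key in s.lower() for key in SUSPICIOUS)]


# 32-bit Mach-O magic in big-endian (MH_MAGIC) and byte-swapped (MH_CIGAM) form.
# The 64-bit variants end in 0xcf and are deliberately not matched here.
MACHO32_MAGICS = {b'\xfe\xed\xfa\xce', b'\xce\xfa\xed\xfe'}


def is_macho32(data: bytes) -> bool:
    """True if the first four bytes identify a 32-bit Mach-O file."""
    return data[:4] in MACHO32_MAGICS
```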


The researchers added that the backdoor contains a function named infoClient, which collects information about the operating system and sends it to a remote C&C server before receiving further commands from that server. Another function, named runHandle, provides the remaining backdoor capabilities, such as downloading and executing files or running command-line programs in the terminal.


The researchers described in detail the process the hackers use to plant such backdoors on MacOS systems, and warned that even though attacks targeting Mac devices are not as common as those on Windows or Linux systems, users must adopt best practices to defend against threats distributed via phishing emails.

This article originally appeared at scmagazineuk.com
