Vietnamese hacking group, OceanLotus, targets MacOS users with new malware

Hey, guys! How y’all doing today? Hope everyone is fine and well. 

Today, we’re going to cover an imminent danger that all macOS users could be faced with. Thanks to the Vietnamese threat actor group called OceanLotus, macOS users are being targeted with a new malware that’s being deployed online. Researchers found that this new malware variant installs backdoors on target systems to steal sensitive data and credentials. 


A little bit about OceanLotus 

Trend Micro’s researchers believe that OceanLotus, otherwise known as APT32, is the mastermind behind this campaign. This is due to “similarities in dynamic behavior and code” with previous samples collected from the group.

OceanLotus is known to target foreign organizations working in Vietnam across various industries, including media, research and construction. Although it’s unclear what motivates the hacking group’s notorious activities, it is believed that OceanLotus conducts espionage on foreign firms to help Vietnamese-owned companies.

What is OceanLotus’s attack pattern?

It all begins with a phishing email. 

This email tries to trick a user into running a Zip file disguised as a Word document, which evades detection by antivirus software through the use of special characters in its name. It’s easy for macOS users to figure out something funny is going on when the Word document doesn’t open after they’ve clicked on the email attachment.

However, by this time, the initial payload is already changing file permissions to make way for the second-stage payload. The second-stage payload’s job is to prompt the user to install a third and final payload. The third-stage payload then downloads the backdoor onto the user’s system.
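For defenders, the first stage above (a Zip archive whose name is dressed up as a Word document with special characters) is the easiest link in the chain to catch at the mail gateway. The following triage script is an added example written for this post, not Trend Micro’s or OceanLotus’s code; it assumes the “special characters” are invisible Unicode format or control characters (such as zero-width spaces or bidi overrides), which is an assumption, and it tells a bare ZIP apart from a genuine .docx (itself a ZIP) by the `[Content_Types].xml` entry every OOXML package carries.

```python
import io
import unicodedata
import zipfile

WORD_EXTENSIONS = (".doc", ".docx")

def hidden_chars(name):
    """Invisible/format (Cf) or control (Cc) code points in a filename,
    e.g. zero-width spaces or bidi overrides used to disguise the real extension."""
    return [c for c in name if unicodedata.category(c) in ("Cf", "Cc")]

def named_like_word_doc(name):
    """Check the extension on the *visible* name, so hidden characters can't defeat it."""
    visible = "".join(c for c in name if unicodedata.category(c) not in ("Cf", "Cc"))
    return visible.lower().endswith(WORD_EXTENSIONS)

def is_plain_zip(data):
    """True for a ZIP archive that is NOT an OOXML package: a real .docx is a ZIP too,
    but always has [Content_Types].xml at its root."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "[Content_Types].xml" not in zf.namelist()
    except zipfile.BadZipFile:
        return False

def triage_attachment(name, data):
    """Return the reasons an attachment deserves a closer look (empty list if none)."""
    reasons = []
    hidden = hidden_chars(name)
    if hidden:
        reasons.append("hidden characters in name: " + " ".join(f"U+{ord(c):04X}" for c in hidden))
    if named_like_word_doc(name) and is_plain_zip(data):
        reasons.append("named like a Word document but is a plain ZIP archive")
    return reasons

def make_zip(entries):
    """Build an in-memory ZIP from {name: bytes} (used only for constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, b in entries.items():
            zf.writestr(n, b)
    return buf.getvalue()

# Constructed samples: a lure whose name hides a zero-width space and is a bare ZIP holding
# an app bundle, and a minimal genuine .docx (OOXML package) that must not be flagged.
LURE_NAME = "Meeting notes\u200b.docx"
LURE_DATA = make_zip({"notes.app/Contents/Info.plist": b"<plist/>"})
REAL_DOCX = make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"})

if __name__ == "__main__":
    for label, name, data in (("lure", LURE_NAME, LURE_DATA), ("real", "Meeting notes.docx", REAL_DOCX)):
        print(label, triage_attachment(name, data) or "clean")
```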

What did Trend Micro discover?

Upon analysis, Trend Micro discovered that, just like its predecessor versions, this new OceanLotus malware variant collects system information and creates a backdoor that allows the group to spy on a user and download files from their system. It can also upload additional malicious software to the infected system. Worryingly, Trend Micro suspects that the malware is still being actively developed by the threat actor.

How do macOS users stay safe from this malware?

Don’t click on links or download email attachments from emails sent by unknown sources!

At the same time, Trend Micro urges macOS users to apply the latest security patches to stop OceanLotus and other hacking groups from exploiting known vulnerabilities.

That’s it for today’s blog, y’all! Feel free to drop comments and share this blog if you found it useful.

Stay safe and stay tuned. 

Until next time, friends!

Credits: TechRadar Pro