Vietnamese Malware Campaign by OceanLotus Targeting Macs

A new version of a previously known macOS backdoor has been spotted in the wild by security researchers, who attribute it to the Vietnamese threat actor known as OceanLotus.

Trend Micro published a report on the updated backdoor. Like most malware of this kind, it lets the operators snoop around the compromised system and exfiltrate information, including sensitive and personally identifiable data.

The distribution method in this campaign is a common one: emails carrying a malicious attachment. The attachment poses as a Microsoft Word document but is really an archive, and what unpacks from it is a macOS application bundle. The payload is obfuscated and evades some detection methods by including non-standard characters in the name of that app bundle, so the name a user sees in a file listing does not match what the file system actually holds.
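As an added illustration, not code from the Trend Micro report or from this article, the following Python triage script checks an attachment matching the description above: it lists the zip entries, recognises the Contents/MacOS layout of a macOS application bundle, checks whether the bundle's visible name ends in a document extension, and reports invisible or format characters hidden in the name. The archive layout, file names and the trailing zero-width space used below are constructed for the example and are not the campaign's real indicators.

```python
import io
import re
import unicodedata
import zipfile

# Extensions a recipient expects to open as a document, not as an application.
DOC_EXT = re.compile(r"\.(docx?|xlsx?|pptx?|pdf|rtf)$", re.IGNORECASE)
# Paths that only exist inside a macOS application bundle.
BUNDLE_MARKERS = ("/Contents/MacOS/", "/Contents/Info.plist")
# Unicode categories with no visible glyph: controls, format chars (zero-width
# space, bidi overrides), unassigned, private-use, surrogates, line/para seps.
# Letters of any script are deliberately NOT flagged: legitimate Vietnamese
# file names carry non-ASCII letters, and macOS stores names in NFD form.
INVISIBLE_CATS = {"Cc", "Cf", "Cn", "Co", "Cs", "Zl", "Zp"}


def _is_hidden(ch: str) -> bool:
    cat = unicodedata.category(ch)
    return cat in INVISIBLE_CATS or (cat == "Zs" and ch != " ")


def suspicious_chars(name: str) -> list:
    """Code points in a file name that render as nothing (or as an ordinary
    space) but change the name the file system actually stores."""
    return [f"U+{ord(ch):04X} ({unicodedata.category(ch)})"
            for ch in name if _is_hidden(ch)]


def inspect_archive(data: bytes) -> list:
    """Static triage of a zip attachment. Returns human-readable findings;
    an empty list means nothing in this checklist fired."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()

    findings = []
    bundles = set()
    for n in names:
        for marker in BUNDLE_MARKERS:
            if marker in n:
                # Directory holding Contents/ is the bundle; keep its leaf name.
                bundles.add(n.split(marker, 1)[0].rsplit("/", 1)[-1])

    for leaf in sorted(bundles):
        # What the user perceives: the name with hidden characters removed.
        visible = "".join(ch for ch in leaf if not _is_hidden(ch))
        if DOC_EXT.search(visible.strip()):
            findings.append(f"app bundle disguised as document: {ascii(leaf)}")
        else:
            findings.append(f"app bundle inside archive: {ascii(leaf)}")
        odd = suspicious_chars(leaf)
        if odd:
            findings.append(f"non-standard characters in bundle name: {', '.join(odd)}")

    # Top-level entries that are not bundles still get the character check.
    for leaf in sorted({n.split("/", 1)[0] for n in names} - bundles):
        odd = suspicious_chars(leaf)
        if odd:
            findings.append(f"non-standard characters in entry name {ascii(leaf)}: {', '.join(odd)}")
    return findings


def make_bundle_zip(bundle_name: str) -> bytes:
    """Constructed test archive with the layout the article describes: an
    attachment that unpacks to an app bundle. Invented contents, not a sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"{bundle_name}/Contents/Info.plist", '<plist version="1.0"/>')
        zf.writestr(f"{bundle_name}/Contents/MacOS/Document", "#!/bin/sh\necho stage1\n")
    return buf.getvalue()


def make_document_zip(doc_name: str) -> bytes:
    """Constructed benign archive: a single (fake) document, no bundle."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(doc_name, b"fake docx body (constructed)")
    return buf.getvalue()


# Constructed lookalike: the user sees "Report 2021.doc"; the trailing
# zero-width space (U+200B) is invisible in most file listings.
LOOKALIKE = make_bundle_zip("Report 2021.doc\u200b")
BENIGN = make_document_zip("Report 2021.docx")

if __name__ == "__main__":
    for label, blob in (("lookalike", LOOKALIKE), ("benign", BENIGN)):
        print(label, inspect_archive(blob) or ["no findings"])
```

The checks are heuristics for mail-gateway or sandbox triage, not a verdict: a bundle that passes them still needs dynamic analysis, and a flagged one may be a legitimate installer. The hidden-character list is restricted to non-printing categories so that ordinary Vietnamese file names, which are exactly what a target in this campaign would receive, do not produce false positives.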

The infection is multi-stage: several payloads run in sequence to quietly install a backdoor on the target system. Once the backdoor is set up, the operators can collect information about the system, exfiltrate files from it, and upload additional malware to it, which is what makes this kind of backdoor especially dangerous.

Researchers believe the new version of the backdoor is tied to the threat actor known as OceanLotus, also tracked as APT32, a group thought to be state-sponsored and operating from inside Vietnam. Its primary targets are foreign companies doing business in Vietnam, and the presumed goal is cyber espionage.

The good news is that the malware is unlikely to affect the overwhelming majority of Mac users: it appears to have been built for targeted attacks against users and networks in Vietnam, so the wider population is very likely safe from this particular backdoor. Targeted does not mean harmless for those in scope, though, and the delivery technique itself, an archive dressed up as a Word file, works anywhere.

May 24, 2021