OSX_OCEANLOTUS.D

Malware & Tools · OSX_OCEANLOTUS.D

· MalwareS0352 · Zararlı Yazılım

Type

malware

Techniques

Used By

1 groups

Platforms

macOS

Description

OSX_OCEANLOTUS.D is a macOS backdoor used by APT32. First discovered in 2015, APT32 has continued to make improvements using a plugin architecture to extend capabilities, specifically using `.dylib` files. OSX_OCEANLOTUS.D can also determine it's permission level and execute according to access type (`root` or `user`).(Citation: Unit42 OceanLotus 2017)(Citation: TrendMicro MacOS April 2018)(Citation: Trend Micro MacOS Backdoor November 2020)

Tactic Coverage

stealth (9)command and control (6)execution (4)collection (3)discovery (3)defense impairment (2)persistence (2)privilege escalation (2)

Used By (1 groups)

G0050APT32SeaLotus, OceanLotus

Techniques (28)

T1005Data from Local System

collection

T1016System Network Configuration Discovery

discovery

T1027.002Software Packing

stealth

T1027.013Encrypted/Encoded File

stealth

T1036.004Masquerade Task or Service

stealth

T1036.008Masquerade File Type

stealth

T1059.001PowerShell

References

https://attack.mitre.org/software/S0352 https://unit42.paloaltonetworks.com/unit42-new-improved-macos-backdoor-oceanlotus/https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html