A newly discovered form of malware is targeting Apple MacOS users in a campaign that researchers say is tied to a nation-state-backed hacking operation.
The campaign has been detailed by cybersecurity analysts at Trend Micro who’ve linked it to OceanLotus – also known as APT32 – a hacking group that is thought to have links to the Vietnamese government.
OceanLotus is known to target foreign organisations working in Vietnam, including media, research and construction, and while the motivation for this isn’t fully understood, the aim is thought to be using espionage to aid Vietnamese-owned companies.
The MacOS backdoor provides the attackers with a window into the compromised machine, enabling them to snoop on and steal confidential information and sensitive business documents.
The security company’s researchers have linked it to OceanLotus because of the similarities in code and behaviour of the malware, compared with samples used in previous campaigns by the group.
The attacks begin with phishing emails that attempt to encourage victims to run a Zip file disguised as a Word document. The file evades detection by antivirus scanners by using special characters deep inside a series of nested Zip folders.
The attack could potentially give itself away if users are paying attention because, when the malicious file is run, a Microsoft Word document doesn’t appear.
However, by this stage an initial payload is already running on the machine: it changes access permissions in order to load a second-stage payload, which then prompts the installation of a third-stage payload that downloads the backdoor onto the system. By installing the malware across different stages like this, OceanLotus aims to evade detection.
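As an added illustration that is not part of the article or Trend Micro’s research, the following Python scanner walks a zip archive as a mail gateway or triage script might: it descends into nested archives, flags entry names that contain control or format characters (the kind that can hide a file’s real extension in a listing), and flags entries whose content starts with a Mach-O executable header despite a document-like name. The sample archive, its filenames and the zero-width character are constructed for the demonstration.

```python
import io
import unicodedata
import zipfile

# Mach-O magic values (32/64-bit, both byte orders, and the universal "fat" header).
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}


def special_chars(name):
    """Control (Cc) or format (Cf) characters, such as zero-width or bidi
    overrides, that can hide an entry's real extension in a file listing."""
    return [c for c in name if unicodedata.category(c) in ("Cc", "Cf")]


def scan_zip(data, depth=0, max_depth=5, path=""):
    """Return (finding, entry-path) tuples for a zip given as bytes, descending
    into nested archives up to max_depth levels."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            full = f"{path}/{info.filename}" if path else info.filename
            if special_chars(info.filename):
                findings.append(("special-char-name", full))
            content = zf.read(info)
            if content[:4] in MACHO_MAGICS:
                findings.append(("mach-o-binary", full))  # executable, not a document
            elif content[:2] == b"PK" and depth < max_depth:
                findings.append(("nested-zip", full))
                findings.extend(scan_zip(content, depth + 1, max_depth, full))
    return findings


def build_sample():
    """Constructed lure: an outer zip wrapping an inner zip whose only entry is named
    like a Word file but ends in a zero-width space and starts with a Mach-O magic."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Contract.doc\u200b", b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Contract.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for kind, entry in scan_zip(build_sample()):
        print(f"{kind:18} {entry!r}")
```

Run against a real attachment, the same three findings together (nested archive, special character in the name, executable content behind a document extension) are a strong signal to quarantine the file rather than deliver it.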
Like older versions of the malware, this attack aims to collect system information and creates a backdoor allowing the hackers to snoop on and download files, as well as upload additional malicious software to the system if required. It’s thought that the malware is still actively being developed.
“Threat groups such as OceanLotus are actively updating malware variants in attempts to evade detection and improve persistence,” wrote researchers.
To help avoid falling victim to this and other malware campaigns, Trend Micro urges users to be cautious about clicking links or downloading attachments from emails coming from suspicious or unknown sources.
It’s also recommended that organisations apply security patches and other updates to software and operating systems, so that malware can’t exploit known vulnerabilities for which fixes already exist.