Cyber threats are increasingly targeting macOS users and new research from Trend Micro has discovered that a new malware variant is currently being deployed online by a nation-state-backed hacking operation.
The firm’s security researchers believe that the Vietnamese hacking group OceanLotus, known as APT32, is behind this new malware campaign due to “similarities in dynamic behavior and code” with previous samples collected from the group.
In the past, OceanLotus has targeted foreign organizations working in Vietnam from a variety of different industries including media, research and construction. While the group’s motivations aren’t entirely clear, it is believed that the group conducts espionage on foreign firms to help Vietnamese-owned companies.
The backdoor recently discovered by Trend Micro allows OceanLotus to spy on compromised machines and steal confidential information and sensitive business documents from macOS users.
The recent series of attacks launched by the OceanLotus group begin with a phishing email that tries to encourage users to run a Zip file disguised as a Word document which is capable of avoiding detection by antivirus software through the use of special characters.
The attack could be discovered by users who realize that a Microsoft Word document doesn’t open when they click on the email’s attachment. However, by this time, the initial payload is already in the process of changing access permissions in order to load a second-stage payload that prompts a user to install a third and final payload. This third-stage payload then downloads the backdoor onto a user’s system.
Just like older versions of OceanLotus’ malware, this new variant tries to collect system information and create a backdoor that allows the group to spy on a user and download files from their system. The malware can also be used to upload additional malicious software to the system if required and Trend Micro believes that the malware is still actively being developed by the group.
In order to prevent falling victim to this latest campaign, Trend Micro recommends that macOS users remain vigilant when it comes to clicking on links or downloading attachments from emails sent by unknown sources. At the same time, users should apply the latest security patches to prevent OceanLotus and other hacking groups from exploiting known vulnerabilities.