OceanLotus malware for Mac allows you to spy on Apple customers

Information security experts have detected a new variant of malware targeting MacOS users in a hacking campaign potentially sponsored by a state actor. Trend Micro researchers claim that the campaign is related to OceanLotus, a hacking group also identified as APT32, associated with the Government of Vietnam.

OceanLotus’ main objectives are foreign organizations operating in Vietnamese territory, including media, research firms, construction companies, among others. Experts believe hackers are deploying complex espionage efforts to favor national companies.

According to reports, this campaign abuses a backdoor on macOS that provides malicious hackers with an entry point to compromised systems. Once inside the hackers start spying to steal login credentials, confidential documents and any other records that may be useful to them.

Experts believe this campaign is linked to OceanLotus due to similarities in operation mode with previously recorded attacks. These campaigns begin with a phishing email that includes a ZIP file disguised as a Word document. Threat actors bypass antivirus mechanisms using some special characters inside multiple ZIP folders.

Although victims could infer that they are under attack by not finding any Word documents it will already be too late, since by then a payload will already be running on their systems, resulting in the download and installation of the backdoor.

Like previous versions of this attack, OceanLotus aims to collect system information and create a backdoor for threat actors to spy on and download files, as well as upload additional malware variants to the system if necessary.

Finally, specialists suggest that hackers constantly update the code of this malware: “Hacking groups like OceanLotus actively update the malware variants developed in an attempt to evade detection and improve persistence,” they say in their report.