First observed in May 2015, OceanLotus targets systems running MacOS X. It is packaged as an application bundle masquerading as an Adobe Flash Player update. It has anti-debugging capabilities, handles the connection to C2 servers, and takes advantage of OS X-specific commands and API calls. Most of the binary's strings are XOR encrypted, and the binary uses multiple keys, all of which are themselves XOR encrypted. OceanLotus maintains persistence by setting up a Launch Agent, which runs at user login. It establishes connections to several C2 servers in order to receive commands and payloads. It pings the C2 every minute and gathers the following information about the system and user:
- Product Name and Version
- Machine Name
- User permissions (root access?)
- User's name
- MD5 hash of the IOPlatformUUID, or combination of username and machine name
OceanLotus can perform the following functions:
- Update the /Library/Hash/.Hashtag/.hash file
- Update or read the /Library/Parallels/.cfg file
- Automatically download files from a URL
- Unzip and open a zipped application bundle, run an executable file, or execute code from a dynamic library
- Kill a process
- Delete a file or path
- Shutdown the C2 connection
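The Launch Agent persistence and the two on-disk files named above are the artifacts a responder can check for directly. The following host-check script is an added example, not code from the profile or from any vendor report: the two indicator paths are taken from the profile, the LaunchAgents directories are the standard macOS locations, and the "trusted prefix" heuristic for deciding which agent program paths look out of place is an assumption of this example.

```shell
#!/bin/sh
# Added host-check example, not code from the profile or any vendor report.
# The two indicator paths come from the profile; the LaunchAgents directories
# are the standard macOS locations; the "trusted prefix" heuristic is ours.
# $1 is a root prefix ("" for the live system, or a mounted image / test tree).

# Files the profile says the implant updates or reads.
OCEANLOTUS_FILES="/Library/Hash/.Hashtag/.hash /Library/Parallels/.cfg"

# Print each indicator file present under prefix $1.
# Returns 0 when none are present, 1 when at least one is.
check_indicator_files() {
  prefix="${1%/}"
  found=0
  for f in $OCEANLOTUS_FILES; do
    if [ -e "$prefix$f" ]; then
      echo "INDICATOR: $prefix$f"
      found=1
    fi
  done
  return $found
}

# Print Launch Agent plists (system-wide and per-user) whose first
# ProgramArguments entry lives outside the usual OS/application paths;
# a fake "Flash updater" agent launched from a user-writable directory shows here.
list_suspicious_launch_agents() {
  prefix="${1%/}"
  for dir in "$prefix/Library/LaunchAgents" "$prefix"/Users/*/Library/LaunchAgents; do
    [ -d "$dir" ] || continue
    for plist in "$dir"/*.plist; do
      [ -f "$plist" ] || continue
      # XML plist assumed; binary plists need `plutil -convert xml1` first.
      prog=$(grep -A2 '<key>ProgramArguments</key>' "$plist" \
             | grep -o '<string>[^<]*</string>' | head -n 1 | sed 's/<[^>]*>//g')
      [ -n "$prog" ] || continue
      case "$prog" in
        /usr/*|/bin/*|/sbin/*|/System/*|/Applications/*) ;;
        *) echo "SUSPECT: $plist -> $prog" ;;
      esac
    done
  done
}

# Usage on a live Mac (needs read access to every user's LaunchAgents):
#   check_indicator_files ""; list_suspicious_launch_agents ""
```

A hit from either function is a lead to triage, not proof of infection: legitimate software also installs Launch Agents under user home directories.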
A separate OceanLotus variant discovered in June 2017 is distributed via a ZIP file, likely sent as an attachment in an email. The ZIP file contains what appears to be a document with a Microsoft Word icon, but it is actually an application bundle containing executable code. Once the user opens the supposed Word document, the trojan executes and launches Word to display a decoy document while the malware continues to run. The majority of victims are located in Vietnam. Apple has already issued an update to protect systems running MacOS X from this threat.
- June 2017: A new OceanLotus variant is distributed via a ZIP file, likely sent as an attachment in an email. The majority of victims are located in Vietnam. Apple has already issued an update to protect systems running MacOS X from this threat. (Palo Alto Networks)
- AlienVault provides technical details on OceanLotus.
- Palo Alto Networks provides technical details of the June 2017 variant of OceanLotus.