OceanLotus.D

OceanLotus.D is a MacOS backdoor distributed via malicious word documents targeting MacOS systems in Vietnam and written in the Perl programming language. This malware is believed to be the latest of threats used by OceanLotus (APT 32) who was responsible for targeted attacks against human rights organizations, media organizations, research institutions, and maritime construction firms. In 2017, a MacOS malware of the same name, OceanLotus, was distributed by the APT group via emails attached with malicious ZIP file containing the malware. OceanLotus.D is again distributed via email but with a malicious word document attached, claiming to be a registration form for an event with HDMC, an organization in Vietnam that advertises national independence and democracy. When the victim attempts to open the attachment, they are instructed to enable macros and, if enabled, will allow the dropper to install the backdoor onto the system. The backdoor has primarily two components – infoClient, which is responsible for collecting OS info and sending it back to the C2 servers, and runHandle, which is responsible for all of the backdoor capabilities. 

 OceanLotus.D Commands

OceanLotus.D Commands

Technical Details

  • TrendMicro provides technical details on OceanLotus.D, here.