The APT attacks based on the OceanLotus focused on government organizations, research institutes, maritime agencies, and companies specializing in other activities.
At the time were found four different versions of the Trojan, and one of them was specifically designed to target OS X systems.
AlienVault analyzed two of these samples available for OS X (one of them being probably an early version). A more recent variant was analyzed and was updated to Virustotal on February 8 and had a zero detection rate, at the time I was writing this post the OceanLotus malware was detected by 11 / 55 antivirus solutions, including ESET-NOD32, Ikarus, F-Secure and Bitdefender.
As the title of the article says, the Trojan is disguised as an Abode Flash Player update.
The developers of the Trojan used a XOR encryption because with this technique its more difficult to detected. The commands used by the API shows that developers are familiar with OS X commands, and this makes sense because OnceanLotus has a specific version of OS X.
When a system is infected, OnceanLotus prepares an agent to attempt to contact his command and control (C&C) servers. When getting a connection with the C&C servers, the Trojan will collect information from the infected system, including device name, username, and a unique ID, and determines if the victim has root privileges.
The malware has the capability to perform many tasks, like opening application bundles, returning information about a file or path, getting a list of recently opened documents, obtaining information on active windows, capturing screenshots, downloading files from a URL, executing files, killing a process, and deleting files.
“The OS X version of OceanLotus is clearly a mature piece of malware that is written specifically for OS X. The use of OS X specific commands and APIs is evidence that the authors are intimately familiar with the operating system and have spent quite a bit of time customizing it for the OS X environment. Similar to other advanced malware, the use of obfuscation and indirection within the binary are an indication that the authors want to protect their work, make it difficult for others to reverse engineer, and reduce detection rates. The fact that VirusTotal still shows a zero detection rate for this threat shows they are succeeding at the latter.” States the analysis published by Alien Vault.
I will also leave you here the Indicator of compromise ( IOC):
ROL3 encoded .en_icon: 9cf500e1149992baae53caee89df456de54689caf5a1bc25750eb22c5eca1cce
ROL3 decoded .en_icon: 3d974c08c6e376f40118c3c2fa0af87fdb9a6147c877ef0e16adad12ad0ee43a
ROL3 encoded .DS_Stores: 4c59c448c3991bd4c6d5a9534835a05dc00b1b6032f89ffdd4a9c294d0184e3b
ROL3 decoded .DS_Stores: 987680637f31c3fc75c5d2796af84c852f546d654def35901675784fffc07e5d
Another older variant that only communicates with the unencrypted C2
/Library/.SystemPreferences/.prev/.ver.txt or ~/Library/.SystemPreferences/.prev/.ver.txt
/Library/Logs/.Logs/corevideosd or ~/Library/Logs/.Logs/corevideosd
/Library/LaunchAgents/com.google.plugins.plist or ~/Library/LaunchAgents/com.google.plugins.plist
/Library/Parallels/.cfg or /~Library/Parallels/.cfg
/tmp/crunzip.temp.XXXXXX (passed to mktemp(), so the actual file will vary)
/Library/Hash/.Hashtag/.hash (or ~/Library/Hash/.Hashtag/.hash)
About the Author Elsio Pinto
Edited by Pierluigi Paganini
(Security Affairs – OnceanLotus , APT)