Pierluigi Paganini February 18, 2016

In May 2015, the Chinese security firm Qihoo 360 published a report on a Trojan called OceanLotus that was being used since 2012 for APT attacks in the Chinese market.

The APT attacks based  on the OceanLotus focused on government organizations, research institutes, maritime agencies, and companies specializing in other activities.

At the time were found four different versions of the Trojan, and one of them was specifically designed to target OS X systems.

AlienVault analyzed two of these samples available for OS X (one of them being probably an early version). A more recent variant was analyzed and was updated to Virustotal on February 8 and had a zero detection rate, at the time I was writing this post the OceanLotus malware was detected by 11 / 55 antivirus solutions, including ESET-NOD32, Ikarus, F-Secure and Bitdefender.

As the title of the article says, the Trojan is disguised as an Abode Flash Player update.

The developers of the Trojan used a XOR encryption because with this technique its more difficult to detected. The commands used by the API shows that developers are familiar with OS X commands, and this makes sense because OnceanLotus has a specific version of OS X.

When a system is infected, OnceanLotus prepares an agent to attempt to contact his command and control (C&C) servers. When getting a connection with the C&C servers, the Trojan will collect information from the infected system, including device name, username, and a unique ID, and determines if the victim has root privileges.

The malware has the capability to perform many tasks, like opening application bundles, returning information about a file or path, getting a list of recently opened documents, obtaining information on active windows, capturing screenshots, downloading files from a URL, executing files, killing a process, and deleting files.

“The OS X version of OceanLotus is clearly a mature piece of malware that is written specifically for OS X. The use of OS X specific commands and APIs is evidence that the authors are intimately familiar with the operating system and have spent quite a bit of time customizing it for the OS X environment. Similar to other advanced malware, the use of obfuscation and indirection within the binary are an indication that the authors want to protect their work, make it difficult for others to reverse engineer, and reduce detection rates. The fact that VirusTotal still shows a zero detection rate for this threat shows they are succeeding at the latter.” States the analysis published by Alien Vault.

I will also leave you here the Indicator of compromise ( IOC):

Hashes:

ROL3 encoded .en_icon: 9cf500e1149992baae53caee89df456de54689caf5a1bc25750eb22c5eca1cce

ROL3 decoded .en_icon: 3d974c08c6e376f40118c3c2fa0af87fdb9a6147c877ef0e16adad12ad0ee43a

ROL3 encoded .DS_Stores: 4c59c448c3991bd4c6d5a9534835a05dc00b1b6032f89ffdd4a9c294d0184e3b

ROL3 decoded .DS_Stores: 987680637f31c3fc75c5d2796af84c852f546d654def35901675784fffc07e5d

EmptyApplication: 12f941f43b5aba416cbccabf71bce2488a7e642b90a3a1cb0e4c75525abb2888

App bundle

83cd03d4190ad7dd122de96d2cc1e29642ffc34c2a836dbc0e1b03e3b3b55cff

Another older variant that only communicates with the unencrypted C2

a3b568fe2154305b3caa1d9a3c42360eacfc13335aee10ac50ef4598e33eea07

C2s:

kiifd[.]pozon7[.]net

shop[.]ownpro[.]net

pad[.]werzo[.]net

Dropped Files:

/Library/.SystemPreferences/.prev/.ver.txt or ~/Library/.SystemPreferences/.prev/.ver.txt

/Library/Logs/.Logs/corevideosd or ~/Library/Logs/.Logs/corevideosd

/Library/LaunchAgents/com.google.plugins.plist or ~/Library/LaunchAgents/com.google.plugins.plist

/Library/Parallels/.cfg or /~Library/Parallels/.cfg

/tmp/crunzip.temp.XXXXXX (passed to mktemp(), so the actual file will vary)

~/Library/Preferences/.fDTYuRs

/Library/Hash/.Hashtag/.hash (or ~/Library/Hash/.Hashtag/.hash)

About the Author Elsio Pinto

Edited by Pierluigi Paganini

(Security Affairs – OnceanLotus , APT)

[adrotate banner=”5″]

[adrotate banner=”13″]