CyberWire Daily - New MacOS backdoor linked to OceanLotus. [Research Saturday]

Episode Date: April 28, 2018

Researchers at Trend Micro recently discovered a backdoor targeting MacOS users that they believe is the work of the OceanLotus threat group, an organization previously thought to have launched targeted attacks against human rights organizations, media organizations, research institutes, and maritime construction firms. Mark Nunnikhoven is VP of Cloud Research at Trend Micro, and he explains what they've learned. https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life Thank you. JoinDeleteMe.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout. That's JoinDeleteMe.com slash N2K, code N2K. Hello, everyone, and welcome to the CyberWire's Research Saturday.
Starting point is 00:01:36 I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. And now, a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs
Starting point is 00:02:20 that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context. Simplifying security management with AI-powered automation. And detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI.
Starting point is 00:03:04 Learn more at zscaler.com slash security. Trend Micro Research runs a number of ingest activities. That's Mark Nunnikhoven. He's the Vice President of Cloud Research at Trend Micro. The research we're discussing today is titled New macOS Backdoor Linked to Ocean Lotus Found. So we get product alerts. So when a Trend Micro product is detected, new malware, it sends it up. We run joint research with other academic researchers. We have agreements with law enforcement, with a number of different areas around the world to try to pull in as much threat intelligence as
Starting point is 00:03:50 we can. And as a result of that, we see new samples like this particular document and backdoor for macOS pop up on our radar. So let's walk through this one. How does it work? How does one find it on their system? This comes through and it's starting off as a malicious Word document. So we see this quite common in that a Word document is downloaded most commonly through email. And as soon as the user opens up this Word document, it has this red screen with a big warning that says, you need to activate, you know, compatibility mode to make sure that your version of Word can read this document. And of course, to enable compatibility mode, you have to run a macro and that's an embedded piece of code that's in this document. And in this case, it's malicious code. So we're supposing that probably this Word document came through a
Starting point is 00:04:50 phishing attack to start? Yeah, yeah. We see, based on our research numbers, depending on the month, we see anywhere from about 85 to 92% of all attacks are starting through phishing. It is the number one vector to kick off an attack by far. And it's interesting, in your research, you published a screen grab of this alert, and it really is innocuous. I mean, it makes you think that, oh, it's just an older version, nothing to see here, just something procedural and move on. Yeah, and I wish I had better news on that front, but cybercriminals are very, very good at researching what works for a hook, what works in a user interface so that you don't think twice.
Starting point is 00:05:32 It's not uncommon for people to receive documents that have either compatibility issues or need additional functions like macros enabled in a business setting. So they're designing this to be a blip on the radar, if that. Ideally, it's something you don't think twice about. You just click and go. They hook you and you enable your macros. So what happens next? In the document, in this macro is a whole bunch of obfuscated code. So they've tried to make this code very hard to detect. But when you unpack it all, it ends up being a very simple Perl script. Now, Perl is still installed by default on everyone's Mac OS.
Starting point is 00:06:09 So it's a safe way for an attacker to send a set of system commands. And these commands are designed to install the backdoor. So this is what we call a dropper. This is the code. It executes as Perl script, detecting whether or not it has root access or if it just got normal user permissions. And then it tries to dig into the system as much as it can and hide its tracks. And so let's walk through that. What exactly does it do? How does it hide itself? So the way it starts off is by doing that permissions detection, writing a couple files locally so that it can start to execute. And then once it's in there, it starts to walk through, sort of feel itself out.
Starting point is 00:06:59 So it's launched, the dropper has launched itself and it looks to persist is its first thing. So it's looking to set up a startup, a launch daemon or a launch agent so that if you reboot your system, that it'll come right back online. So that's step one is persistence. It wants to make sure if it's doing this hard work that it can continue to be on the system as it goes. And it doesn't need root access to do that? No. So within macOS, you've got two layers, like in pretty much any Unix-type system. There's multiple layers of persistence. You can have things at a system level that restart. You can also have things specifically in your user account that restart.
Starting point is 00:07:34 If you go through user preferences as a Mac user, you can look at what's called login items, and those boot up every time. It's not uncommon for tools, something as simple as Skype, like we're using now, or Spotify, to set itself to load at your preference on reboot. And this is a functionality that the attacker's taking advantage of. Obviously, they'd prefer the system level load, but if they can only get user, that's what they'll take. I see. So the code within the dropper, the strings within the dropper, they're encrypting those, yes? Yes. So when the strings that start within the dropper, they're in the Word document, they're obfuscated. So they're not necessarily encrypted.
Starting point is 00:08:17 They're just hidden from detection so that if your email gateway is looking for malware, it might not find it because they literally encode every single character in that Perl script differently. They set it up separately. So you have to reassemble it. Once it's established and once the dropper has gotten the malware in the back door in place, then it actually generates a unique encryption key so that your infected system and the attacker's back end can have private and secure communications. This dropper is installed. Where do we go from here? Yeah, once the dropper is installed, then it pulls down its main implant. So the idea of the dropper is to bridge that Word document into the actual malware. So the dropper does the installation, it sets things up, and then
Starting point is 00:09:05 it downloads the malware tool. Now, the malware tool is pretty straightforward. It's basically a remote access tool. So this allows the attacker to look at basic system properties that you have running on your system. So it profiles your system, and it also allows the attacker to run commands on your system, and that's by far the most important piece. But that first piece of finding out who's running, whose system that is, is also really interesting. Is the suspicion that they want to find out who you are to see if you're worth taking any farther? You got it in one. That's absolutely it. So the group behind this malware, that's been attributed to this malware, has been tracked for quite a while. First activities were starting to pop up in 2013 and 2014. And a number of different security companies and research teams
Starting point is 00:09:57 have been looking at this attacker. They've gone under various names from Ocean Lotus to APT32. And they're generally politically motivated. So it's not uncommon for them to verify a target before going any further. And one of the big challenges we see in the Mac world is by default, if you have a single user or the first user on a Mac, when you enter your full name, that actually shows up as your Mac's name. So you'll see this sometimes if you're on a conference Wi-Fi or if you're on a hotel Wi-Fi, you'll see different people's Macs show up. So you'd see, you know, Mark Nunnikhoven's MacBook, because that's
Starting point is 00:10:37 the default. So the attacker actually gets that name right out of the gate with that initial profiling. So they can have a good idea of whether they want to continue to the next phase. So let's go into some of the technical details of this backdoor. What's going on with it? Yeah, and this is where it gets interesting in how simple it is. And this speaks to sort of the efficiency of attackers, is they tend not to build anything more than they need. And we've already seen with the initial macro in the Word document that they're comfortable with scripting in languages like
Starting point is 00:11:12 Perl, which again are enabled by default on macOS. So after this malware sets up its encryption key so that it has that unique and secure connection back to the command and control server for the attacker. It just allows them to run very simple commands on the remote system. So they've got it set up where they can do some basic scripting levels, things like, you know, get file sizes, download and execute a file or run a command in a terminal or remove a file and get some additional info or heartbeat. So to check to make sure the system is still online. And that doesn't sound like a lot of tools, but it actually enables quite a lot of functionality from the attacker's point of view.
Starting point is 00:11:54 What sort of functionality are we talking about here? Can you give us some examples? For sure, yeah. So the easiest and most obvious is that they can upload files from the infected Mac to the attacker. So if they know that there is a Word document or an Excel spreadsheet or something like that, they can upload that to themselves. So they can steal information directly off this system. The sort of innocuous one is the run a command in the terminal as well as download and execute a file. Now, as soon as they can run a command on the
Starting point is 00:12:25 terminal, they can run anything that's running locally on the Mac. And by default, we already have mentioned that Perl is running as a scripting language. Python is also available to them. So that means they can easily transfer small size programs that let them do anything as far as monitor the keyboard strokes if they wanted to. They can look at the screens, what's being displayed right there. They can search your drive. They can expand to see what kind of network you're connected to. They can use the computer like you can sitting in front of it.
Starting point is 00:12:58 And to be clear here, they can install and execute this software without requiring any sort of administrator authorization? Yeah, and they're going to run into the same challenges that you would as a user. If they try to do some protected commands, they will need to elevate the privileges. But since they already have the ability to run anything like a standard user, that means any other vulnerabilities that are out there for that version of Mac OS, they can exploit and escalate. But in a scenario like this, where there's a political motivation, a lot of the time we see the attackers don't actually require elevated privileges because what they're after
Starting point is 00:13:35 here is very much information. Normally, a cyber criminal will be after resources or something they can convert into money. So, you know, they'll try to either take your data to sell it in the underground or hold your data ransom to sell it back to you. Or lately, we've seen a huge burst in cryptocurrency mining where they're using your CPU to generate cryptocurrency for them. In this case, with a politically motivated attacker, they're normally looking for information. So if we, you know, put our bad guy hat on and looked at, you know, the Cyber Wire podcast, we'd be saying, you know, they're looking for upcoming interviews and contact information. They're looking for content schedules. They're looking for anything that's unique to your activities that they can leverage for their gain.
Starting point is 00:14:18 Hey, back off, man. I know. I said put my bad guy hat on. Fair enough. What sort of communications is going on between them and the command and control servers? Is there anything of note between those two points of contact? Yeah, so the interesting thing here is that because, and I keep saying that simply because it's a fascinating case in simplicity, I find. It's a highly effective, highly simple setup here. But because the attacker has set up an encrypted channel between the infected system and the back end, we can see the amount of traffic, but we can't necessarily pull out the specific actions that they're taking.
Starting point is 00:14:57 So we know there's a general heartbeat to ensure that the system's phoning home every once in a while and saying, hey, I'm still here. I'm infected. You can do stuff with me. But it really depends on the interactivity. This is not an automated system. So where we see ransomware as a highly automated crime, cryptojacking highly automated, this is a hands on attack. So there's very little general traffic until there's an attacker behind their keyboard, probing the system and running different commands on the system, and then you see an increase in encrypted traffic between the two. Now, in terms of folks protecting themselves against this,
Starting point is 00:15:33 is this something that a standard antivirus software installation would tend to detect? Eventually, yes. So the challenge here is sort of the mutation of this event, of this document, where they're getting that initial foothold. So it's a matter of, you know, are you ahead of the curve with your security tools versus the attacker? But really, there's a couple main areas you want to focus on. And that's the first one's always phishing. You need to do strong email protection. So that's using some security tools on the email gateway.
Starting point is 00:16:05 But that's also training users to question when they click on a link or attachment if they're prompted to take action. So in this case, you click on your attachment and it's prompting you to take action. It's saying, hey, it's not compatible. Enable macros. Well, don't. I know that's easy to say, but realistically, macros are something that can be useful. But if you're getting email documents that are prompting you continuously to use macros, more often than not, that's an attack. So it's a user education piece here, as well as with the security controls on the gateway. And of course, your standard antivirus and endpoint protection is going to help out. Now, this is a macOS specific instance here.
Starting point is 00:16:45 Have you tracked, is there a Windows equivalent or are they hitting that side as well? With this particular threat actor, with this group, we haven't seen a targeted Windows one yet, but we have seen that out in the wild. We've seen variations on this attack. We've seen very similar attacks where it's a Word document asking for additional content. We've seen PowerPoint documents that are asking you to click on links to load movies that are actually malicious attacks. But I think it's also telling in sort of the targeted nature of this attack that it is going after macOS. We know traditionally, and the norm here is for criminals to go for the biggest bang for
Starting point is 00:17:26 their buck, and based on market share and the type of data being used in corporate settings, Windows tends to be a better investment for a criminal. So the fact that they're going after Mac means that they know their target audience, their target set of victims, is predominantly Mac users, which is why they've customized this tool. Yeah, I mean, I think it's interesting. And I think it's fair to say that on the Mac side, a lot of Mac users sort of hold their heads high and consider themselves to be so much less vulnerable. But I think this points out that that might not be the case. Yeah, I think that's a fair statement. In general, Mac,
Starting point is 00:18:05 you know, there are differences in the way the OS is built around security and user access. But the history of Mac being, you know, giant quotes, less vulnerable is really one of economics. Criminals are in this for the money. They're going to go where they can make the most money, the easiest. And for the longest time, Windows and its variants have had the majority of corporate market share and the majority of home user market share, which is why that's where criminals were focusing their efforts. It was an easy return. Now that Mac is gaining in market share and in specific target audiences like this one, we do see Mac being exploited more and more frequently.
Starting point is 00:18:46 Now, it strikes me that this is a pretty targeted attack here. These folks know who they're going after. How do you think this research that you've done should inform those who are outside of that bullseye? How can they use this information to inform their general security approach? Yeah, I think if you're outside of this bullseye, it's a wake-up call that cyber criminals have shifted their tactics to one of luring you in either through phishing or through web site prompts to take an action that looks like something innocuous. So we're all inundated by warnings throughout the day of various things that, you know, you need to change. This browser is not supported or in this case, you know, this version of Word isn't supported.
Starting point is 00:19:34 And there's enough complexity around just using computers that cyber criminals have gotten wise to that. So I think the general advice to people is very much be aware when you're prompted to take an action that seems out of sequence. It should be an extremely rare event that your version of Word doesn't work with a document that you're sent. Word has only fractured the format once in the past 30 years, and you're sort of before that point or after that point. So it's rare that you should see these kind of prompts, even though it looks completely legitimate. So you should be aware of that as a user. And anytime you're asked to load different software or enable an additional feature or to log in again, we see that quite
Starting point is 00:20:19 often with web attacks where you click on a link and it'll say, log into your Gmail credentials again. That should raise the sort of spidey sense so that you should question what's really going on. Our thanks to Mark Nunnikhoven from Trend Micro for joining us. The research is titled, New macOS Backdoor Linked to Ocean Lotus Found. You can read it on the Trend Micro website. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total
Starting point is 00:21:11 control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. Thanks for listening.
