osx.oceanlotus

OceanLotus

Actor(s): APT32


According to PcRisk, research shows that the OceanLotus backdoor targets macOS computers. The criminals behind this backdoor have already used it to attack human rights and media organizations, research institutes, and maritime construction companies.

The OceanLotus backdoor is distributed via a fake Adobe Flash Player installer and via a malicious Word document (the document is most likely delivered through malspam emails).

References
2021-05-20 | Github (microsoft) | Microsoft
  Microsoft 365 Defender Hunting Queries for hunting multiple threat actors' TTPs and malwares
  Tags: STRRAT, OceanLotus, BabyShark, Elise, Revenge RAT, WastedLocker, Zebrocy
2021-02-24 | Github (AmnestyTech) | Amnesty International
  Overview of Ocean Lotus Samples used to target Vietnamese Human Rights Defenders
  Tags: OceanLotus, Cobalt Strike, KerrDown
2020-12-10 | Facebook | Mike Dvilyanski, Nathaniel Gleicher
  Taking Action Against Hackers in Bangladesh and Vietnam
  Tags: OceanLotus
2020-12-02 | SentinelOne | Phil Stokes
  APT32 Multi-stage macOS Trojan Innovates on Crimeware Scripting Technique
  Tags: OceanLotus
2020-11-27 | Trend Micro | Luis Magisa, Steven Du
  New MacOS Backdoor Connected to OceanLotus Surfaces
  Tags: OceanLotus, APT32
2019-10-08 | m4n0w4r
  A sample targeting a bank in Vietnam (original title in Vietnamese: Một sample nhắm vào Bank ở VN)
  Tags: OceanLotus
2019-04-09 | ESET Research | Romain Dumont
  OceanLotus: macOS malware update
  Tags: OceanLotus
2018-04-04 | Trend Micro | Jaromír Hořejší
  New MacOS Backdoor Linked to OceanLotus Found
  Tags: OceanLotus
2017-06-22 | Palo Alto Networks Unit 42 | Danny Tsechansky, Erye Hernandez
  The New and Improved macOS Backdoor from OceanLotus
  Tags: OceanLotus
2017-05-14 | FireEye | Nick Carr
  Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations
  Tags: OceanLotus, Cuegoe, KOMPROGO, SOUNDBITE, APT32
2016-02-17 | AT&T Cybersecurity | Eddie Lee
  OceanLotus for OS X – an Application Bundle Pretending to be an Adobe Flash Update
  Tags: OceanLotus
Yara Rules
[TLP:WHITE] osx_oceanlotus_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule osx_oceanlotus_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/osx.oceanlotus"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     *
     * Reading note: the listings below decode x86-64 code as 32-bit, so each
     * REX.W prefix (0x48) is shown as a separate "dec eax" and registers appear
     * as eax/ebp/edi rather than rax/rbp/rdi. The byte patterns are unaffected;
     * e.g. "48 8d78e8" is lea rdi, [rax - 0x18] and "48 3b3d ????????" is
     * cmp rdi, [rip + disp32].
     */


    strings:
        $sequence_0 = { 48 8b85f0feffff 48 8d78e8 48 3b3d???????? 7417 }
            // n = 7, score = 200
            //   48                   | dec                 eax
            //   8b85f0feffff         | mov                 eax, dword ptr [ebp - 0x110]
            //   48                   | dec                 eax
            //   8d78e8               | lea                 edi, [eax - 0x18]
            //   48                   | dec                 eax
            //   3b3d????????         |                     
            //   7417                 | je                  0x19

        $sequence_1 = { 8b85b8fdffff 48 8d78e8 48 3b3d???????? }
            // n = 5, score = 200
            //   8b85b8fdffff         | mov                 eax, dword ptr [ebp - 0x248]
            //   48                   | dec                 eax
            //   8d78e8               | lea                 edi, [eax - 0x18]
            //   48                   | dec                 eax
            //   3b3d????????         |                     

        $sequence_2 = { 48 8b85b8fdffff 48 8d78e8 48 }
            // n = 5, score = 200
            //   48                   | dec                 eax
            //   8b85b8fdffff         | mov                 eax, dword ptr [ebp - 0x248]
            //   48                   | dec                 eax
            //   8d78e8               | lea                 edi, [eax - 0x18]
            //   48                   | dec                 eax

        $sequence_3 = { 8b85b8fdffff 48 8d78e8 48 }
            // n = 4, score = 200
            //   8b85b8fdffff         | mov                 eax, dword ptr [ebp - 0x248]
            //   48                   | dec                 eax
            //   8d78e8               | lea                 edi, [eax - 0x18]
            //   48                   | dec                 eax

        $sequence_4 = { 8b85f0feffff 48 8d78e8 48 3b3d???????? 7417 }
            // n = 6, score = 200
            //   8b85f0feffff         | mov                 eax, dword ptr [ebp - 0x110]
            //   48                   | dec                 eax
            //   8d78e8               | lea                 edi, [eax - 0x18]
            //   48                   | dec                 eax
            //   3b3d????????         |                     
            //   7417                 | je                  0x19

        $sequence_5 = { e8???????? 48 8b85f8feffff 48 8d78e8 48 3b3d???????? }
            // n = 7, score = 200
            //   e8????????           |                     
            //   48                   | dec                 eax
            //   8b85f8feffff         | mov                 eax, dword ptr [ebp - 0x108]
            //   48                   | dec                 eax
            //   8d78e8               | lea                 edi, [eax - 0x18]
            //   48                   | dec                 eax
            //   3b3d????????         |                     

        $sequence_6 = { 89de e8???????? 48 8b8508ffffff 48 8d78e8 }
            // n = 6, score = 200
            //   89de                 | mov                 esi, ebx
            //   e8????????           |                     
            //   48                   | dec                 eax
            //   8b8508ffffff         | mov                 eax, dword ptr [ebp - 0xf8]
            //   48                   | dec                 eax
            //   8d78e8               | lea                 edi, [eax - 0x18]

        $sequence_7 = { e8???????? 48 8b85f8feffff 48 8d78e8 48 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   48                   | dec                 eax
            //   8b85f8feffff         | mov                 eax, dword ptr [ebp - 0x108]
            //   48                   | dec                 eax
            //   8d78e8               | lea                 edi, [eax - 0x18]
            //   48                   | dec                 eax

        $sequence_8 = { 48 89de e8???????? 48 8b8508ffffff 48 8d78e8 }
            // n = 7, score = 200
            //   48                   | dec                 eax
            //   89de                 | mov                 esi, ebx
            //   e8????????           |                     
            //   48                   | dec                 eax
            //   8b8508ffffff         | mov                 eax, dword ptr [ebp - 0xf8]
            //   48                   | dec                 eax
            //   8d78e8               | lea                 edi, [eax - 0x18]

        $sequence_9 = { 90 55 48 89e5 5d e9???????? }
            // n = 6, score = 200
            //   90                   | nop                 
            //   55                   | push                ebp
            //   48                   | dec                 eax
            //   89e5                 | mov                 ebp, esp
            //   5d                   | pop                 ebp
            //   e9????????           |                     

    condition:
        7 of them and filesize < 308528
}
[TLP:WHITE] osx_oceanlotus_w0   (20170519 | OceanLotus XOR decode function)
rule osx_oceanlotus_w0 {
    meta:
        author = "AlienVault Labs"
        type = "malware"
        description = "OceanLotus XOR decode function"
        source = "https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/osx.oceanlotus"
        malpedia_version = "20170519"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $xor_decode = { 89 D2 41 8A ?? ?? [0-1] 32 0? 88 ?? FF C2 [0-1] 39 ?A [0-1] 0F 43 D? 4? FF C? 48 FF C? [0-1] FF C? 75 E3 }
    condition:
        $xor_decode
}
[TLP:WHITE] osx_oceanlotus_w1   (20170519 | OceanLotus constants)
rule osx_oceanlotus_w1 {
    meta:
        author = "AlienVault Labs"
        type = "malware"
        description = "OceanLotus constants"
        source = "https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/osx.oceanlotus"
        malpedia_version = "20170519"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $c1 = { 3A 52 16 25 11 19 07 14 3D 08 0F }
        $c2 = { 0F 08 3D 14 07 19 11 25 16 52 3A }
    condition:
        any of them
}
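The three rules above are written as YARA hex strings. The Python below is an added example (it is not Malpedia's, yara-signator's or AlienVault's code) that translates that hex-string syntax (fixed bytes, nibble wildcards such as "0?", "?A" and "??", and jumps such as "[0-1]") into byte regexes and re-implements each rule's condition, so the patterns can be studied or sanity-checked on a host without yara-python. The function and constant names are the example's own, and the byte buffers it scans are constructed to satisfy the patterns; they are not OceanLotus sample bytes.

```python
"""Evaluate the YARA hex patterns on this page without yara-python.

Added example, not Malpedia's or AlienVault's code: YARA hex strings are
translated into Python byte regexes; alternation "( a | b )" is not used by
these rules and is rejected as unsupported.
"""
import re

# One YARA hex token: a jump "[n-m]" / "[n]", a byte "48" / "D?" / "??",
# or any other non-space character (unsupported syntax, reported as error).
_TOKEN = re.compile(r"\[(\d*)(-)?(\d*)\]|([0-9A-Fa-f?]{2})|(\S)")

def _byte_class(tok: str) -> bytes:
    """Regex fragment matching one byte token such as '48', 'D?' or '??'."""
    if tok == "??":
        return b"."
    if "?" not in tok:
        return b"\\x%02x" % int(tok, 16)
    hi, lo = tok
    # Enumerate the 16 bytes whose fixed nibble matches, e.g. '?A' -> 0A, 1A, ..., FA.
    hits = [v for v in range(256)
            if (hi == "?" or v >> 4 == int(hi, 16))
            and (lo == "?" or v & 0xF == int(lo, 16))]
    return b"[" + b"".join(b"\\x%02x" % v for v in hits) + b"]"

def hex_to_regex(pattern: str) -> re.Pattern:
    """Compile a YARA hex string such as '{ 48 8d78e8 [0-1] 3b3d???????? }'."""
    body = pattern.strip()
    if body.startswith("{") and body.endswith("}"):
        body = body[1:-1]
    parts = []
    for lo, dash, hi, byte, other in _TOKEN.findall(body):
        if byte:
            parts.append(_byte_class(byte))
        elif other:
            raise ValueError("unsupported hex-string syntax: %r" % other)
        elif dash:                      # [n-m] or [n-]  ->  .{n,m} / .{n,}
            parts.append(b".{%s,%s}" % (lo.encode(), hi.encode()))
        else:                           # [n]            ->  .{n}
            parts.append(b".{%s}" % lo.encode())
    return re.compile(b"".join(parts), re.DOTALL)

def find_all(data: bytes, pattern: str) -> list:
    """Offsets of every (non-overlapping) match of one hex pattern in data."""
    return [m.start() for m in hex_to_regex(pattern).finditer(data)]

# Strings copied from osx_oceanlotus_w0, osx_oceanlotus_w1 and osx_oceanlotus_auto.
XOR_DECODE = ("{ 89 D2 41 8A ?? ?? [0-1] 32 0? 88 ?? FF C2 [0-1] 39 ?A [0-1] "
              "0F 43 D? 4? FF C? 48 FF C? [0-1] FF C? 75 E3 }")
CONSTANTS = {"$c1": "{ 3A 52 16 25 11 19 07 14 3D 08 0F }",
             "$c2": "{ 0F 08 3D 14 07 19 11 25 16 52 3A }"}
AUTO_SEQUENCES = [
    "{ 48 8b85f0feffff 48 8d78e8 48 3b3d???????? 7417 }",
    "{ 8b85b8fdffff 48 8d78e8 48 3b3d???????? }",
    "{ 48 8b85b8fdffff 48 8d78e8 48 }",
    "{ 8b85b8fdffff 48 8d78e8 48 }",
    "{ 8b85f0feffff 48 8d78e8 48 3b3d???????? 7417 }",
    "{ e8???????? 48 8b85f8feffff 48 8d78e8 48 3b3d???????? }",
    "{ 89de e8???????? 48 8b8508ffffff 48 8d78e8 }",
    "{ e8???????? 48 8b85f8feffff 48 8d78e8 48 }",
    "{ 48 89de e8???????? 48 8b8508ffffff 48 8d78e8 }",
    "{ 90 55 48 89e5 5d e9???????? }",
]
AUTO_MAX_FILESIZE = 308528

def match_w0(data: bytes) -> bool:
    """osx_oceanlotus_w0 condition: '$xor_decode'."""
    return bool(find_all(data, XOR_DECODE))

def match_w1(data: bytes) -> bool:
    """osx_oceanlotus_w1 condition: 'any of them'."""
    return any(find_all(data, p) for p in CONSTANTS.values())

def count_auto(data: bytes) -> int:
    """Number of the ten $sequence_N strings present in data."""
    return sum(1 for p in AUTO_SEQUENCES if find_all(data, p))

def match_auto(data: bytes) -> bool:
    """osx_oceanlotus_auto condition: '7 of them and filesize < 308528'."""
    return count_auto(data) >= 7 and len(data) < AUTO_MAX_FILESIZE

# Constructed buffers that satisfy the patterns; they are NOT OceanLotus bytes.
XOR_LOOP_TIGHT = bytes.fromhex(          # every [0-1] jump left empty
    "89d2418a0c0a320b8808ffc239da0f43d149ffc148ffc0ffc375e3")
XOR_LOOP_PADDED = bytes.fromhex(         # every [0-1] jump filled with 0x41
    "89d2418a0c0a41320b8808ffc24139da410f43d149ffc148ffc041ffc375e3")
AUTO_CODE = bytes.fromhex(               # "????" wildcards filled with zero bytes
    "488b85f0feffff488d78e8483b3d000000007417"        # $sequence_0 / _4
    "488b85b8fdffff488d78e8483b3d00000000"            # $sequence_1 / _2 / _3
    "4889dee800000000488b8508ffffff488d78e8"          # $sequence_6 / _8
    "e800000000488b85f8feffff488d78e8483b3d00000000"  # $sequence_5 / _7
    "90554889e55de900000000")                         # $sequence_9
```

For real scanning use the rules with yara itself (for example "yara -s rules.yar sample"); the translation is for reading the patterns and for hosts where yara-python is unavailable. Two details worth noticing while tracing through it: the w0 pattern only matches because the "[0-1]" jumps let the regex absorb an optional prefix byte in front of four of the instructions, and the two w1 constants are the same eleven bytes in opposite order, so either byte order of that table in a binary fires the rule.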