osx.oceanlotus

OceanLotus

Actor(s): APT32


There is no description at this point.

References
2019-10-08m4n0w4r
@online{m4n0w4r:20191008:mt:a14c60d, author = {m4n0w4r}, title = {{Một sample nhắm vào Bank ở VN}}, date = {2019-10-08}, url = {https://tradahacking.vn/%C4%91%E1%BB%A3t-r%E1%BB%93i-t%C3%B4i-c%C3%B3-%C4%91%C4%83ng-m%E1%BB%99t-status-xin-d%E1%BA%A1o-tr%C3%AAn-fb-may-qu%C3%A1-c%C5%A9ng-c%C3%B3-v%C3%A0i-b%E1%BA%A1n-nhi%E1%BB%87t-t%C3%ACnh-g%E1%BB%ADi-cho-537b19ee3468}, language = {Vietnamese}, urldate = {2020-03-11} } Một sample nhắm vào Bank ở VN
OceanLotus
2019-04-09ESET ResearchRomain Dumont
@online{dumont:20190409:oceanlotus:eb8a99f, author = {Romain Dumont}, title = {{OceanLotus: macOS malware update}}, date = {2019-04-09}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/}, language = {English}, urldate = {2019-11-14} } OceanLotus: macOS malware update
OceanLotus
2018-04-04Trend MicroJaromír Hořejší
@online{hoej:20180404:new:16fe860, author = {Jaromír Hořejší}, title = {{New MacOS Backdoor Linked to OceanLotus Found}}, date = {2018-04-04}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/}, language = {English}, urldate = {2020-01-13} } New MacOS Backdoor Linked to OceanLotus Found
OceanLotus
2017-06-22Palo Alto Networks Unit 42Erye Hernandez, Danny Tsechansky
@online{hernandez:20170622:new:a5cf2c6, author = {Erye Hernandez and Danny Tsechansky}, title = {{The New and Improved macOS Backdoor from OceanLotus}}, date = {2017-06-22}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-backdoor-oceanlotus/}, language = {English}, urldate = {2019-12-20} } The New and Improved macOS Backdoor from OceanLotus
OceanLotus
2017-05-14FireEyeNick Carr
@online{carr:20170514:cyber:0ac720f, author = {Nick Carr}, title = {{Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations}}, date = {2017-05-14}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html}, language = {English}, urldate = {2019-12-20} } Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations
OceanLotus Cuegoe KOMPROGO SOUNDBITE APT32
2016-02-17AT&T CybersecurityEddie Lee
@online{lee:20160217:oceanlotus:b309baf, author = {Eddie Lee}, title = {{OceanLotus for OS X – an Application Bundle Pretending to be an Adobe Flash Update}}, date = {2016-02-17}, organization = {AT&T Cybersecurity}, url = {https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update}, language = {English}, urldate = {2020-01-09} } OceanLotus for OS X – an Application Bundle Pretending to be an Adobe Flash Update
OceanLotus
Yara Rules
[TLP:WHITE] osx_oceanlotus_auto (20201014 | autogenerated rule brought to you by yara-signator)
// NOTE(review): the per-byte listings under each $sequence_N were emitted by
// yara-signator in 32-bit decoding, which renders every leading 0x48 byte as
// "dec eax". The referenced reports describe a macOS backdoor, so these are
// more plausibly x86-64 sequences in which 0x48 is the REX.W prefix, e.g.
//   48 8b85f0feffff  -> mov rax, [rbp-0x110]
//   48 8d78e8        -> lea rdi, [rax-0x18]
//   48 3b3d????????  -> cmp rdi, [rip+disp32]
// Confirm against the sample before relying on the mnemonic annotations; the
// byte patterns themselves are unaffected. Bytes shown as "??" are
// displacements / call and jump targets the generator wildcarded because they
// differ between builds.
rule osx_oceanlotus_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/osx.oceanlotus"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // $sequence_0 .. $sequence_8 are variations of one code shape: load a
        // pointer from a stack slot, point 0x18 bytes before it, compare with a
        // RIP-relative global, branch. Only the stack-slot displacement differs
        // (-0x110, -0x248, -0x108, -0xf8). Several of them overlap (see the
        // note at the condition).
        $sequence_0 = { 48 8b85f0feffff 48 8d78e8 48 3b3d???????? 7417 }
            // n = 7, score = 200
            //   48                   | dec                 eax
            //   8b85f0feffff         | mov                 eax, dword ptr [ebp - 0x110]
            //   48                   | dec                 eax
            //   8d78e8               | lea                 edi, [eax - 0x18]
            //   48                   | dec                 eax
            //   3b3d????????         |                     
            //   7417                 | je                  0x19

        $sequence_1 = { 8b85b8fdffff 48 8d78e8 48 3b3d???????? }
            // n = 5, score = 200
            //   8b85b8fdffff         | mov                 eax, dword ptr [ebp - 0x248]
            //   48                   | dec                 eax
            //   8d78e8               | lea                 edi, [eax - 0x18]
            //   48                   | dec                 eax
            //   3b3d????????         |                     

        $sequence_2 = { 48 8b85b8fdffff 48 8d78e8 48 }
            // n = 5, score = 200
            //   48                   | dec                 eax
            //   8b85b8fdffff         | mov                 eax, dword ptr [ebp - 0x248]
            //   48                   | dec                 eax
            //   8d78e8               | lea                 edi, [eax - 0x18]
            //   48                   | dec                 eax

        // $sequence_3 is a sub-string of both $sequence_1 and $sequence_2: any
        // file matching either of those also matches this one.
        $sequence_3 = { 8b85b8fdffff 48 8d78e8 48 }
            // n = 4, score = 200
            //   8b85b8fdffff         | mov                 eax, dword ptr [ebp - 0x248]
            //   48                   | dec                 eax
            //   8d78e8               | lea                 edi, [eax - 0x18]
            //   48                   | dec                 eax

        // $sequence_4 is $sequence_0 without its leading 0x48 byte.
        $sequence_4 = { 8b85f0feffff 48 8d78e8 48 3b3d???????? 7417 }
            // n = 6, score = 200
            //   8b85f0feffff         | mov                 eax, dword ptr [ebp - 0x110]
            //   48                   | dec                 eax
            //   8d78e8               | lea                 edi, [eax - 0x18]
            //   48                   | dec                 eax
            //   3b3d????????         |                     
            //   7417                 | je                  0x19

        $sequence_5 = { e8???????? 48 8b85f8feffff 48 8d78e8 48 3b3d???????? }
            // n = 7, score = 200
            //   e8????????           |                     
            //   48                   | dec                 eax
            //   8b85f8feffff         | mov                 eax, dword ptr [ebp - 0x108]
            //   48                   | dec                 eax
            //   8d78e8               | lea                 edi, [eax - 0x18]
            //   48                   | dec                 eax
            //   3b3d????????         |                     

        // $sequence_6 is $sequence_8 without its leading 0x48 byte.
        $sequence_6 = { 89de e8???????? 48 8b8508ffffff 48 8d78e8 }
            // n = 6, score = 200
            //   89de                 | mov                 esi, ebx
            //   e8????????           |                     
            //   48                   | dec                 eax
            //   8b8508ffffff         | mov                 eax, dword ptr [ebp - 0xf8]
            //   48                   | dec                 eax
            //   8d78e8               | lea                 edi, [eax - 0x18]

        // $sequence_7 is a prefix of $sequence_5.
        $sequence_7 = { e8???????? 48 8b85f8feffff 48 8d78e8 48 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   48                   | dec                 eax
            //   8b85f8feffff         | mov                 eax, dword ptr [ebp - 0x108]
            //   48                   | dec                 eax
            //   8d78e8               | lea                 edi, [eax - 0x18]
            //   48                   | dec                 eax

        $sequence_8 = { 48 89de e8???????? 48 8b8508ffffff 48 8d78e8 }
            // n = 7, score = 200
            //   48                   | dec                 eax
            //   89de                 | mov                 esi, ebx
            //   e8????????           |                     
            //   48                   | dec                 eax
            //   8b8508ffffff         | mov                 eax, dword ptr [ebp - 0xf8]
            //   48                   | dec                 eax
            //   8d78e8               | lea                 edi, [eax - 0x18]

        // In 64-bit decoding this is nop; push rbp; mov rbp, rsp; pop rbp;
        // jmp rel32 -- a trivial thunk that merely tail-jumps elsewhere. Such
        // thunks are compiler-generated and not specific to this family, so
        // this string carries little discriminating weight on its own.
        $sequence_9 = { 90 55 48 89e5 5d e9???????? }
            // n = 6, score = 200
            //   90                   | nop                 
            //   55                   | push                ebp
            //   48                   | dec                 eax
            //   89e5                 | mov                 ebp, esp
            //   5d                   | pop                 ebp
            //   e9????????           |                     

    condition:
        // 7 of the 10 strings must match. Because $sequence_3, $sequence_4,
        // $sequence_6 and $sequence_7 are contained in $sequence_1/$sequence_2,
        // $sequence_0, $sequence_8 and $sequence_5 respectively, a hit on a
        // longer string implies a hit on the shorter one, so the threshold
        // corresponds to fewer than 7 independent code features.
        // The filesize bound is presumably taken from the documented sample(s);
        // larger rebuilds or fat/universal binaries would fall outside it --
        // confirm before tuning.
        7 of them and filesize < 308528
}
[TLP:WHITE] osx_oceanlotus_w0   (20170519 | OceanLotus XOR decode function)
// Hand-written AlienVault Labs rule (2016 report, see the source meta field)
// matching the XOR string-decoding routine of the OS X OceanLotus sample.
rule osx_oceanlotus_w0 {
    meta:
        author = "AlienVault Labs"
        type = "malware"
        description = "OceanLotus XOR decode function"
        source = "https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/osx.oceanlotus"
        malpedia_version = "20170519"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Reading the fixed opcodes (x86-64): 89 D2 = mov edx, edx; 41 8A = load a
        // byte via a REX.B-extended register; 32 = xor r8, r/m8; 88 = store the
        // byte; FF C2 = inc edx; 39 = cmp; 0F 43 = cmovae; 48 FF C? = inc r64;
        // 75 E3 = jne back 0x1d bytes. Taken together this looks like a byte-wise
        // XOR loop whose key index (edx) is incremented and reset via cmovae when
        // it reaches the key length -- i.e. a repeating-key XOR -- verify against
        // the sample. The "?" nibbles leave register choices open and the [0-1]
        // jumps presumably absorb optional REX prefixes; together they make the
        // pattern tolerant of register-allocation changes between builds.
        $xor_decode = { 89 D2 41 8A ?? ?? [0-1] 32 0? 88 ?? FF C2 [0-1] 39 ?A [0-1] 0F 43 D? 4? FF C? 48 FF C? [0-1] FF C? 75 E3 }
    condition:
        // A single occurrence is enough; there is no file-format or size gate, so
        // any binary containing a similar decode loop would also match. If false
        // positives matter in your deployment, consider additionally requiring a
        // Mach-O header (e.g. uint32(0) == 0xfeedfacf for 64-bit Mach-O) --
        // confirm the sample's format first.
        $xor_decode
}
[TLP:WHITE] osx_oceanlotus_w1   (20170519 | OceanLotus constants)
// Hand-written AlienVault Labs rule (2016 report, see the source meta field)
// matching an 11-byte constant found in the OS X OceanLotus sample.
rule osx_oceanlotus_w1 {
    meta:
        author = "AlienVault Labs"
        type = "malware"
        description = "OceanLotus constants"
        source = "https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/osx.oceanlotus"
        malpedia_version = "20170519"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // $c2 is exactly $c1 with the byte order reversed, so the rule catches the
        // constant whether it is stored forwards or backwards (what the constant
        // is used for is not documented here -- see the source report).
        $c1 = { 3A 52 16 25 11 19 07 14 3D 08 0F }
        $c2 = { 0F 08 3D 14 07 19 11 25 16 52 3A }
    condition:
        // Either orientation of the constant, anywhere in the file; no
        // file-format or size gate is applied.
        any of them
}