A newly discovered, updated version of a backdoor malware family is again targeting Apple macOS users in Vietnam in what appears to be a coordinated hacking operation.

Researchers have discovered a new, updated version of a backdoor that targets Apple macOS users in Vietnam. Trend Micro analysts say the attacks appear linked to OceanLotus, a hacking operation alleged to be Vietnamese-backed, and are used to install backdoors on compromised systems.

According to Trend Micro, OceanLotus, also referred to as APT32, is a hacking group with suspected links to the Vietnamese government. The group has been reported to target foreign organizations with offices in Vietnam, including media outlets, non-profit groups, research entities and construction companies. Industry observers say the updated backdoor attacking Apple macOS users in Vietnam bears the hallmarks of the OceanLotus campaign. The campaign's motivation is not known outside the group itself, though some believe the group uses information taken from compromised systems to benefit Vietnamese-owned entities.

The updated macOS backdoor gives the attackers access to compromised machines, allowing them to inspect the computer's contents and steal confidential data and sensitive business documents. Trend Micro researchers say the attacks begin with phishing emails that try to get targets to open a Zip archive posing as a Word document. The lure hides the malicious file inside a series of nested Zip archives and uses special characters to evade antivirus scanners.

The attack does give itself away to an attentive user, because clicking the file does not launch Microsoft Word, but by then it is too late. Opening the file immediately runs an initial payload that modifies access permissions on the machine in preparation for loading a second-stage payload. The second stage then installs a third-stage payload, which downloads the updated macOS backdoor onto the system. Experts say the updated malware focuses on macOS users in Vietnam, and that installing it in stages makes it harder for antivirus or Internet security software to detect the OceanLotus backdoor.
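The delivery described above (a nested Zip whose contents pose as a Word document and carry special characters in their names) is something a mail gateway or analyst can check for before a user ever clicks. The following Python script is an added example, not code from the article or from Trend Micro's report: it walks a Zip archive recursively, descending into nested archives, flags entry names that contain invisible Unicode format or control characters, and flags macOS application bundles (a `Contents/MacOS/` executable with a Mach-O header) whose visible name ends in a document extension. The article does not say which special characters the lure uses, so treating every Unicode format/control character as suspicious is an assumption made here; the sample archive is constructed in memory for the demonstration and is not the real lure.

```python
import io
import unicodedata
import zipfile

# Unicode general categories that are invisible or change how a name renders:
# Cf = format (zero-width space, RTL override), Cc = control, Co = private use,
# Cn = unassigned. Treating all of these as suspicious is an assumption here;
# the article only says the lure uses "special characters".
SUSPICIOUS_CATEGORIES = {"Cf", "Cc", "Co", "Cn"}

# Mach-O magic numbers: 32/64-bit, both byte orders, and fat (universal) binaries.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
                b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca"}

DOCUMENT_SUFFIXES = (".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx")


def suspicious_chars(name):
    """Return (index, code point) pairs for format/control characters in a name."""
    return [(i, "U+%04X" % ord(ch)) for i, ch in enumerate(name)
            if unicodedata.category(ch) in SUSPICIOUS_CATEGORIES]


def walk_zip(data, prefix="", depth=0, max_depth=5):
    """Yield (path, depth, entry bytes) for every file, descending into nested Zips."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # truncated or malformed archive: nothing to descend into
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            blob = zf.read(info)
            yield path, depth, blob
            # Local file header signature: the entry is itself a Zip archive.
            if depth < max_depth and blob.startswith(b"PK\x03\x04"):
                yield from walk_zip(blob, path + "!/", depth + 1, max_depth)


def triage(data):
    """Return a list of findings for a Zip that may be masquerading as a document."""
    findings = []
    seen_segments = set()
    for path, depth, blob in walk_zip(data):
        # Check each path component once, so a bad character in a nested
        # archive's own name is attributed to the layer it appears in.
        for segment in path.split("/"):
            bad = suspicious_chars(segment)
            if bad and (depth, segment) not in seen_segments:
                seen_segments.add((depth, segment))
                findings.append(("invisible_chars", depth, segment, bad))
        # A Mach-O executable in an application bundle's MacOS directory.
        if "/Contents/MacOS/" in path and blob[:4] in MACHO_MAGICS:
            findings.append(("macho_in_bundle", depth, path, None))
            bundle = path.split("/Contents/MacOS/", 1)[0].rsplit("/", 1)[-1]
            if bundle.lower().endswith(".app"):
                # Strip the invisible characters to see what the user would read.
                visible = "".join(ch for ch in bundle[:-4]
                                  if unicodedata.category(ch) not in SUSPICIOUS_CATEGORIES)
                if visible.lower().endswith(DOCUMENT_SUFFIXES):
                    findings.append(("document_named_bundle", depth, bundle, None))
    return findings


def build_sample():
    """Constructed (not real) nested Zip shaped like the lure: an app bundle whose
    name reads as 'Contract.doc' but contains a zero-width space before '.app'."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        bundle = "Contract\u200b.doc.app"
        zf.writestr(bundle + "/Contents/Info.plist", "<plist/>")
        # Stand-in executable: 64-bit little-endian Mach-O magic plus filler bytes.
        zf.writestr(bundle + "/Contents/MacOS/Contract", b"\xcf\xfa\xed\xfe" + b"\0" * 28)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("Contract.zip", inner.getvalue())
    return outer.getvalue()


def build_clean():
    """Constructed benign archive with a plain text file, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for kind, depth, what, detail in triage(build_sample()):
        print(kind, "depth=%d" % depth, ascii(what), detail or "")
    print("clean archive findings:", triage(build_clean()))
```

The script only reads archive bytes and never extracts to disk, so it is safe to run over suspect attachments. The three checks are independent: an invisible character in a name is suspicious on its own, a Mach-O binary inside a document-looking bundle is suspicious on its own, and nesting depth is recorded with every finding so a rule can weight deeply buried hits more heavily.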

Like its older versions, the updated macOS backdoor aims to gather system information and set up a backdoor that lets the attackers spy on victims, download their files, and upload additional malicious software when needed. Cybersecurity experts believe the group behind the malware continues to develop it. "Threat groups such as OceanLotus are actively updating malware variants in attempts to evade detection and improve persistence," the experts said. They attributed the malware to OceanLotus based on code similarities and the behavior of the updated variant.