MacOS Backdoor Spreading Through MS Word Document

By Mel Khamlichi, founder of Osradar (Amsterdam, Netherlands), http://www.osradar.com

A backdoor is malware that gives an attacker covert, persistent access to a system, which can then be used to gain further privileges on it. Recently, a new MacOS backdoor has been identified that is being spread through MS Word documents. The infected document is being distributed through phishing campaigns, so everyone should be aware of such attempts.

According to security researchers at Trend Micro, the backdoor is most likely linked to the hacker group OceanLotus. This group is responsible for high-profile attacks against media organizations, maritime construction firms, human rights organizations and others.

How the backdoor works

The backdoor embedded in the MS Word document is written in Perl, which is why MacOS computers with Perl modules installed are more susceptible to the attack. Trend Micro detects the backdoor as “OSX_OCEANLOTUS.D”; the macro hides its payload by writing it out as decimal ASCII character codes.

The dropper is quite powerful. The strings in the dropper are encrypted with an RSA256 key and then encoded using a custom base64 encoding scheme.
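The two string-hiding layers just described (a macro payload spelled out as decimal ASCII codes, and strings encoded with a non-standard base64 alphabet) are the kind of thing an analyst has to peel back before the sample can be read. The helpers below are an added example for that triage work; they are not Trend Micro's tooling and not code from the malware. The macro text, the decimal array and the custom alphabet are constructed for illustration and are not taken from the real sample.

```python
"""Deobfuscation and triage helpers for the two string-hiding layers the
article describes: macro payloads hidden as decimal ASCII character codes,
and strings encoded with a non-standard base64 alphabet.

Added example for analysts; not Trend Micro's tooling and not code from the
malware. SAMPLE_MACRO, SAMPLE_ARRAY and CUSTOM_ALPHABET are constructed."""
import base64
import re

# --- Constructed inputs -----------------------------------------------------
# A macro that rebuilds a string from Chr() calls (decodes to "echo hi").
SAMPLE_MACRO = """
Sub AutoOpen()
    Dim s As String
    s = Chr(101) & Chr(99) & Chr(104) & Chr(111) & Chr(32) & Chr(104) & Chr(105)
End Sub
"""
# The same idea as an array of decimal codes (decodes to "hello osx").
SAMPLE_ARRAY = "codes = Array(104, 101, 108, 108, 111, 32, 111, 115, 120)"

STD_ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
)
# Made-up custom alphabet: the standard table rotated by 13 positions.
CUSTOM_ALPHABET = STD_ALPHABET[13:] + STD_ALPHABET[:13]

# --- Decimal ASCII layer ----------------------------------------------------
_CHR_RUN = re.compile(r"(?:Chr\(\d{1,3}\)(?:\s*&\s*)?)+", re.IGNORECASE)


def decode_chr_concat(vba_text):
    """Collapse every run of Chr(n) & Chr(n) ... into the string it builds."""
    results = []
    for run in _CHR_RUN.finditer(vba_text):
        codes = [int(n) for n in re.findall(r"\d+", run.group())]
        results.append("".join(chr(c) for c in codes))
    return results


def find_decimal_runs(text, min_len=8):
    """Recover strings from runs of at least min_len comma/space separated
    decimal values that all fall in the printable ASCII range."""
    pattern = r"(?:\d{1,3}\s*[, ]\s*){" + str(min_len - 1) + r",}\d{1,3}"
    results = []
    for m in re.finditer(pattern, text):
        codes = [int(n) for n in re.findall(r"\d+", m.group())]
        if all(32 <= c < 127 for c in codes):
            results.append("".join(chr(c) for c in codes))
    return results


def is_suspicious(vba_text, chr_threshold=5):
    """Cheap triage heuristic: many Chr() calls or a long printable decimal run."""
    chr_calls = len(re.findall(r"Chr\(\d{1,3}\)", vba_text, re.IGNORECASE))
    return chr_calls >= chr_threshold or bool(find_decimal_runs(vba_text))


# --- Custom base64 layer ----------------------------------------------------
def custom_b64decode(data, alphabet):
    """Map a custom alphabet back onto the standard one, restore padding, decode."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain 64 distinct characters")
    std = data.rstrip("=").translate(str.maketrans(alphabet, STD_ALPHABET))
    std += "=" * (-len(std) % 4)  # custom encoders often drop padding
    return base64.b64decode(std)


def custom_b64encode(raw, alphabet):
    """Inverse of custom_b64decode; used here only to build test input."""
    std = base64.b64encode(raw).decode("ascii").rstrip("=")
    return std.translate(str.maketrans(STD_ALPHABET, alphabet))


if __name__ == "__main__":
    print("suspicious:", is_suspicious(SAMPLE_MACRO))
    print("Chr() strings:", decode_chr_concat(SAMPLE_MACRO))
    print("decimal runs:", find_decimal_runs(SAMPLE_ARRAY))
    blob = custom_b64encode(b"hello", CUSTOM_ALPHABET)
    print("custom b64:", blob, "->", custom_b64decode(blob, CUSTOM_ALPHABET))
```

The custom-alphabet decoder only works once the alphabet is known; with a real sample that usually means reading the alphabet out of the dropper's own decode routine. The `is_suspicious` heuristic is deliberately crude and is meant for sorting macro text pulled from documents, not as a replacement for a proper scanner.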

Backdoor functions

The backdoor has two important functions:

  • infoClient – Collects basic information about the computer (computer name, Mac OS X version, x86/x64 architecture, owner’s name etc.)
  • runHandle – Handles all the backdoor operations.

The information the backdoor collects is sent to the hacker(s) via the C&C server. The data is encrypted in several steps.

How to stay safe

The malware is spreading via phishing campaigns, so be wary of phishing. It is an old yet effective method that can easily fool anyone, and staying safe requires some caution.

  • Use a unique, personal email address.
  • Don’t share your email address with any untrusted party.
  • Use spam filters and anti-spam plugins (if available).
  • Don’t open any attachments from untrusted sources; scan the file using VirusTotal first.
