Backdoors are such tricks that inject a malware into a system for the further privilege in the system. Recently, a new MacOS backdoor has been identified that is being spread through MS Word documents. The infected document is being spread through phishing campaigns. Everyone should be aware of such attempts.
According to the security researchers of Trend Micro, the backdoor is most likely linked to the hacker group OceanLotus. The hacker group is responsible for launching high-profile attacks against media organizations, maritime construction films, human rights organizations etc.
How the backdoor works
The backdoor embedded in the MS Word is written in Perl. That’s why MacOS computers with Perl modules installed are more susceptible to the attack. The backdoor is written in “OSX_OCEANLOTUS.D” file where the macros are scatted by using decimal ASCII code.
The dropper is quite powerful. The strings in the dropper are encrypted. It uses an RSA256 key to encrypt the strings and encoded using a custom base64 encoding system.
The backdoor comes up with 2 important functions.
- infoClient – Checks the status of the computer (computer name, Mac OS X version, x86/x64 architecture, owner’s name etc.)
- runHandle – Handles all the backdoor operations.
The information the backdoor collects is sent to the hacker(s) via the C&C server. The data is encrypted in several steps.
How to stay safe
The malware is spreading via phishing campaigns. Be careful from phishing. It’s an old, yet effective method that can easily fool anyone. You need to exercise caution for staying safe.
- Use a unique, personal email address.
- Don’t share your email address with any untrusted label.
- Use spam filters and anti-spam plugins (if available)
- Don’t open any attachments from untrusted sources. Scan the file using VirusTotal
Did you know that there are some outdated techs we still use today? Check out some of the most successful outdated techs.