According to the security researchers of Trend Micro, the backdoor is most likely linked to the hacker group OceanLotus. The hacker group is responsible for launching high-profile attacks against media organizations, maritime construction films, human rights organizations etc.

How the backdoor works

The backdoor embedded in the MS Word is written in Perl. That’s why MacOS computers with Perl modules installed are more susceptible to the attack. The backdoor is written in “OSX_OCEANLOTUS.D” file where the macros are scatted by using decimal ASCII code.

The dropper is quite powerful. The strings in the dropper are encrypted. It uses an RSA256 key to encrypt the strings and encoded using a custom base64 encoding system.

Backdoor functions

The backdoor comes up with 2 important functions.

• infoClient – Checks the status of the computer (computer name, Mac OS X version, x86/x64 architecture, owner’s name etc.)
• runHandle – Handles all the backdoor operations.

The information the backdoor collects is sent to the hacker(s) via the C&C server. The data is encrypted in several steps.

How to stay safe

The malware is spreading via phishing campaigns. Be careful from phishing. It’s an old, yet effective method that can easily fool anyone. You need to exercise caution for staying safe.

• Use a unique, personal email address.
• Don’t share your email address with any untrusted label.
• Use spam filters and anti-spam plugins (if available)
• Don’t open any attachments from untrusted sources. Scan the file using VirusTotal

Did you know that there are some outdated techs we still use today? Check out some of the most successful outdated techs.

The post MacOS Backdoor Spreading Through MS Word Document appeared first on Linux Windows and android Tutorials.