macOS malware hit devices with malicious macros

Share this…

The perception about Apple devices is that they are protected from attacks by default which is not true. Information security training researchers at Trend Micro have discovered a new malware which they believe is associated with OceanLotus also known as SeaLotus, Cobalt Kitty, APT 32, and APT-C-00. OceanLotus group is well known for targeting maritime construction firms, research institutes, media and human rights organizations.

Detected as OSX_OCEANLOTUS.D, the malware aims at Mac devices that have Perl programming language installed on the system and is being delivered through phishing emails attached with a Microsoft Word document.


Once information security training experts analyzed the document, noted that its content invites users to register themselves for an event organized by HDMC, a Vietnamese organization that advertises national independence and democracy.

The document contains malicious macros. The email recommends victims to enable macros to read the email and once that’s done the obfuscated macros extract an .XML file from the Word document which is actually an executable file and works as the dropper of the backdoor, which is the final payload.

Also all strings within the dropper including the backdoor are encrypted using a hardcoded RSA256 key. The dropper checks whether it is running as a root or not and based on that it selects where it needs to be installed.

“When the dropper installs the backdoor, it sets its attributes to “hidden” and sets file date and time to random values,” information security training researchers noted. “The dropper will delete itself at the end of the process.”

The backdoor depends on two functions including runHandle and infoClient. The runHandle function is responsible for the backdoor capabilities whereas infoClient collects platform information and sends it to the command and control (C&C) server.

“Malicious attacks targeting Mac devices are not as common as its counterparts, but the discovery of this new macOS backdoor that is presumably distributed via phishing email calls for every user to adopt best practices for phishing attacks regardless of operating system,” concluded.

Now it is unclear how many victims this new malware has found or if it has spread outside Vietnam; information security training professionals said that macOS users should remain vigilant and refrain from clicking links or downloading files from unknown emails. Moreover, use anti-malware software, scan your device daily and keep its operating system updated.