A new version of an existing macOS backdoor believed to be tied to a nation-state hacking group is once again targeting users in Vietnam. The updated malware gives its operators access to a compromised machine, allowing them to steal sensitive information and surveil the targeted victim.
A new report by Trend Micro security analysts says the malware arrives as an app bundle packaged in a ZIP archive. It uses the icon of a Word document as a disguise, attempting to pass itself off as a legitimate document. It attempts to evade anti-malware software through obfuscation techniques such as using special characters in its app bundle name.
Once it is on a machine, the malware launches a series of payloads that change access permissions and install a backdoor on the Mac. The backdoor lets the attackers snoop around, download the user's files, collect information about the computer, and upload additional malicious software.
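The two disguise tricks described above (an app bundle posing as a document, with invisible characters in the bundle name so the real extension is not obvious) are easy to check for before an archive is ever opened. The script below is an added example written for this page; it is not Trend Micro's tooling or the article author's code, and the archive it builds and the bundle names in it are constructed for the demo, not the real sample's filename. It lists every .app bundle inside a ZIP and reports invisible Unicode characters in the bundle name and document extensions sitting in front of .app.

```python
import io
import unicodedata
import zipfile

# Unicode general categories that render as nothing: format characters such as the
# zero-width space U+200B, control characters, and line/paragraph separators.
# Once Finder hides the ".app" extension, "report.doc\u200b.app" shows as "report.doc".
INVISIBLE_CATEGORIES = {"Cf", "Cc", "Zl", "Zp"}

# Document extensions an application bundle has no legitimate reason to imitate.
DOCUMENT_EXTENSIONS = {"doc", "docx", "pdf", "xls", "xlsx", "ppt", "pptx", "txt", "rtf"}


def invisible_chars(text):
    """Return the invisible code points in a string as U+XXXX labels."""
    return [f"U+{ord(c):04X}" for c in text if unicodedata.category(c) in INVISIBLE_CATEGORIES]


def app_bundle_roots(names):
    """Return the outermost *.app directories among the zip member names."""
    roots = set()
    for name in names:
        parts = name.split("/")
        for i, part in enumerate(parts):
            if part.lower().endswith(".app"):
                roots.add("/".join(parts[: i + 1]))
                break
    return roots


def inspect_bundle(root, names):
    """Return the naming anomalies that make a bundle look like a disguised document."""
    bundle_name = root.rsplit("/", 1)[-1]
    reasons = []

    hidden = invisible_chars(bundle_name)
    if hidden:
        reasons.append("invisible characters in bundle name: " + ", ".join(hidden))

    # Strip invisible characters before reading the visible name, so that
    # "x.doc\u200b.app" is still recognised as "x.doc" followed by ".app".
    stem = bundle_name[:-4]
    visible = "".join(c for c in stem if unicodedata.category(c) not in INVISIBLE_CATEGORIES)
    if "." in visible and visible.rsplit(".", 1)[-1].lower() in DOCUMENT_EXTENSIONS:
        reasons.append(f"document extension in front of .app: {visible!r}")

    return reasons


def triage_zip(zip_bytes):
    """Map each .app bundle in a zip archive to its list of suspicious naming traits."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    return {root: inspect_bundle(root, names) for root in sorted(app_bundle_roots(names))}


def build_sample_zip():
    """Build an in-memory archive for the demo. All names here are constructed, not real."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Disguised bundle: "Cong van.doc" + zero-width space + ".app", with an executable slot.
        root = "Cong van.doc\u200b.app"
        zf.writestr(root + "/Contents/Info.plist", "<plist/>")
        zf.writestr(root + "/Contents/MacOS/Cong van", b"\xcf\xfa\xed\xfe")  # Mach-O magic only
        # Benign control: an ordinary bundle with a plain name.
        zf.writestr("Notes.app/Contents/MacOS/Notes", b"\xcf\xfa\xed\xfe")
        # A plain document, not a bundle at all; must not appear in the report.
        zf.writestr("readme.txt", "hello")
    return buf.getvalue()


if __name__ == "__main__":
    for bundle, reasons in triage_zip(build_sample_zip()).items():
        verdict = "SUSPICIOUS" if reasons else "ok"
        print(f"{verdict:10} {bundle!r}: {reasons}")
```

Running the script prints the constructed "Cong van.doc\u200b.app" bundle as suspicious on both counts and the plain Notes.app as ok. Point `triage_zip` at the bytes of a real attachment to get the same report; a bundle with either finding deserves a closer look before anyone double-clicks it.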
The updated backdoor is believed to be connected to a hacking group called OceanLotus, or APT32, that’s thought to have links to the Vietnamese government.
OceanLotus has been responsible for targeted attacks against organizations in industries such as media, research, and construction. Researchers from Volexity have also recently found the group using malicious websites to distribute malware.
The backdoor's code closely resembles samples Trend Micro discovered in 2018. The new backdoor is believed to be targeting users in Vietnam, given its Vietnamese filename and the earlier backdoors' targeting of users in the country.
“Threat groups such as OceanLotus are actively updating malware variants in attempts to evade detection and improve persistence,” the researchers wrote.
While the malware appears to target users in a specific geographic region and is unlikely to pose a high risk to most macOS users worldwide, users should still avoid clicking links or opening attachments from senders they don't know or trust. macOS users are also strongly advised to keep their Macs up to date with the latest security patches.