A new macOS backdoor has been discovered.
Per antivirus company Trend Micro, a new macOS backdoor has been located. The backdoor is said to be linked to OceanLotus, also known as “APT32”, which is a hacking group that started being active in 2017. The group has launched attacks against human rights organizations, media organizations, research institutes, and maritime construction firms.
Trend Micro identified this backdoor as “OSX_OCEANLOTUS.D”. It targets Mac that have the Perl programming language installed. It was first found in a malicious Word document, and it most likely spread through email.
The document goes under the filename “2018-PHIẾU GHI DANH THAM DỰ TĨNH HỘI HMDC 2018.doc,” which to “2018-REGISTRATION FORM OF HMDC ASSEMBLY.” Upon opening the document, the file poses as a registration form for an HDMC event. HDMC is a Vietnam organization that advertises national independence and democracy.
Once the document has been received and opened, it will advise the user to activate Word macros, which then extracts a file named “theme0.xml”, which is a Mach-O 32-bit executable file extracted to /tmp/system/word/theme/syslogd.
It’s unknown as to just how dangerous this file is, but the following steps are recommended to keep your Mac free of viruses:
Don’t open emails from senders you don’t know.
If you do open one, don’t click on any URL or download any attachment.
Back up your Mac regularly.
Use antivirus software such as Bitdefender, Malwarebytes and Avira.
If you do receive a Word document in the email, and it looks like something you want/need, you could open it via Pages on iCloud.com. Then, copy and paste it into a new document, or export it as a Word document from there. Keep macros turned off in Word, because that is a big vector for malware.
As always, be careful out there, don’t download anything you know in your gut to be suspicious and we’ll have additional details about this as they become available.
Via The Mac Observer and Trend Micro