Research Saturday 4.28.18
Ep 33 | 4.28.18

New MacOS backdoor linked to OceanLotus.


Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by the Hewlett Foundation's Cyber Initiative. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:26] And now, a moment to tell you about our sponsor, the Hewlett Foundation's Cyber Initiative. While government and industry focus on the latest cyber threats, we still need more institutions and individuals who take a longer view. They're the people who are helping to create the norms and policies that will keep us all safe in cyberspace. The Cyber Initiative supports a cyber policy field that offers thoughtful solutions to complex challenges, for the benefit of societies around the world. Learn more at

Dave Bittner: [00:01:02] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data, all without ever decrypting anything. All without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at

Mark Nunnikhoven: [00:01:42] Trend Micro Research runs a number of ingest activities.

Dave Bittner: [00:01:46] That's Mark Nunnikhoven. He's the Vice President of Cloud Research at Trend Micro. The research we're discussing today is titled "New MacOS Backdoor Linked to OceanLotus Found."

Mark Nunnikhoven: [00:01:58] So, we get product alerts, so when a Trend Micro product has detected new malware, it sends it up. We run joint research with other academic researchers, we have agreements with law enforcement, with a number of different areas around the world, to try to pull in as much threat intelligence as we can. And, as a result of that, we see new samples, like this particular document and backdoor for MacOS, pop up on our radar.

Dave Bittner: [00:02:28] So, let's walk through this one. How does it work? How does one find it on their system?

Mark Nunnikhoven: [00:02:33] This comes through, and it's starting off as a malicious Word document. So, we see this quite common, in that a Word document is downloaded, most commonly through email, and as soon as the user opens up this Word document, it has this red screen with a big warning that says, "You need to activate compatibility mode to make sure that your version of Word can read this document." And of course, to enable compatibility mode, you have to run a macro, and that's an embedded piece of code that's in this document, and in this case it's malicious code.

Dave Bittner: [00:03:12] So, we're supposing that probably this Word document came through a phishing attack to start?

Mark Nunnikhoven: [00:03:18] Yeah, yeah. We see, based on our research numbers, depending on the month, we see anywhere from about 85 to 92 percent of all attacks are starting through phishing. It is the number one vector to kick off an attack, by far.

Dave Bittner: [00:03:31] And it's interesting, in your research you published a screen grab of this alert, and it really is innocuous. I mean, it makes you think that, oh, it's just an older version, nothing to see here, just something procedural, and move on.

Mark Nunnikhoven: [00:03:47] Yeah, and I wish I had better news on that front, but cyber criminals are very, very good at researching what works for a hook, what works in a user interface, so that you don't think twice. It's not uncommon for people to receive documents that have either compatibility issues, or need additional functions like macros enabled in a business setting. So they're designing this to be, you know, a blip on the radar, if that. Ideally, it's something you don't think twice about, you just click and go.

Dave Bittner: [00:04:14] They hook you, and you enable your macros. What happens next?

Mark Nunnikhoven: [00:04:19] In the document, in this macro, is a whole bunch of obfuscated code. So, they've tried to make this code very hard to detect. But, when you unpack it all, it ends up being a very simple Perl script. Now, Perl is still installed by default on everyone's MacOS, so it's a safe way for an attacker to send a set of system commands. And these commands are designed to install the backdoor, so this is what we call a dropper. This is the code, it executes as this Perl script detecting whether or not it has root access, or if it just got normal user permissions, and then it tries to dig into the system as much as it can and hide its tracks.

Dave Bittner: [00:05:02] And so, let's walk through that. What exactly does it do? How does it hide itself?

Mark Nunnikhoven: [00:05:06] So, the way it starts off is by doing that permissions detection, writing a couple of files locally so that it can start to execute, and then once it's in there, it starts to walk through, sort of feel itself out. So, it's launched the, the dropper has launched itself, and it looks to persist, is its first thing. So it's looking to start up a launch daemon or a launch agent, so that if you reboot your system, that it will come right back online. So that's step one, is persistence. It wants to make sure if it's doing this hard work, that it can continue to be on the system as it goes.

Dave Bittner: [00:05:44] And it doesn't need root access to do that?

Mark Nunnikhoven: [00:05:46] No. So, within MacOS, you've got two layers, like in pretty much any Unix-type system. There's multiple layers of persistence. You can have things at a system-level that restart. You can also have things specifically in your user account that restart. If you go through user preferences as a Mac user, you can look at your, what's called "login items," and those boot up every time.

Mark Nunnikhoven: [00:06:08] It's not uncommon for tools, you know, something as simple as Skype, like we're using now, or Spotify, to set itself to load at your preference on reboot. And this is a functionality that the attacker is taking advantage of. Obviously, they'd prefer the system-level load, but, if they can only get user, that's what they'll take.

Dave Bittner: [00:06:29] I see. So, the code within the dropper, the strings within the dropper, they're encrypting those, yes?

Mark Nunnikhoven: [00:06:35] Yes. So, the strings that start within the dropper, in the Word document, they're obfuscated. So they're not necessarily encrypted, they're just hidden from detection, so that if your email gateway is looking for malware, it might not find it, because they literally encode every single character in that Perl script differently. They set it up separately, so that you have to reassemble it.

Mark Nunnikhoven: [00:06:58] Once it's established, and once the dropper has gotten the malware and the backdoor in place, then it actually generates a unique encryption key, so that your infected system and the attacker's back-end can have private and secure communications.

Dave Bittner: [00:07:15] This dropper is installed. Where do we go from here?

Mark Nunnikhoven: [00:07:18] Yeah, once the dropper's installed, then it pulls down its main implant. So, the idea of the dropper is to bridge that Word document into the actual malware. So the dropper does the installation, it sets things up, and then it downloads the malware tool.

Mark Nunnikhoven: [00:07:34] Now, the malware tool is pretty straightforward. It's basically a remote access tool. So, this allows the attacker to look at basic system properties that you have running on your system. So, it profiles your system, and it also allows the attacker to run commands on your system, and that's by far the most important piece. But that first piece, of finding out who's running, whose system that is, is also really interesting.

Dave Bittner: [00:08:00] Is the suspicion that they want to find out who you are to see if you're worth taking any farther?

Mark Nunnikhoven: [00:08:07] You got it in one. That's absolutely it. So, the group behind this malware, that's been attributed to this malware, has been tracked for quite a while. First activities were starting to pop up in 2013 and 2014, and a number of different security companies and research teams have been looking at these, this attacker. They've gone under various names, from OceanLotus to APT32. And they're generally politically motivated, so it's not uncommon for them to verify a target before going any further.

Mark Nunnikhoven: [00:08:39] And one of the big challenges we see in the Mac world is, by default, if you have a single user or the first user on a Mac, when you enter your full name that actually shows up is your Mac's name. So, you'll see that sometimes if you're on a conference Wi-Fi, or if you're on a hotel Wi-Fi, you'll see different people's Macs show up. So you'd see, you know, "Mark Nunnikhoven's MacBook," because that's the default. So, the attacker actually gets that name right out of the gate with that initial profiling. So, they can have a good idea of whether they want to continue to the next phase.

Dave Bittner: [00:09:14] So, let's go into some of the technical details of this backdoor. What's going on with it?

Mark Nunnikhoven: [00:09:19] Yeah, and this is where it gets interesting in how simple it is. And this, you know, speaks to sort of the efficiency of attackers, as they tend not to build anything more than they need. And we've already seen, with the initial macro in the Word document, that they're comfortable with scripting in languages like Perl, which, again, are enabled by default on MacOS.

Mark Nunnikhoven: [00:09:41] So, after this malware sets up its encryption key so that it has that unique and secure connection back to the command-and-control server for the attacker, it just allows them to run very simple commands on the remote system. So, they've got it set up where they can do some basic scripting-level things like, you know, get file sizes, download and execute a file, or run a command in a terminal, or remove a file, and get some additional info or a heartbeat to check to make sure the system's still online. And that doesn't sound like a lot of tools, but it actually enables quite a lot of functionality from the attacker's point of view.

Dave Bittner: [00:10:21] What sort of a functionality are we talking about here? Can you give us some examples?

Mark Nunnikhoven: [00:10:25] For sure, yeah. So, the easiest and most obvious is that they can upload files from the infected Mac to the attacker. So, if they know that there is a Word document, or an Excel spreadsheet, or something like that, they can upload that to themselves. So they can steal information directly off the system.

Mark Nunnikhoven: [00:10:42] The sort of innocuous one is the run a command in the terminal, as well as download and execute a file. Now, as soon as they can run a command on the terminal, they can run anything that's running locally on the Mac, and by default, we already have mentioned that Perl is running as a scripting language. Python is also available to them. So that means they can easily transfer small-sized programs that let them do anything as far as monitor the keyboard strokes if they wanted to, they can look at the screens, what's being displayed right there. They can search your drive, they can expand to see what kind of network you're connected to. They can use the computer like you can sitting in front of it.

Dave Bittner: [00:11:24] And, to be clear here, they can install and execute this software without requiring any sort of administrator authorization?

Mark Nunnikhoven: [00:11:32] Yeah, and they're going to run into the same challenges that you would, as a user. If they tried to do some protected commands, they will need to elevate the privileges. But, since they already have the ability to run anything like a standard user, that means any other vulnerabilities that are out there for that version of MacOS they can exploit and escalate.

Mark Nunnikhoven: [00:11:52] But in a scenario like this, where there's a political motivation, a lot of the time we see the attackers don't actually require elevated privileges, because what they're after here is very much information. Normally, a cyber criminal will be after resources, or something they can convert into money. So, you know, they'll try to either take your data to sell on the underground, or hold your data ransom to sell it back to you, or lately we've seen a huge burst in cryptocurrency mining, where they're using your CPU to generate cryptocurrency for them.

Mark Nunnikhoven: [00:12:24] In this case, with a politically motivated attacker, they're normally looking for information. So, if we put our bad-guy hat on and looked at, you know, the CyberWire podcast, we'd be saying, you know, they're looking for upcoming interviews and contact information, they're looking for content schedules, they're looking for anything that's unique to your activities that they can leverage for their gain.

Dave Bittner: [00:12:45] Hey, back off, man. (laughs).

Mark Nunnikhoven: [00:12:46] I know, I said I put my bad-guy hat on!

Dave Bittner: [00:12:50] All right, fair enough. What sort of communications is going on between them and the command-and-control servers? Is there anything of note between those two points of contact?

Mark Nunnikhoven: [00:13:02] Yeah, so the interesting thing here is that, because--and I keep saying that, simply because it's a fascinating case in simplicity, I find, it's a highly-effective, highly-simple setup here--but because the attacker has set up an encrypted channel between the infected system and the back-end, we can see the amount of traffic but we can't necessarily pull out the specific actions that they're taking. So we know there is a general heartbeat to ensure that the system is, you know, phoning home every once in a while and saying, hey, I'm still here, I'm infected, you can do stuff with me.

Mark Nunnikhoven: [00:13:32] But it really depends on the interactivity. This is not an automated system, so where we see ransomware as a highly-automated crime, crypto-jacking, highly-automated. This is a hands-on attack. So, there's very little general traffic until there's an attacker behind their keyboard probing the system and running different commands on the system, and then you see an increase in encrypted traffic between the two.

Dave Bittner: [00:13:56] Now, in terms of folks protecting themselves against this, is this something that a standard, you know, antivirus software installation would tend to detect?

Mark Nunnikhoven: [00:14:06] Eventually, yes. So, the challenge here is sort of the mutation of this event, of this document, and where they're getting that initial foothold. So, it's a matter of, you know, are you ahead of the curve with your security tools versus the attacker?

Mark Nunnikhoven: [00:14:21] But really there's a couple main areas you want to focus on. And that's, the first one's always phishing. You need to do strong email protection. So, that's using some security tools on the email gateway, but that's also training users to question, when they click on a link or attachment, if they're prompted to take action.

Mark Nunnikhoven: [00:14:39] So, in this case, you click on your attachment, and it's prompting you to take action. It's saying, hey, it's not compatible, enable macros. Well, don't. I know that's easy to say, but, realistically, macros are something that can be useful, but if you're getting email documents that are prompting you continuously to use macros, more often than not that's an attack. So, it's a user education piece here, as well as with the security controls on the gateway, and of course your standard antivirus and endpoint protection is going to help out.

Dave Bittner: [00:15:08] Now, this is a MacOS-specific instance here. Have you tracked, is there a Windows equivalent? Are they hitting that side as well?

Mark Nunnikhoven: [00:15:18] With this particular threat actor, with this group, we haven't seen a targeted Windows one, yet. But we have seen that out in the wild. We've seen variations on this attack. We've seen very similar attacks, where it's a Word document asking for additional content. We've seen PowerPoint documents that are asking you to click on links to load movies that are actually malicious attacks.

Mark Nunnikhoven: [00:15:41] But I think it's also telling, in sort of the targeted nature of this attack, that it is going after MacOS. We know, traditionally, and the norm here, is for criminals to go for the biggest bang for their buck. And based on market share and the type of data being used in corporate settings, Windows tends to be a better investment for a criminal. So, the fact that they're going after Mac means that they know their target audience, their target set of victims, is predominantly Mac users, which is why they've customized this tool.

Dave Bittner: [00:16:12] Yeah, I mean, I think it's interesting, and I think it's fair to say that, on the Mac side, a lot of Mac users sort of hold their heads high and consider themselves to be so much less vulnerable, but I think this points out that that might not be the case.

Mark Nunnikhoven: [00:16:28] Yeah, and I think that's a fair statement. In general, Mac, you know, there are differences in the way the OS is built, around security and user access. But the history of Mac being, you know, giant quotes, less vulnerable, is really one of economics. Criminals are in this for the money. They're going to go where they can make the most money the easiest, and, for the longest time, Windows and its variants have had the majority of corporate market share and the majority of home-user market share, which is why that's where criminals were focusing their efforts. It was an easy return. Now that Mac is gaining in market share, and in specific target audiences like this one, we do see Mac being exploited more and more frequently.

Dave Bittner: [00:17:12] It strikes me that this is a pretty targeted attack here, like, that these folks know who they're going after. How do you think this research that you've done should inform those who are outside of that bullseye? How can they use this information to inform their general security approach?

Mark Nunnikhoven: [00:17:32] Yeah, I think if you're outside of this bullseye, it's a wakeup call that cyber criminals have shifted their tactics to one of luring you in, either through phishing or through website prompts, to take an action that looks like something innocuous. So, we are all inundated by warnings throughout the day, of various things that, you know, you need to change, this browser's not supported, or in this case, you know, this version of Word isn't supported.

Mark Nunnikhoven: [00:18:00] And there's enough complexity around just using computers that cyber criminals have gotten wise to that. So, I think the general advice to people is very much be aware when you're prompted to take an action that seems out of sequence. It should be an extremely rare event that your version of Word doesn't work with a document that you're sent. Word has only fractured the format once in the past thirty years, and you're sort of before that point or after that point. So, it's rare that you should see these kind of prompts, even though it looks completely legitimate.

Mark Nunnikhoven: [00:18:37] So, you should be aware of that, as a user, and anytime you're asked to load different software, or enable an additional feature, or to log in again--we see that quite often with web attacks, where you click on the link and it'll say, "log into your Gmail credentials again"--that should raise the sort of Spidey-sense that you should question what's really going on.

Dave Bittner: [00:18:59] Our thanks to Mark Nunnikhoven from Trend Micro for joining us. The research is titled "New MacOS Backdoor Linked to OceanLotus Found." You can read it on the Trend Micro website.

Dave Bittner: [00:19:11] Thanks to the Hewlett Foundation's Cyber Initiative for sponsoring our show. You can learn more about them at

Dave Bittner: [00:19:19] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at

Dave Bittner: [00:19:27] The CyberWire Research Saturday is proudly produced in Maryland, out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. It's produced by Pratt Street Media. The coordinating producer is Jennifer Eiben, editor is John Petrik, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.