Hackers are targeting MacOS users with this updated malware

A newly discovered form of malware is targeting Apple MacOS users in a campaign which researchers say is tied to a nation-state backed hacking operation.

The campaign has been detailed by cybersecurity analysts at Trend Micro, who have linked it to OceanLotus, also known as APT32, a hacking group thought to have links to the Vietnamese government.

OceanLotus is known to target foreign organisations working in Vietnam, including those in media, research and construction, and while the motivation for this isn’t fully understood, the aim is thought to be to use espionage to aid Vietnamese-owned companies.

The MacOS backdoor provides the attackers with a window into the compromised machine, enabling them to snoop on and steal confidential information and sensitive business documents.

The security company’s researchers have linked it to OceanLotus because of the similarities in code and behaviour of the malware, compared with samples used in previous campaigns by the group.

The attacks begin with phishing emails that attempt to persuade victims to run a Zip file disguised as a Word document. It evades detection by anti-virus scanners by placing special characters deep inside a series of nested Zip folders.
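The lure described above, an archive passing for a Word document with unusual characters buried in nested Zip layers, is something mail gateways and endpoint tooling can check for before a user ever double-clicks it. The script below is an added example written for this article and is not Trend Micro's or OceanLotus-specific code; it builds a constructed, harmless sample archive and then walks it recursively, flagging three things: entry names that contain control or format characters (zero-width spaces, bidi overrides), names that carry a document extension ahead of a different final extension (the `Report.docx.zip` pattern), and archives nested inside archives. The category list, the `DOC_EXTS` set and the depth limit are the example's own assumptions, not indicators taken from the report.

```python
import io
import unicodedata
import zipfile

# Extensions a lure typically borrows; the real type is whatever the final extension is.
# Assumption of this example, not an indicator from the report.
DOC_EXTS = {".doc", ".docx", ".pdf", ".rtf", ".xls", ".xlsx", ".ppt", ".pptx"}


def suspicious_chars(name):
    """List code points in an entry name that an ordinary filename should not contain:
    control (Cc), format (Cf: zero-width, bidi override) and separator (Zl/Zp) characters."""
    return [f"U+{ord(ch):04X} ({unicodedata.category(ch)})"
            for ch in name if unicodedata.category(ch) in ("Cc", "Cf", "Zl", "Zp")]


def mimics_document(name):
    """True when a document extension appears before a different, final extension
    (e.g. 'Report.docx.zip'), which is how an archive passes for a Word file."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 3:
        return False
    return "." + parts[-1] not in DOC_EXTS and any("." + p in DOC_EXTS for p in parts[1:-1])


def scan_archive(data, max_depth=4, depth=0, prefix=""):
    """Walk a Zip archive (given as bytes) recursively and return a list of findings.
    Each finding records the entry path, its nesting depth and the reason it was flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            entry = f"{prefix}/{info.filename}" if prefix else info.filename
            odd = suspicious_chars(info.filename)
            if odd:
                findings.append({"entry": entry, "depth": depth,
                                 "reason": "unusual characters: " + ", ".join(odd)})
            if mimics_document(info.filename):
                findings.append({"entry": entry, "depth": depth,
                                 "reason": "document-mimicking name"})
            member = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(member)):
                if depth + 1 > max_depth:
                    # Refuse to expand further: deep nesting is itself worth reporting.
                    findings.append({"entry": entry, "depth": depth,
                                     "reason": "nested archive beyond max_depth, not expanded"})
                else:
                    findings.append({"entry": entry, "depth": depth, "reason": "nested archive"})
                    findings.extend(scan_archive(member, max_depth, depth + 1, entry))
    return findings


def build_sample_archive():
    """Constructed sample, not a real malware sample: an archive named like a Word
    document that contains a second archive whose entry name hides a zero-width space."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("Invoice\u200b.docx", "placeholder content")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("readme.txt", "placeholder content")
        zf.writestr("Report.docx.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for f in scan_archive(build_sample_archive()):
        print(f"depth {f['depth']}: {f['entry']!r}: {f['reason']}")
```

On the constructed sample the scan reports the outer `Report.docx.zip` twice (document-mimicking name, nested archive) and the inner `Invoice<U+200B>.docx` once for its zero-width character; `readme.txt` is clean. The depth limit matters in practice because recursive expansion of attacker-supplied archives is an easy way to exhaust a scanner, so nesting past the limit is reported rather than followed.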


The attack could give itself away to an attentive user, because when the malicious file is run no Microsoft Word document appears.

However, by this stage an initial payload is already running on the machine. It changes access permissions in order to load a second-stage payload, which in turn triggers the installation of a third-stage payload that downloads the backdoor onto the system. By installing the malware in separate stages like this, OceanLotus aims to evade detection.

Like older versions of the malware, this attack collects system information and creates a backdoor that allows the hackers to snoop on and download files, as well as upload additional malicious software to the system if required. The malware is thought to still be under active development.