OceanLotus malware attacks China

Published May 31st, 2015 at 8:11 AM EDT , modified May 31st, 2015 at 8:12 AM EDT

On Friday, Chinese security researchers at Qihoo 360’s SkyEye Labs released a paper describing new malware they named OceanLotus. Unfortunately, this paper is written in Chinese, and Google’s far-from-perfect translation of the page is a difficult read. It is clear, however, that there is a Mac variant of this malware.

Qihoo 360 says that this malware appears to be attacking important areas of Chinese infrastructure, specifically, “Chinese government, research institutes, maritime agencies, sea construction, shipping enterprises.” It seems to be doing this through two different attack vectors: spear phishing and water-holing.

These terms may not mean a lot to some readers, so let’s look at what they mean. Spear phishing is similar to an ordinary phishing attack, i.e., an e-mail message designed to trick the reader into taking some action desired by the hacker. However, unlike a typical phishing e-mail, which is usually spam that gets blasted out to large numbers of people, a spear phishing e-mail is sent to very specific, targeted individuals or organizations. Another example of this was the CallMe malware, which involved maliciously-crafted Microsoft Word documents sent to Tibetan activists.

Water-holing refers to the idea of the watering hole in the African savannah, where predators will lie in wait for prey to come to them. This attack involves compromising a website that the target individuals or organizations are known to visit frequently, and using that site to distribute the malware. This has also been seen on the Mac, with a hack of the iPhoneDevSDK website used to target a Java vulnerability and install the Pintsized malware.

[Image: OceanLotus Flash Player alert]

If I’m understanding Qihoo 360’s document correctly, the Mac variant of this malware has been distributed through a watering hole attack involving a fake Adobe Flash Player update notice. People who fall for this trick will end up downloading an app named FlashUpdate, which appears to install an executable file cleverly named “.DS_Stores” (very similar to a perfectly normal and very common Mac metadata file named “.DS_Store”). Where this hidden .DS_Stores file is placed and how/whether it maintains persistence (i.e., stays running) is not clear.
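The one concrete indicator the post gives is the decoy file name, so a defender can at least sweep for it. The script below is an added example, not code from the original post or from Qihoo 360: it finds regular files named exactly “.DS_Stores” that carry an execute bit (a genuine .DS_Store is metadata and is never executable), and builds a constructed fixture so it can be run offline. Since the post does not say where the file is dropped, the directories used in the fixture are an assumption, and a real scan should be pointed at whatever roots you care about (a user’s home directory, for instance).

```shell
#!/bin/sh
# Added example, not from the original post. Hunts for the OceanLotus decoy
# file described above: an executable named ".DS_Stores", one letter away from
# the legitimate ".DS_Store" metadata file. The scan roots and fixture paths
# are assumptions; the post does not say where the file is dropped.

# List regular files named exactly ".DS_Stores" under the given root that have
# the owner-execute bit set. -name is an exact match, so the legitimate
# ".DS_Store" is never reported, and -perm -100 drops non-executable copies.
find_ds_stores_decoy() {
    find "$1" -type f -name '.DS_Stores' -perm -100 2>/dev/null
}

# Count the hits so a caller (or a monitoring job) can branch on the result.
count_ds_stores_decoy() {
    find_ds_stores_decoy "$1" | wc -l | tr -d ' '
}

# Report each hit with its owner, mode and modification time for triage.
report_ds_stores_decoy() {
    find_ds_stores_decoy "$1" | while IFS= read -r path; do
        printf 'suspicious: %s\n' "$path"
        ls -l "$path"
    done
}

# Constructed fixture for offline testing: one legitimate .DS_Store, one
# executable .DS_Stores (the decoy) and one non-executable .DS_Stores, which
# should be ignored. Prints the fixture directory.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/Documents" "$dir/Library/Application Support/Flash"
    : > "$dir/Documents/.DS_Store"
    printf '#!/bin/sh\n' > "$dir/Library/Application Support/Flash/.DS_Stores"
    chmod 755 "$dir/Library/Application Support/Flash/.DS_Stores"
    : > "$dir/Documents/.DS_Stores"
    chmod 644 "$dir/Documents/.DS_Stores"
    printf '%s\n' "$dir"
}

# Stand-alone run: build the fixture, scan it, show the count, clean up.
# Point report_ds_stores_decoy at "$HOME" (or another root) for a real sweep.
if [ "${1:-}" = "--demo" ]; then
    fx=$(make_fixture)
    report_ds_stores_decoy "$fx"
    echo "fixture hits: $(count_ds_stores_decoy "$fx")"
    rm -rf "$fx"
fi
```

Run it with `sh scan.sh --demo` to see the fixture result. A hit is a lead, not a verdict: a hidden executable with this name is unusual enough to inspect, but the post itself notes the file’s location and persistence mechanism are unknown, so the scan cannot rule the malware out.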

The malware connects to one of three command & control servers, and can execute any number of commands according to instructions received. The document refers to the following capabilities:

Function                     Command
Directory listing            ls [path]
Enter the directory          cd [path]
Get the current directory    Pwd
Delete file                  rm <file_path>
Copy files                   cp <srcpath> <dstpath>
Move files                   mv <srcpath> <dstpath>
Get process information      p {info: pid | ppid | name}
Kill the process             kill <pid>
Run cmd                      <command system>
Crawl Communication          capture <saved_path>
Show file                    cat path [num_byte]
Download the file            download fromURL savePath

Essentially, this describes a backdoor that can do anything it wants to an infected Mac, including execution of arbitrary Unix commands and the download and installation of any other malicious software. The malware is also described as being able to modify browser behavior, control what apps are running and modify its behavior if running in a Parallels virtual machine (a common malware trick to prevent analysis by malware researchers).

Other Mac malware researchers are searching for copies of the malware, but as far as I know, thus far without success. At this point, there’s no other information about this malware other than what Qihoo 360 has said publicly. This means we still really don’t know how widespread this malware may be, or who else it might be affecting, or if there are any other methods of distribution.

Unfortunately, this also means that defenses against this malware may be nonexistent. If the malware is signed with a valid Apple Developer ID, it will be able to get past all of the anti-malware features built into Mac OS X. Some will probably point out that the fake Flash Player trick is an old one, and say that nobody still falls for that. However, I would strongly disagree, as I have personally seen Mac adware use exactly the same trick in recent months, and have seen plenty of people who fell for it. Although security-minded people know all about this trick and would never fall for it, average folks are usually not aware of it and don’t see the danger.

Hopefully, more information will come to light in the coming weeks. However, with targeted attacks like this, it can sometimes take a long time for security researchers to get their hands on samples. It would not be unexpected, for a variety of reasons, for Qihoo 360 to sit on its samples and not share them with other companies, who could use them to improve competing anti-malware products.

4 Comments

  • James says:

    Yeah, the fake Flash Player trick definitely still works. As a matter of fact, I saw someone ask about it on your May 20th post. If anything ever asks you to update Flash Player, go straight to the source, Adobe.com, and download it. If it still says it, reboot your computer. If it still says it, get away from that website.

  • Austin says:

    Have there been any reported cases in the US yet, and have there been any more developments on finding the exact method of infection?

    • Thomas says:

      No on both counts. Someone other than Qihoo 360 may, of course, have samples and they are simply not sharing them.

  • someone says:

    Happened to me; I was able to delete it with anti-virus software. The only way to see the difference with this malware is that the colors have more contrast on the download part.