MacOS backdoor appears to be update of tool previously used by Vietnam-linked group

Researchers at Trend Micro say a newly discovered MacOS backdoor uses tactics previously associated with the group known as APT32 or OceanLotus.
Macbook Air, Apple, MacOS
(LibreShot / Martin Vorel)

The hacking group known as APT32 or OceanLotus appears to have a new version of a tool used to infiltrate MacOS computers, according to researchers with cybersecurity company Trend Micro.

The malicious software arrives as a .zip file that tries to disguise itself with a Microsoft Word icon, and it is engineered to evade detection by antivirus software, Trend Micro says. Once activated, the malware serves as a backdoor for other payloads that can exfiltrate data from an infected machine.

It’s the latest sign of expanded or upgraded tactics from APT32, which is known for espionage campaigns that target Southeast Asia. Recent discoveries attributed to the group include efforts to use imitation news sites to spy on users and sometimes infect their machines with malware, and using the Google Play Store to distribute apps surreptitiously loaded with spyware.

In this case, the MacOS backdoor appears to aimed at computers in Vietnam itself.


“The attackers behind this sample are suspected to target users from Vietnam since the document’s name is in Vietnamese and the older samples targeted the same region before,” write researchers Luis Magisa and Steven Du.

The filename cited by Trend Micro includes the phrase “ALL tim nha Chi Ngoc Canada.” In Vietnamese, “tìm nhà Chị Ngọc” roughly translates to “find Mrs. Ngoc’s house,” the report notes.

Once activated, the backdoor inserts a second-stage payload that clears the way for yet another piece of malware that has close similarities to a sample previously cited by Trend Micro in 2018. The malware can upload files to a command and control server and can download and execute more files, the researchers report.

Malware for Apple’s MacOS for laptops and desktop computers generally receives less attention than malicious software aimed at operating systems with larger global footprints, such as Microsoft’s Windows, Apple’s mobile iOS or the Android system. But malicious hackers do develop ways to break into Macs, and most major antivirus companies make scanning tools for the operating system.

Latest Podcasts