Hacking Group Targets Mac Systems For Data Theft

Matthew Broersma,

Mac users shouldn’t be lulled into a false sense of security, warns Trend Micro

Apple’s Mac computers have been targeted by a hacking group based in Asia that appears to have used targeted emails to spread malware on the platform.

The OceanLotus group, also known as APT32, SeaLotus and Cobalt Kitty, has in the past launched attacks against human rights groups, media organisations, research institutes and maritime construction firms, according to computer security firm Trend Micro.

Last year FireEye said it had found the group was targeting foreign corporations involved in Vietnam’s manufacturing, consumer products and hospitality sectors, as well as network security and technology infrastructure companies. The targets included European and US companies.

The current attack aims at Mac computers with the Perl programming language installed, and if successful installs a backdoor aimed at surveillance and stealing data.

Russian skull security hacker © Alexey Solodov ShutterstockInfected Word document

Trend said it had found a malicious Word document was being used to carry out the attacks.

The Vietnamese-language title of the document makes a reference to HDMC, which Trend identified as a political campaign group.

The document contains a malicious macro that’s obscured character by character. When a user launches the file, they’re advised to enable macros so that the code can run.

The payload, written in Perl, extracts an executable file from the Word documents. That file, in turn, installs the backdoor and establishes it in such a way that it’s persistent on the system, launching at startup.

The malware runs two processes, one of which collects information and sends it to a command server, while the other maintains the backdoor.

Trend said users shouldn’t be lulled into a false sense of security by the relative scarcity of attacks that operate on Mac software.

“Malicious attacks targeting Mac devices are not as common as its counterparts, but the discovery of this new macOS backdoor that is presumably distributed via phishing emails calls for every user to adopt best practices for phishing attacks regardless of operating system,” wrote Trend researcher Jaromir Horejsi in an advisory.

Do you know all about security? Try our quiz!