Cybersecurity researchers have linked a new spate of malware assaults to the hacking group APT32, which has suspected links to Vietnam’s government.

The newly identified strain of malware has been engineered to install backdoor access on systems that have been compromised, and is aimed at users of Apple Mac operating systems.

Analysing a malicious campaign

Analysts at cybersecurity software firm, Trend Micro, have documented the recent campaign and connected it to APT32, or OceanLotus as it is also sometimes known. Renowned for targeting foreign firms operating within Vietnam across a wide arrange of industries, including construction, research and media, the aims of APT32 are not entirely clear. Experts believe the group’s motivations involve using espionage tactics to assist or provide an advantage to Vietnamese enterprises.

The backdoor in macOS presents hackers with access to a compromised device, which enables them to spy or rummage through its contents to acquire sensitive data and confidential contracts. Specialists at Trend Micro have connected the campaign to APT32 due to certain similarities in the malware’s behaviour and code compared to samples employed previously by the hacker gang.

Attack vectors employed by OceanLotus

Attacks are typically instigated by simple phishing emails that urge target recipients to execute a Zip file masquerading as Microsoft Word document. The malware is able to circumnavigate detection by anti-malware and antivirus solutions, by employing special characters deeply embedded in the labyrinth of multiple Zip folders.

When the bogus file starts to run, a word document will not appear, so potentially if the victim is paying attention, they may identify the threat. However even by this point, the malicious package is already functioning on the infected device and changing access and authorisation permissions so it can instruct the device to load up the second stage of the malware. This then initiates the third stage of the malicious installation which effectively downloads the hacker’s backdoor onto the vulnerable system. This method of splitting the malware payloads into three different stages has been designed by APT32 to aid with avoiding detection.

As with previous versions of this specific malware, the new attack attempts to gather system data and establishes a backdoor that enables hackers to spy and download sensitive data files. It also empowers them to upload extra malware if necessary. At present, experts believe this type of malware is in a continual state of active development.

Researchers at Trend Micro commented:

“Threat groups such as OceanLotus are actively updating malware variants in attempts to evade detection and improve persistence.”

To avoid this recent attack aimed at macOS users, enterprise personnel must be educated to spot phishing emails and how to handle them. They should be urged to report suspicious messages to IT security teams and be warned against downloading attachments or clicking on any links included in message copy in such communications. Additionally, enterprises should employ the latest security patches and software updates for operating systems as soon as they become available, to ensure devices are never left unprotected from known vulnerabilities waiting to be exploited.