{"description": "Enterprise techniques used by OSX_OCEANLOTUS.D, ATT&CK software S0352 (v3.1)", "name": "OSX_OCEANLOTUS.D (S0352)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) can also use HTTP POST and GET requests to send and receive C2 information.(Citation: Trend Micro MacOS Backdoor November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1560", "showSubtechniques": true}, {"techniqueID": "T1560.002", "comment": "[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) scrambles and encrypts data using AES256 before sending it to the C2 server.(Citation: TrendMicro MacOS April 2018)(Citation: Trend Micro MacOS Backdoor November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1560.003", "comment": "[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) has used AES in CBC mode to encrypt collected data when saving that data to disk.(Citation: Unit42 OceanLotus 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) uses PowerShell scripts.(Citation: TrendMicro MacOS April 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.004", "comment": "[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) uses a shell script as the main executable inside an app bundle and drops an embedded base64-encoded payload to the /tmp folder.(Citation: Trend Micro MacOS Backdoor November 2020)(Citation: sentinelone apt32 macOS backdoor 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.005", "comment": 
"[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) uses Word macros for execution.(Citation: TrendMicro MacOS April 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543", "showSubtechniques": true}, {"techniqueID": "T1543.001", "comment": "[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) can create a persistence file in the folder /Library/LaunchAgents.(Citation: TrendMicro MacOS April 2018)(Citation: Trend Micro MacOS Backdoor November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543.004", "comment": "If running with root permissions, [OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) can create a persistence file in the folder /Library/LaunchDaemons.(Citation: TrendMicro MacOS April 2018)(Citation: sentinelone apt32 macOS backdoor 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1132", "showSubtechniques": true}, {"techniqueID": "T1132.001", "comment": "[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) has used `zlib` to compress all data after 0x52 for the custom TCP C2 protocol.(Citation: Unit42 OceanLotus 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) has the ability to upload files from a compromised host.(Citation: Trend Micro MacOS Backdoor November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": "[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) uses a decode routine combining bit shifting and XOR operations with a variable key that depends on the length of the string that was encoded. If the computation for the variable XOR key turns out to be 0, the default XOR key of 0x1B is used. 
This routine is also referenced as the `rotate` function in reporting.(Citation: Unit42 OceanLotus 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) encrypts data sent back to the C2 using AES in CBC mode with a null initialization vector (IV) and a key sent from the server that is padded to 32 bytes.(Citation: Unit42 OceanLotus 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1222", "showSubtechniques": true}, {"techniqueID": "T1222.002", "comment": "[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) has changed permissions of a second-stage payload to an executable via chmod.(Citation: sentinelone apt32 macOS backdoor 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1564", "showSubtechniques": true}, {"techniqueID": "T1564.001", "comment": "[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) sets the main loader file\u2019s attributes to hidden.(Citation: TrendMicro MacOS April 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) has a command to delete a file from the system. 
[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) deletes the app bundle and dropper after execution.(Citation: TrendMicro MacOS April 2018)(Citation: Trend Micro MacOS Backdoor November 2020)(Citation: Unit42 OceanLotus 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070.006", "comment": "[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) can use the touch -t command to change timestamps.(Citation: Trend Micro MacOS Backdoor November 2020)(Citation: 20 macOS Common Tools and Techniques)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) has a command to download and execute a file on the victim\u2019s machine.(Citation: TrendMicro MacOS April 2018)(Citation: Trend Micro MacOS Backdoor November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.004", "comment": "[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) uses file naming conventions with associated executable locations to blend in with the macOS TimeMachine and OpenSSL services. 
For example, naming a LaunchAgent plist file `com.apple.openssl.plist` which executes [OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) from the user's `~/Library/OpenSSL/` folder upon user login.(Citation: Unit42 OceanLotus 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036.008", "comment": "[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) has disguised its true file structure as an application bundle by adding special characters to the filename and using the icon for legitimate Word documents.(Citation: Trend Micro MacOS Backdoor November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1095", "comment": "[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) has used a custom binary protocol over port 443 for C2 traffic.(Citation: Unit42 OceanLotus 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1571", "comment": "[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) has used a custom binary protocol over TCP port 443 for C2.(Citation: Unit42 OceanLotus 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.002", "comment": "[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) has a variant that is packed with UPX.(Citation: ESET OceanLotus macOS April 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) encrypts its strings in RSA256 and encodes them in a custom base64 scheme and XOR.(Citation: TrendMicro MacOS April 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1129", "comment": "For network communications, [OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) loads a dynamic library (`.dylib` file) using `dlopen()` and obtains a function pointer to execute within 
that shared library using `dlsym()`.(Citation: Unit42 OceanLotus 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1553", "showSubtechniques": true}, {"techniqueID": "T1553.001", "comment": "[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) uses the command xattr -d com.apple.quarantine to remove the quarantine file attribute used by Gatekeeper.(Citation: Trend Micro MacOS Backdoor November 2020)(Citation: 20 macOS Common Tools and Techniques)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) collects processor information, memory information, computer name, hardware UUID, serial number, and operating system version. [OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) has used the ioreg command to gather some of this information.(Citation: TrendMicro MacOS April 2018)(Citation: Trend Micro MacOS Backdoor November 2020)(Citation: 20 macOS Common Tools and Techniques)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) can collect the network interface MAC address on the infected host.(Citation: TrendMicro MacOS April 2018)(Citation: Trend Micro MacOS Backdoor November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1497", "showSubtechniques": true}, {"techniqueID": "T1497.001", "comment": "[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) checks a number of system parameters to see if it is being run on real hardware or in a virtual machine environment, such as `sysctl hw.model` and the kernel boot time.(Citation: Unit42 OceanLotus 2017)(Citation: ESET OceanLotus macOS April 2019)(Citation: 20 macOS Common Tools and Techniques)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, 
"maxValue": 1}, "legendItems": [{"label": "used by OSX_OCEANLOTUS.D", "color": "#66b1ff"}]}
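The T1036.004 and T1543.001/T1543.004 entries in this layer describe the same persistence pattern: a launchd plist carrying an Apple-looking label (`com.apple.openssl.plist`) whose program actually lives in a user-writable folder (`~/Library/OpenSSL/`). The script below is an added triage example, not part of the ATT&CK layer or of any of the cited vendor reports. It parses launchd plists with the standard-library `plistlib` and flags any item whose label starts with `com.apple.` but whose executable sits outside Apple-owned paths. Assumptions: the `APPLE_PROGRAM_PREFIXES` allow-list is a heuristic, the home directory `/Users/victim`, the executable name `openssl` inside `~/Library/OpenSSL/`, and all three sample plists are constructed for illustration. On a live host you would feed it the files under `~/Library/LaunchAgents`, `/Library/LaunchAgents` and `/Library/LaunchDaemons`.

```python
"""Flag launchd items with an Apple-style label backed by a non-Apple program.

Added example (not from the ATT&CK layer or the cited reports). Sample data
below is constructed; only the com.apple.openssl / ~/Library/OpenSSL pairing
is taken from the T1036.004 entry.
"""
import plistlib

# Heuristic (assumption): where a genuinely Apple-labelled launch item is
# expected to execute from. Anything else is user- or admin-writable.
APPLE_PROGRAM_PREFIXES = (
    "/System/",
    "/usr/bin/",
    "/usr/sbin/",
    "/usr/libexec/",
    "/Library/Apple/",
)


def program_of(item: dict):
    """Return the executable launchd would run: Program, else ProgramArguments[0]."""
    prog = item.get("Program")
    if not prog:
        args = item.get("ProgramArguments") or []
        prog = args[0] if args else None
    return prog


def expand_home(path: str, home: str) -> str:
    """Expand a leading '~' against the given home so prefix checks are uniform.

    launchd itself does not expand '~'; this is purely for normalisation.
    """
    if path == "~" or path.startswith("~/"):
        return home + path[1:]
    return path


def check_launch_item(path: str, plist_bytes: bytes, home: str = "/Users/victim"):
    """Return a finding dict for a masquerading item, or None if it looks consistent."""
    try:
        item = plistlib.loads(plist_bytes)
    except Exception as exc:  # malformed or non-plist input: surface it, don't crash the sweep
        return {"path": path, "reason": f"unparseable plist: {exc}"}
    label = str(item.get("Label", ""))
    prog = program_of(item)
    if prog is None:
        return None
    prog = expand_home(str(prog), home)
    if label.startswith("com.apple.") and not prog.startswith(APPLE_PROGRAM_PREFIXES):
        return {
            "path": path,
            "label": label,
            "program": prog,
            "reason": "Apple-style label but program outside Apple-owned paths",
        }
    return None


def scan(items, home: str = "/Users/victim"):
    """Run check_launch_item over (path, bytes) pairs and collect findings."""
    findings = []
    for path, data in items:
        finding = check_launch_item(path, data, home)
        if finding:
            findings.append(finding)
    return findings


HOME = "/Users/victim"  # constructed

SAMPLE_ITEMS = [
    # Modelled on the T1036.004 entry. Executable name "openssl" is an assumption.
    (f"{HOME}/Library/LaunchAgents/com.apple.openssl.plist",
     plistlib.dumps({"Label": "com.apple.openssl",
                     "ProgramArguments": [f"{HOME}/Library/OpenSSL/openssl"],
                     "RunAtLoad": True, "KeepAlive": True})),
    # Constructed benign Apple item: label and program both Apple-owned.
    ("/System/Library/LaunchAgents/com.apple.example.plist",
     plistlib.dumps({"Label": "com.apple.example",
                     "Program": "/System/Library/CoreServices/example"})),
    # Constructed third-party item: not Apple-labelled, so out of scope for this check.
    (f"{HOME}/Library/LaunchAgents/com.example.updater.plist",
     plistlib.dumps({"Label": "com.example.updater",
                     "ProgramArguments": ["~/Library/Application Support/Example/updater"]})),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_ITEMS, HOME):
        print(f"[!] {f['path']}: {f['reason']} ({f.get('program')})")
```

The check deliberately keys on the label/program mismatch rather than on the literal `com.apple.openssl` name, so it also catches other Apple-themed labels pointing into `~/Library` or `/tmp`; pair it with the `xattr -d com.apple.quarantine` and `touch -t` indicators from the T1553.001 and T1070.006 entries when building a fuller macOS triage.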