OceanLotus popularly known to be APT-C-00 and APT32 been observed mainly targeting government and corporate entities in Southeast Asia. The newly discovered sample shows similarities in dynamic behavior and code, clearly suggesting a link to the threat actor.

A document used in the campaign features a Vietnamese name, which has led researchers to believe that users from Vietnam have been targeted with the new malware.

The observed sample masquerades as a Word document but it is an app bundled in a ZIP archive, which features special characters in its name, in an attempt to evade detection.

The app bundle, seen by the operating system as an unsupported directory type, meaning that the ‘open’ command is used to execute it. Within the bundle discovered two files, namely a shell script that performs multiple malicious routines, and a Word file that is displayed during execution.

The shell script is responsible for deleting the file quarantine attribute for the files in the bundle and for removing the file quarantine attribute of files in the system, copying the Word document to a temp directory and opening it, extracting the second-stage binary and changing its access permissions, then deleting the malware app bundle and the Word document from the system. Inturn it’s responsible for dropping a third-stage payload, creating persistence, changing the timestamp of the sample using the touch command, and deleting itself.

The third-stage payload contains two main functions, for collecting and sending operating system information to the command and control (C&C) servers, for receiving additional communication information, and for performing backdoor activities.

Similar to older OceanLotus samples, the backdoor can perform various operations based on received commands: get file size, fetch and run file, remove/download/upload file, exit, run commands in the terminal, and get configuration information.