The vast majority of Mac users have nothing to fear

Feb 22, 2016 14:00 GMT  ·  By

For some peculiar reason, the Mac version of the OceanLotus trojan detected in May 2015 has not been flagged by any antivirus engine, even though it exhibits quite a few dangerous features.

The discovery was made by AlienVault security researchers, who note that, ten months after Qihoo 360 researchers blew the lid off this malware campaign, none of the security products listed on VirusTotal was detecting the Mac version of this trojan.

In its report, Qihoo 360 researchers say they discovered four versions of the OceanLotus trojan, one of which was specifically created to attack Apple computers. The trojan has been used mainly against Chinese targets, most of which are government organizations, educational institutions and local companies specializing in maritime commerce.

There were some similarities between the Mac and Windows versions

Just like the Windows variants, the Mac version of OceanLotus also used fake Adobe Flash installers to infect the user's machine.

This version comes with support for both i386 and x86_64 Mac architectures, and once installed, it also gains boot persistence by setting up its own Launch Agent.
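As an added illustration (not code from the article, AlienVault or Qihoo 360), the following Python script shows the kind of check a defender would run for this persistence mechanism: it parses LaunchAgent property lists and flags jobs that start automatically (RunAtLoad or KeepAlive) and point at an executable outside the usual system and application directories. The sample plists, the trusted-prefix list and the file names are constructed for the example and are not real OceanLotus artifacts.

```python
import os
import glob
import plistlib
from xml.parsers.expat import ExpatError
from typing import Dict, List

# Constructed allow-list of directories a legitimate Launch Agent would normally
# point into; tune it for your own environment.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/Apple/")


def program_path(job: Dict) -> str:
    """Return the executable a launchd job runs: Program, else ProgramArguments[0]."""
    if "Program" in job:
        return str(job["Program"])
    args = job.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def is_suspicious(job: Dict) -> bool:
    """Flag jobs that start at login/boot and run something outside trusted directories."""
    starts_automatically = bool(job.get("RunAtLoad")) or bool(job.get("KeepAlive"))
    path = program_path(job)
    if not path:
        return False
    return starts_automatically and not path.startswith(TRUSTED_PREFIXES)


def review_launch_agents(plists: Dict[str, bytes]) -> List[str]:
    """Parse each plist (file name -> raw bytes) and return the names worth a closer look."""
    flagged = []
    for name, raw in plists.items():
        try:
            job = plistlib.loads(raw)
        except (plistlib.InvalidFileException, ExpatError, ValueError):
            # An unparseable file in a LaunchAgents directory is itself an anomaly.
            flagged.append(name)
            continue
        if is_suspicious(job):
            flagged.append(name)
    return flagged


def load_directory(directory: str) -> Dict[str, bytes]:
    """Read every *.plist in a LaunchAgents directory into memory (hypothetical helper)."""
    plists = {}
    for path in sorted(glob.glob(os.path.join(directory, "*.plist"))):
        with open(path, "rb") as fh:
            plists[os.path.basename(path)] = fh.read()
    return plists


# Constructed sample plists standing in for the contents of ~/Library/LaunchAgents.
SAMPLE_PLISTS = {
    # Hidden binary under the user's home directory, started at every login: flagged.
    "com.example.updater.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array><string>/Users/alice/Library/.hidden/agent</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    # System binary, started at login: trusted prefix, not flagged.
    "com.apple.example.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.example</string>
  <key>Program</key><string>/System/Library/CoreServices/example</string>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    # Odd path but no automatic start: not flagged by this rule.
    "com.example.manual.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.manual</string>
  <key>ProgramArguments</key><array><string>/tmp/helper</string></array>
</dict></plist>""",
    # Not a property list at all: flagged as an anomaly.
    "broken.plist": b"not a plist",
}


if __name__ == "__main__":
    # On a Mac, review the real per-user and system LaunchAgents directories;
    # elsewhere, fall back to the constructed samples.
    found = {}
    for d in (os.path.expanduser("~/Library/LaunchAgents"), "/Library/LaunchAgents"):
        found.update(load_directory(d))
    for name in review_launch_agents(found or SAMPLE_PLISTS):
        print("review:", name)
```

The rule is deliberately simple: it will not catch an agent that launches a trusted interpreter with a malicious script argument, so in practice the ProgramArguments list as a whole, the file's creation time and its code signature are the next things to look at.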

Of course, as with any modern malware family, the trojan uses a C&C (command and control) server to communicate with its owners, from where it receives instructions on what to steal.

OceanLotus for Mac is a powerful spying utility

The trojan has powerful spying capabilities, being able to get a list of local running apps, a list of recently opened documents, and can capture screenshots of the user's desktop.

Additionally, the trojan's C&C server can tell the malware to download various files, unzip app bundles, launch apps into execution, execute code from a dynamic library, kill processes, and delete files.

"The use of OS X specific commands and APIs is evidence that the authors are intimately familiar with the operating system and have spent quite a bit of time customizing it for the OS X environment," AlienVault's Eddie Lee notes. "The OS X version of OceanLotus is clearly a mature piece of malware that is written specifically for OS X."

Besides the mature version, which closely resembled its Windows variants, AlienVault has also reported seeing a simpler version of OceanLotus, which appeared to be an intermediary, testing-only variant.

Since the AlienVault report, the detection rate on VirusTotal has gone from 0/55 to 22/55 (at the time of this article). Since the group that deployed OceanLotus was considered to be an APT targeting victims on a per-attack basis, regular users should be pretty safe from this threat.