IC Roll Communication

OceanLotus Mac Trojan Pretends to Be Flash Installer

In May 2015, researchers at Qihoo 360 published a report on OceanLotus that contains details about malware targeting Chinese infrastructure. In this report there is a description of a piece of malware that targets Mac operating systems. A sample of this malware was also uploaded to VirusTotal a few months earlier. Curiously, as of 8th Feb 2016, none of the 55 antivirus solutions used by VirusTotal detect the sample as malicious. Naturally, we thought it would be interesting to take a closer look at the Mac OS X version of OceanLotus.

OceanLotus for Mac OS X is packaged as an application bundle posing as an Adobe Flash update. The files of interest inside the bundle are FlashUpdate.app/Contents/Resources/en.lproj/.en_icon, FlashUpdate.app/Contents/MacOS/EmptyApplication and FlashUpdate.app/Contents/Resources/en.lproj/.DS_Stores.

As mentioned, EmptyApplication is a universal binary that can run on both x86_64 and i386 architectures. It is a fairly simple program that ROL3-decodes the hidden files .DS_Stores and .en_icon and then runs them. For obfuscation, EmptyApplication uses XOR encryption with the key 0xc to scramble strings within the binary.

After decoding .en_icon, EmptyApplication writes it to a temporary directory under the name pboard. The name pboard is presumably chosen to mimic the OS X pasteboard daemon, and this file is used to execute the binary. EmptyApplication then deletes itself, decodes .DS_Stores and writes the decoded binary as EmptyApplication, replacing the original EmptyApplication executable. Finally, the new EmptyApplication is relaunched with a call to the NSTask.launch() method. The decrypted .DS_Stores binary does almost the same thing as the original EmptyApplication, except that it does not look for .DS_Stores.

The decoded .en_icon file is the main Trojan. It has anti-debugging capabilities and handles the connection to the command and control servers. As we will discuss later, the Trojan takes advantage of several Mac-specific system commands and API calls, which makes it clear that it was tailor-made for Mac OS X rather than ported from another platform.

Once again, most strings in the binary are XOR encrypted, but this binary uses multiple keys, and the keys themselves are also XOR encrypted. At startup, the Trojan decrypts several XOR keys. It is interesting to note that the code that sets up the decryption keys is executed before the main entry point, using C++ static constructors.