For now, researchers believe that the malware is targeting Vietnamese users.
Many threat actors remain in the cyber-world for specific purposes, sometimes monetary and sometimes other ones. One such actor happens to be OceanLotus aka APT32 which has in the past targeted companies including Toyota and government agencies as well.
In the latest, the Vietnamese actor is back as reported by Trend Micro researchers who have found a sample strikingly similar to that of the threat actor’s previous work naming the current one as “Backdoor.MacOS.OCEANLOTUS.F.”
The malware targeting macOS consists of 3 main stages and shows itself as a Word document using a Vietnamese name on the surface but in actuality is an app that is enclosed within a Zip file to avoid detection.
The zip file in itself on the other hand features a shell script as well which executes the malware while showing the word document to the user.
Explaining how this works, the researchers state in a blog post that,
The operating system sees the app bundle as an unsupported directory type, so as a default action the “open” command is used to exe ..