Vietnam-Linked Cyberspies Use New macOS Backdoor in Attacks
Trend Micro's security researchers have identified a new macOS backdoor that they believe is used by the Vietnamese threat actor OceanLotus.
A document used in the campaign features a Vietnamese name, which has led researchers to believe that users from Vietnam have been targeted with the new malware.
Within the app bundle, the security researchers discovered two files, namely a shell script that performs multiple malicious routines, and a Word file that is displayed during execution.
The shell script deletes the file quarantine attribute from the files in the bundle and removes the file quarantine attribute of files in the system. It then copies the Word document to a temp directory and opens it, extracts the second-stage binary and changes its access permissions, and finally deletes the malware app bundle and the Word document from the system.
Similar to older OceanLotus samples, the backdoor can perform various operations based on received commands: get file size, fetch and run file, remove/download/upload file, exit, run commands in the terminal, and get configuration information.
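An added detection example for the shell-script routine described above (not code from Trend Micro or from this page): it groups child commands by parent script and flags a script running from inside an .app bundle that strips the quarantine attribute and also marks a file executable or deletes its own bundle. The event format, paths and tag names are constructed assumptions.

```python
import json
import re
import shlex
from collections import defaultdict

# Constructed process-execution events; field names and paths are assumptions.
SAMPLE_EVENTS = """
{"parent": "/Users/a/Downloads/Doc.app/Contents/MacOS/launch.sh", "cmd": "xattr -d -r com.apple.quarantine /Users/a/Downloads/Doc.app"}
{"parent": "/Users/a/Downloads/Doc.app/Contents/MacOS/launch.sh", "cmd": "cp /Users/a/Downloads/Doc.app/Contents/Resources/doc.doc /tmp/doc.doc"}
{"parent": "/Users/a/Downloads/Doc.app/Contents/MacOS/launch.sh", "cmd": "chmod +x /tmp/stage2"}
{"parent": "/Users/a/Downloads/Doc.app/Contents/MacOS/launch.sh", "cmd": "rm -rf /Users/a/Downloads/Doc.app"}
{"parent": "/Applications/Tool.app/Contents/MacOS/helper.sh", "cmd": "chmod 755 /usr/local/bin/tool"}
{"parent": "/bin/zsh", "cmd": "xattr -d com.apple.quarantine /Users/a/Downloads/notes.pdf"}
"""

def bundle_of(path):
    """Return the enclosing .app bundle of a path, or None."""
    m = re.match(r"(.*?\.app)(?:/|$)", path)
    return m.group(1) if m else None

def classify(argv, bundle):
    """Map one child command to a behaviour tag from the described routine."""
    tool, args = argv[0].rsplit("/", 1)[-1], argv[1:]
    flags = "".join(a[1:] for a in args if a.startswith("-"))
    if tool == "xattr" and ("c" in flags or ("d" in flags and "com.apple.quarantine" in args)):
        return "quarantine_removed"  # -d deletes one attribute, -c clears all
    if tool == "chmod":
        mode = next((a for a in args if not a.startswith("-")), "")
        octal_exec = re.fullmatch(r"[0-7]{3,4}", mode) and any(int(d) & 1 for d in mode[-3:])
        if re.search(r"\+[rwxXst]*x", mode) or octal_exec:
            return "made_executable"
    if tool == "rm" and any(a.rstrip("/") == bundle for a in args):
        return "self_delete"  # the script removes the bundle it runs from
    return None

def detect(lines, threshold=2):
    """Return {parent_script: [tags]} for bundle scripts matching the pattern."""
    seen = defaultdict(set)
    for line in filter(str.strip, lines):
        ev = json.loads(line)
        bundle = bundle_of(ev["parent"])
        if bundle is None:
            continue  # only scripts running from inside an app bundle
        tag = classify(shlex.split(ev["cmd"]), bundle)
        if tag:
            seen[ev["parent"]].add(tag)
    return {p: sorted(t) for p, t in seen.items()
            if "quarantine_removed" in t and len(t) >= threshold}
```

Requiring quarantine removal plus at least one other behaviour keeps a lone `chmod` from an installed app, or a user clearing the attribute from a terminal, out of the results.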