Experts at Malwarebytes warn that a new variant of the macOS OceanLotus backdoor is using an innovative technique to avoid detection.
A few years ago the bad actors realized they could use Unicode characters that look like English characters to lead unsuspecting victims to malicious websites. Now they have figured out how to use a similar trick to fool Apple computers too. Substitute a Roman numeral d for a Latin d in .pdf and you may have a way to fool both the computer and the user into running the OceanLotus backdoor.
Wikipedia tells us: Unicode is an industry standard for “the consistent encoding, representation, and handling of text.” Put another way, it tries to assign a distinct code point to every unique character in every writing system, so that a computer can tell a Latin “A” and a Greek capital alpha “Α” apart even though they look alike.
The bad actors figured out that to humans, a URL written in Latin characters, ‘aaa.com’, looks the same as ‘aaa.com’ written with the Cyrillic letter ‘а’ (U+0430), but computers treat these as different strings and will take you to two different websites depending on which one you click.
In 2001, this became known as the internationalized domain name (IDN) homograph attack. Most browsers now have defenses against such attacks, and while some creative folks are still finding new ways to exploit Unicode lookalikes in browsers, it appears others have moved on to file-based attacks.
To make life easier for users, operating systems (OSes) let users double-click a file in the GUI and take it from there. If the file is a document, the appropriate application runs and the requested file is opened. If the file is an application, the OS runs the program. Windows operating systems simply look at the file extension to determine the file type. macOS became more diligent after a series of attacks in 2009 in which bad actors renamed applications to carry document file extensions, getting past the security controls of the time.
</gml_replace>
<gr_replace lines="7-7" cat="clarify" orig="In response, Apple implemented">
In response, Apple implemented “File Quarantine” in a number of applications that download files from the Internet. Think: Safari, Messages, iChat, and Mail. To identify applications, macOS looks at the file extension, but it also inspects the internal structure of the item to determine whether it is really an application that has been renamed to look like a document. If it appears to be an application, the user receives a warning that the file is “an application downloaded from the Internet” and is given the option not to open it.
In response, Apple implemented “File Quarantine” in a number of applications that download files from the Internet. Think: Safari, Messages, iChat, and mail. To identify applications, MacOS looks at the file extension, but also looks at the internal structure of files with known document extensions to determine if it is a renamed application. If it appears to be an application, the user receives a warning that the file is “an application downloaded from the Internet” and given the option to avoid opening it.
This all seems like a good plan until some crafty person leveraged the confusion that comes with Unicode lookalike characters to create the OSX.HiddenLotus.A attack. In this attack, the victim receives the file “Lê Thu Hà (HAEDC).pdf”, which looks like a benign PDF document, but macOS knows better because the internal structure gives it away as an application that could contain malware. Following the File Quarantine procedure, the user sees the popup warning shown above. But wait: it doesn’t have an “unknown extension”, it has a PDF extension, doesn’t it?
This is where the Unicode magic comes in to fool the computer. The “d” in the .pdf extension above isn’t the Latin letter d (U+0064); it is the Roman numeral “ⅾ” (U+217E, SMALL ROMAN NUMERAL FIVE HUNDRED), which looks the same to human eyes but is a different code point to the computer. macOS knows that the genuine .pdf extension should be opened by a PDF reader such as Preview or Adobe Reader, but the malware’s look-alike .pdf extension has no registered application. Because the item is internally structured like an application, macOS falls back on that structure, treats it as an application, and asks the user.
Note: there is nothing magic about “pdf” in this case, other than that it looks benign to humans and is unrecognized by macOS.
“The HiddenLotus dropper is a folder with the proper internal bundle structure to be an application, and it uses an extension of .pdf, where the ‘d’ is a Roman numeral, not a letter. Although this extension looks exactly the same as the one used for Adobe Acrobat files, it’s completely different, and there are no applications registered to handle that extension. Thus, the system will fall back on the bundle structure, treating the folder as an application, even though it does not have a telltale .app extension.” reads the analysis published by MalwareBytes.
“There is nothing particularly special about this .pdf extension (using a Roman numeral ‘d’) except that it is not already in use. Any other extension that is not in use will work just as well.”
Any unknown extension will have this behavior. But imagine what happens when the popup box warns that “Lê Thu Hà (HAEDC).pdf is an application downloaded from the Internet. Are you sure you want to open it?”
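The two properties described above, an extension that is not a registered ASCII extension and a folder laid out like an application bundle, are both things a mail gateway, download scanner or incident responder can check for. The following is an added example written for this article; it is not code from Malwarebytes or Apple. It inspects only the extension of a filename, reports any non-ASCII code points in it, and uses NFKC normalization to recover the ASCII extension a human would read (NFKC folds U+217E to “d”). Because NFKC does not fold cross-script lookalikes such as Cyrillic letters, a small, deliberately partial lookalike table is included as an assumption; Unicode’s confusables.txt would be the authoritative source in production. The sample filenames and the bundle-shaped folder built in `demo()` are constructed for the example.

```python
import os
import tempfile
import unicodedata
from pathlib import Path, PurePosixPath

# Partial table of cross-script lookalikes (Cyrillic -> Latin) that NFKC does
# NOT fold. This is an assumption for the example, not a complete confusables
# list; Unicode's confusables.txt is the authoritative source.
CROSS_SCRIPT_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0455": "s", "\u0458": "j", "\u0445": "x", "\u0456": "i",
}


def analyze_extension(filename):
    """Inspect only the extension of `filename`, the part the OS keys on.

    Any non-ASCII code point in the extension is suspicious: it cannot match
    a registered document type such as .pdf. NFKC normalization folds
    compatibility characters (e.g. U+217E SMALL ROMAN NUMERAL FIVE HUNDRED
    becomes 'd'), which recovers the extension the attacker wants seen.
    """
    ext = PurePosixPath(filename).suffix          # includes the leading dot
    non_ascii = [c for c in ext if ord(c) > 0x7F]
    folded = unicodedata.normalize("NFKC", ext)
    folded = "".join(CROSS_SCRIPT_LOOKALIKES.get(c, c) for c in folded)
    return {
        "extension": ext,
        "suspicious": bool(non_ascii),
        "non_ascii": [f"U+{ord(c):04X} {unicodedata.name(c, 'UNKNOWN')}"
                      for c in non_ascii],
        # The ASCII extension a human would read, or None if we cannot tell.
        "looks_like": folded if non_ascii and folded.isascii() else None,
    }


def looks_like_app_bundle(path):
    """True if `path` is a directory laid out like a macOS application bundle
    (Contents/Info.plist plus a Contents/MacOS directory), whatever its name."""
    contents = Path(path) / "Contents"
    return (Path(path).is_dir()
            and (contents / "Info.plist").is_file()
            and (contents / "MacOS").is_dir())


def triage(path):
    """Combine the extension check and the bundle-structure check."""
    report = analyze_extension(os.path.basename(str(path)))
    report["app_bundle"] = looks_like_app_bundle(path)
    if report["app_bundle"] and report["suspicious"]:
        report["verdict"] = "disguised application"
    elif report["app_bundle"]:
        report["verdict"] = "application"
    elif report["suspicious"]:
        report["verdict"] = "lookalike extension"
    else:
        report["verdict"] = "ok"
    return report


def demo():
    """Build a constructed sample tree in a temp dir and triage each item."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        root = Path(root)
        # Constructed stand-in for the HiddenLotus dropper: a bundle-shaped
        # folder whose extension reads '.pdf' but uses U+217E for the 'd'.
        fake = root / "L\u00ea Thu H\u00e0 (HAEDC).p\u217ef"
        (fake / "Contents" / "MacOS").mkdir(parents=True)
        (fake / "Contents" / "Info.plist").write_text("<plist/>")
        # Constructed benign document with the real ASCII extension.
        benign = root / "report.pdf"
        benign.write_bytes(b"%PDF-1.4\n")
        # Constructed plain file whose extension uses Cyrillic 'je' (U+0458).
        cyr = root / "photo.\u0458pg"
        cyr.write_bytes(b"\xff\xd8\xff")
        for p in (fake, benign, cyr):
            results[p.name] = triage(p)
    return results


if __name__ == "__main__":
    for name, report in demo().items():
        print(f"{name!r}: {report['verdict']} {report['non_ascii']}")
```

Note that the accented letters in “Lê Thu Hà” are ignored on purpose: non-ASCII in the stem is normal for real users’ documents, while non-ASCII in the extension can never match a registered type. An extension whose lookalike cannot be resolved (for example one using a Greek letter not in the table) is still flagged as suspicious, since, as the Malwarebytes analysis says, any unused extension triggers the same fallback to bundle structure.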
How many users will notice “application” in that popup box — which is the important part — or will they quickly scan the message and get “are you sure you want to open this PDF file from the Internet?”
Apple has updated the macOS XProtect anti-malware system to watch for this specific attack and present a stronger warning to the user. But there are many characters besides the Roman numeral “d” that can be leveraged for similar attacks. The game of cat and mouse continues.
About the author: Steve Biswanger has over 20 years experience in Information Security consulting, and is a frequent speaker on risk, ICS and IoT topics. He is currently Director of Information Security for Encana, a North American oil & gas company and sits on the Board of Directors for the (ISC)2 Alberta Chapter.