Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
69 lines (61 sloc) 3.95 KB
{
"platform": "darwin",
"queries": {
"OceanLotus_12f941f43b5aba416cbccabf71bce2488a7e642b90a3a1cb0e4c75525abb2888_launchagent": {
"query": "select * from launchd where name = 'com.google.plugins.plist';",
"interval": "3600",
"version": "1.4.5",
"description": "OceanLotus Launch Agent (https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update)",
"value": "Artifact used by this malware"
},
"OceanLotus_12f941f43b5aba416cbccabf71bce2488a7e642b90a3a1cb0e4c75525abb2888_dropped_file_1": {
"query": "select * from file, ( select '/Library/Logs/.Logs/corevideosd' ioc union select '/Library/.SystemPreferences/.prev/.ver.txt' ioc union select '/Library/Parallels/.cfg' ioc union select '/Library/Preferences/.fDTYuRs' ioc union select '/Library/Hash/.Hashtag/.hash' ioc union select '/Library/Hash/.hash' ioc) iocs where file.path LIKE '/Users/%/' || ioc OR file.path = iocs.ioc OR file.path LIKE '/tmp/crunzip.temp.%';",
"interval": "3600",
"version": "1.4.5",
"description": "OceanLotus dropped file (https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update)",
"value": "Artifact used by this malware"
},
"OceanLotus_07154b7a45937f2f5a2cda5b701504b179d0304fc653edb2d0672f54796c35f7_launchagent": {
"query" : "select * from launchd where name = 'com.apple.mtmfsd.plist' OR name = 'com.apple.openssl.plist';",
"interval" : "3600",
"version": "1.4.5",
"description" : "(https://researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-backdoor-oceanlotus/)",
"value" : "Artifact used by this malware"
},
"OceanLotus_07154b7a45937f2f5a2cda5b701504b179d0304fc653edb2d0672f54796c35f7_dropped_file": {
"query" : "select * from file where path = '/Library/TimeMachine/bin/mtmfs' OR path = '~/Library/OpenSSL/0000%';",
"interval" : "3600",
"version": "1.4.5",
"description" : "(https://researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-backdoor-oceanlotus/)",
"value" : "Artifact used by this malware"
},
"HiddenLotus_f261815905e77eebdb5c4ec06a7acdda7b68644b1f5155049f133be866d8b179_launchagent": {
"query" : "select * from launchd where name = 'com.apple.hidd.shared.plist';",
"interval" : "3600",
"version": "1.4.5",
"description" : "(https://blog.r3doubt.io)",
"value" : "Artifact used by this malware"
},
"HiddenLotus_f261815905e77eebdb5c4ec06a7acdda7b68644b1f5155049f133be866d8b179_dropped_file": {
"query" : "select * from file where path = '~/Library/Containers/com.apple.lateragent/Data/Library/Preferences/hidd';",
"interval" : "3600",
"version": "1.4.5",
"description" : "(https://blog.r3doubt.io)",
"value" : "Artifact used by this malware"
},
"OceanLotus_2bb855dc5d845eb5f2466d7186f150c172da737bfd9c7f6bc1804e0b8d20f22a_launchagent": {
"query" : "select * from launchd where name = 'com.apple.screen.assistantd.plist' OR name = 'com.apple.spell.agent.plist';",
"interval" : "3600",
"version": "1.4.5",
"description" : "(https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/?utm_campaign=shareaholic&utm_medium=twitter&utm_source=socialnetwork)",
"value" : "Artifact used by this malware"
},
"OceanLotus_2bb855dc5d845eb5f2466d7186f150c172da737bfd9c7f6bc1804e0b8d20f22a_dropped_file": {
"query" : "select * from file where path = '/Library/CoreMediaIO/Plug-Ins/FCP-DAL/iOSScreenCapture.plugin/Contents/Resources/screenassistantd' OR path = '~/Library/Spelling/spellagentd';",
"interval" : "3600",
"version": "1.4.5",
"description" : "(https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/?utm_campaign=shareaholic&utm_medium=twitter&utm_source=socialnetwork)",
"value" : "Artifact used by this malware"
}
}
}
You can’t perform that action at this time.