A SOC team should proactively hunt for processes associated with the OceanLotus Mac backdoor dropper: a match indicates a possible compromise of a macOS endpoint through which the adversary can establish persistence and exfiltrate data. OceanLotus is an advanced persistent threat actor, so hits should be investigated promptly in Azure Sentinel to detect and contain the intrusion while it is still at the dropper stage. The query keys on the string "theme0" appearing in a process command line, as recorded in the DeviceProcessEvents table.
KQL Query
DeviceProcessEvents
| where Timestamp > ago(14d)
| where ProcessCommandLine contains "theme0"
| project Timestamp, DeviceId, DeviceName, AccountName, AccountSid, InitiatingProcessCommandLine, ProcessCommandLine
| top 100 by Timestamp
id: 1b7f5ba1-6712-4d74-ab88-182932b6af0d
name: MacOceanLotusDropper
description: |
  Backdoor processes associated with OceanLotus Mac malware backdoor dropper.
  References:
  https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/
  OS Platforms: Macintosh
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
query: |
  DeviceProcessEvents
  | where Timestamp > ago(14d)
  | where ProcessCommandLine contains "theme0"
  | project Timestamp, DeviceId, DeviceName, AccountName, AccountSid, InitiatingProcessCommandLine, ProcessCommandLine
  | top 100 by Timestamp
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure the MicrosoftThreatProtection data connector is enabled and this table is being populated |
Scenario: System Integrity Protection (SIP) Bypass Tool Usage
Description: An admin uses csrutil to change SIP status, for example to install legitimate software or perform system updates. Note that csrutil disable and csrutil enable only work from the Recovery environment, so a csrutil invocation recorded on the running system is usually a csrutil status check rather than the change itself.
Filter/Exclusion: Check for csrutil in ProcessCommandLine. Prefer to tag these events for review rather than exclude them, because a SIP change is a sensitive action in its own right.
Scenario: Scheduled Maintenance Job
Description: A legitimate scheduled job (e.g., a launchd job or cron task) runs a script whose command line happens to contain the matched string.
Filter/Exclusion: Filter on the parent process (InitiatingProcessId, InitiatingProcessFileName and InitiatingProcessCommandLine in DeviceProcessEvents, the equivalent of filtering by PPID) or check the job against the known legitimate labels in the system's LaunchAgents/LaunchDaemons plists or crontab. Do not exclude every launchd-spawned process outright: malware persistence via a LaunchAgent is started by launchd in the same way.
Scenario: Software Update or Patch Installation
Description: An administrator runs a script or uses a tool like softwareupdate to install patches, which may spawn short-lived helper processes with unusual names.
Filter/Exclusion: Filter on command-line arguments or on known update tools in the process tree (InitiatingProcessFileName, InitiatingProcessParentFileName).
Scenario: System Diagnostics or Monitoring Tool
Description: A legitimate diagnostic tool (e.g., sysdiagnose, the log command, or Console.app) is used to gather logs or diagnostics, which may generate child processes with names resembling the indicator.
Filter/Exclusion: Filter by FileName or check for the known diagnostic tool in the process tree.
Scenario: Admin Task with Similar Process Name
Description: An admin runs a custom script or tool for internal testing or automation whose name or arguments contain the string "theme0". The base query is a substring match, so any such command line will hit, not only one named after the malware.
Filter/Exclusion: Filter by user context (AccountName, AccountSid) or check the tool against the known internal tools in the system's path or scripts; confirm the file hash (SHA256) against the internally approved copy before excluding it.
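The refined hunt below is an added example for this page, not the Azure Sentinel hunting query itself. It keeps the base match on "theme0" from the query above, layers on the exclusions from the scenarios (parent-process and account context), keeps csrutil events visible as a flag instead of dropping them, and ranks results by how many devices ran the same command line, since a dropper should be rare across a fleet while an update or diagnostic tool will not be. The parent and account allow-lists, the names jamf and svc_automation, and the prevalence threshold of 3 are assumptions to be tuned per environment; the columns used are standard DeviceProcessEvents fields.

```kql
// Added example for this page; not the Azure Sentinel hunting query itself.
// Assumes DeviceProcessEvents is populated by the MicrosoftThreatProtection
// connector. The allow-lists are hypothetical placeholders: validate every
// entry against your own fleet before suppressing anything.
let lookback = 14d;
let hits = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    // contains is a case-insensitive substring match, same as the base query;
    // "theme0" is a short string, so expect some unrelated paths to match too.
    | where ProcessCommandLine contains "theme0"
    // Scenarios 3 and 4: update and diagnostic tools that spawn odd children.
    // Matching on the parent (InitiatingProcessFileName) is the Sentinel
    // equivalent of filtering by PPID. "jamf" stands in for a hypothetical MDM
    // agent. launchd is deliberately NOT listed: LaunchAgent/LaunchDaemon
    // persistence is also spawned by launchd, so excluding it hides what we hunt.
    | where not(InitiatingProcessFileName in~ ("softwareupdate", "sysdiagnose", "jamf"))
    // Scenario 5: service account that runs internal automation (hypothetical).
    | where not(AccountName in~ ("svc_automation"))
    // Scenario 1: do not drop csrutil events; surface them as a flag instead,
    // because a SIP change is itself worth a look.
    | extend SipRelated = ProcessCommandLine has "csrutil";
// Fleet prevalence of each matching command line inside the window: a dropper
// should be rare, while a benign tool will show up on many devices.
let prevalence = hits
    | summarize DeviceCount = dcount(DeviceId) by ProcessCommandLine;
hits
| join kind=inner (prevalence) on ProcessCommandLine
| where DeviceCount <= 3   // threshold is an assumption; tune to fleet size
| project Timestamp, DeviceId, DeviceName, AccountName, AccountSid,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          FileName, FolderPath, SHA256, ProcessCommandLine, DeviceCount, SipRelated
| order by DeviceCount asc, Timestamp desc
| take 100
```

Run it in the Sentinel Logs blade against the workspace the MicrosoftThreatProtection connector feeds. Anything that appears on one or two devices with a parent you do not recognise and a SHA256 you cannot attribute to an approved binary is the first thing to pull for triage; rows with SipRelated set deserve a look regardless of prevalence.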