Dropping Lotus Bombs: Adversary Emulation for macOS & Linux

Jon Baker, MITRE-Engenuity
Oct 11, 2023 (5 min read)

Written by L. Piper and Cat Self.

Adversary emulation plans enable organizations to test their cyber defenses against actual adversary behavior. In 2020, the Center for Threat-Informed Defense launched the Adversary Emulation Library as an open resource that organizations can use to evaluate their defensive capabilities against real-world threats. Since the Library’s launch, we have published 11 full emulation plans and 12 micro emulation plans, all focused on Windows operating systems.

Open-source threat intelligence reporting shows that adversaries operate on systems other than Windows, such as macOS and Linux. With this knowledge, we thought it important to include those platforms in our adversary emulation library. Consequently, in partnership with AttackIQ, Inc., CrowdStrike, Inc., Fujitsu, and IBM Security, the Center developed an OceanLotus emulation plan, our first non-Windows-focused emulation plan.

This latest adversary emulation plan gives visibility into threats against two critical operating systems (i.e., macOS and Linux). It is also our first emulation plan for offensive operations that includes a documented range setup.

In this blog post, we’ll give a brief background on OceanLotus, provide a high-level overview of the emulation plan, and end with how you can contribute. In a second blog, we will offer a deep dive into how we selected OceanLotus and provide an in-depth technical overview of the emulation plan. Follow the Center for Threat-Informed Defense on LinkedIn for the next update.

Who is OceanLotus?

When asking this question, a good place to start is the ATT&CK group page for OceanLotus (G0050). OceanLotus (aka APT32, SeaLotus, APT-C-00) is a suspected Vietnam-based threat group that has been active since at least 2012. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists. With a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia, they are highly selective when choosing victims, using strategic web attacks aimed specifically at their targets.[1][2][3]

The Emulation Plan

Figure 2: Operations Flow

The above diagram shows the operations flow of our emulation plan, starting on the macOS host and moving to the Linux host. We are using an assumed-breach scenario for this emulation plan. For a detailed playbook of the commands and code executed, reference our Emulation Plan website. (A big shout out to Melanie Chan for the OSX.OceanLotus development and to Jared Stroud for the Rota Jakiro development.)

Our scenario starts with an imaginary victim, Hope Potter, downloading a macOS application bundle disguised as a Word document from an OceanLotus-compromised website. After Hope double-clicks the malicious bundle, a bash script drops three files to disk, one of which connects to an OceanLotus C2 server. OceanLotus then performs discovery techniques against remote services, including SSH. Hope then logs into a Linux file server using SSH, which gives OceanLotus access to Hope’s SSH key. Through the C2 channel, a backdoor is then copied to the Linux host.

The backdoor is executed and immediately establishes persistence using two autorun files, which monitor each other to ensure they can restart in case one of them dies. From there, the backdoor performs some discovery techniques and identifies a mounted drive and some files of interest. The backdoor then exfiltrates the files of interest and completes its objectives.
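The initial access step above relies on a macOS application bundle masquerading as a Word document. A defender triaging a user's Downloads folder can flag such lures on structure alone: a document-like extension sitting in front of `.app`, a document-style icon declared in `Info.plist`, and a main executable that is a shell script rather than a Mach-O binary (the plan's bundle launches a bash dropper). The following is an added example of that triage check; it is not code from the Center's emulation plan or repository. The extension list, icon hints, bundle names and the temporary sample tree it builds are all constructed for this example.

```python
import plistlib
import tempfile
from pathlib import Path
from typing import Dict, List

# Document extensions a lure might place in front of ".app" so that Finder shows a
# document-looking name (constructed list for this example, not from the plan).
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx", ".rtf", ".txt"}
# Substrings in CFBundleIconFile that suggest the icon imitates an office document.
DOCUMENT_ICON_HINTS = ("word", "doc", "pdf", "excel", "office")


def is_app_bundle(path: Path) -> bool:
    """A macOS app bundle is a directory named *.app containing Contents/MacOS."""
    return path.is_dir() and path.suffix.lower() == ".app" and (path / "Contents" / "MacOS").is_dir()


def inspect_bundle(bundle: Path) -> List[str]:
    """Return a list of masquerading indicators for one bundle (empty if none)."""
    findings: List[str] = []
    # 1. Double extension: "Report.doc.app" reads as a Word document in Finder.
    if Path(bundle.stem).suffix.lower() in DOCUMENT_EXTENSIONS:
        findings.append("document-like double extension")
    # Assumes a well-formed Info.plist; a missing plist is treated as empty.
    info: Dict = {}
    info_path = bundle / "Contents" / "Info.plist"
    if info_path.is_file():
        with info_path.open("rb") as fh:
            info = plistlib.load(fh)
    # 2. Icon file named after an office document format.
    icon = str(info.get("CFBundleIconFile", "")).lower()
    if any(hint in icon for hint in DOCUMENT_ICON_HINTS):
        findings.append(f"document-style icon '{icon}'")
    # 3. Main executable starts with a shebang, i.e. a script, not a Mach-O binary.
    exe_name = str(info.get("CFBundleExecutable") or bundle.stem)
    exe = bundle / "Contents" / "MacOS" / exe_name
    if exe.is_file():
        with exe.open("rb") as fh:
            head = fh.read(2)
        if head == b"#!":
            findings.append("main executable is a script (shebang), not a Mach-O binary")
    return findings


def scan_for_disguised_bundles(root: Path) -> List[Dict[str, object]]:
    """Walk a directory tree and report every app bundle with at least one indicator."""
    results: List[Dict[str, object]] = []
    for candidate in sorted(root.rglob("*.app")):
        if not is_app_bundle(candidate):
            continue
        findings = inspect_bundle(candidate)
        if findings:
            results.append({"bundle": candidate.name, "findings": findings})
    return results


def build_sample_tree() -> Path:
    """Constructed sample: one lure bundle and one ordinary app in a temp directory."""
    root = Path(tempfile.mkdtemp(prefix="bundle-scan-"))
    lure = root / "Downloads" / "Quarterly Report.doc.app"
    (lure / "Contents" / "MacOS").mkdir(parents=True)
    # The lure's main executable is a (constructed, inert) bash script.
    (lure / "Contents" / "MacOS" / "Quarterly Report.doc").write_text(
        "#!/bin/bash\necho 'constructed sample, does nothing'\n")
    with (lure / "Contents" / "Info.plist").open("wb") as fh:
        plistlib.dump({"CFBundleExecutable": "Quarterly Report.doc",
                       "CFBundleIconFile": "word.icns",
                       "CFBundleIdentifier": "example.constructed.lure"}, fh)
    benign = root / "Applications" / "Notes.app"
    (benign / "Contents" / "MacOS").mkdir(parents=True)
    # A native binary is represented by a few bytes of 64-bit Mach-O magic.
    (benign / "Contents" / "MacOS" / "Notes").write_bytes(b"\xcf\xfa\xed\xfe" + b"\x00" * 16)
    with (benign / "Contents" / "Info.plist").open("wb") as fh:
        plistlib.dump({"CFBundleExecutable": "Notes", "CFBundleIconFile": "AppIcon.icns"}, fh)
    return root


if __name__ == "__main__":
    # Point scan_for_disguised_bundles at ~/Downloads on a real host; here it runs on the sample.
    for hit in scan_for_disguised_bundles(build_sample_tree()):
        print(hit["bundle"], "->", "; ".join(hit["findings"]))
```

Each indicator on its own has benign explanations (some legitimate apps ship script launchers, and icon names are free-form), so the value of the check is in the combination: a bundle that trips all three in a downloads directory is worth quarantining and reviewing before a user double-clicks it, which is exactly the moment the scenario above turns into a C2 connection.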

Building a macOS environment

We also wanted to make it much easier to set up a macOS environment for adversary emulation. Enter our hero Michael Butt. Michael built Terraform scripts for easy deployment of the macOS environment, represented in the diagram below, so that the emulation is easier to execute.

You can find the setup scripts for our AWS environment configuration here.

Figure 3: OceanLotus Emulation Environment

Where do we go from here?

Now that we have released our first macOS and Linux emulation plan, we want to know what you think about the work. We hope you will head to our repository and take the plan for a test drive to see if it can be a valuable security tool in your macOS environment. If something isn’t working for you, or you have suggestions on how to make it better, we’re all ears at ctid@mitre-engenuity.org.

  1. Grab an issue and fix it. We encourage the community to contribute emulation code and fix bugs in our repository. These issues can range from helping us fix broken links to implementing components of an emulation plan that we did not have time to develop.
  2. Contribute open-source intelligence. For the first time we have an avenue for the community to contribute research on a specific threat actor to the adversary emulation library. Help us emulate an adversary better by providing research that fills in the reporting gaps we discussed earlier. As research can be sensitive in nature, check out our Wiki for more information on how we hope to address this factor.

And, if you are interested in learning more about what goes into choosing an adversary and the details of the OceanLotus emulation plan, please look for our OceanLotus deep dive blog in a few days.

About the Center for Threat-Informed Defense

The Center is a non-profit, privately funded research and development organization operated by MITRE Engenuity. The Center’s mission is to advance the state of the art and the state of the practice in threat-informed defense globally. Comprised of participant organizations from around the globe with highly sophisticated security teams, the Center builds on MITRE ATT&CK®, an important foundation for threat-informed defense used by security teams and vendors in their enterprise security operations. Because the Center operates for the public good, outputs of its research and development are available publicly and for the benefit of all.

© 2023 MITRE Engenuity, LLC. Approved for Public Release. Document number CT0084

Jon Baker, MITRE-Engenuity: Director and co-Founder, Center for Threat-Informed Defense