Tibet-targeting Mac OS malware rears its head again

A new variant on a family of Mac OS X malware which targets Tibetan activists has been found in the wild and shared on the Virus Total website, where security researchers show off new “finds”.

The malware is distributed by a poisoned Java applet on websites which have been compromised – known as a “watering hole attack”. It’s part of a family of malware which has targeted Tibetan activists. The last new version was found a year ago, according to Intego.

An ESET report on previous malware targeting Tibetan activists can be found here.

ESET Senior Research Fellow David Harley says, in a post on Mac Virus, “ I suspect that Apple will slipstream detection for it into XProtect.plist sooner rather than later. In any case, its actual spread is almost certainly as light as you’d expect from targeted malware. It seems to have crossed the AV radar because of a sample sent to VirusTotal, not as a result of user reports.”

In a detailed blog post exploring the myths around Mac malware, ESET Senior Researcher Stephen Cobb says, “Many people have repeated the statement that Macs can’t catch viruses. There may be a qualified sense in which that is true, but it obscures the wider reality that Macs can, and do, get hit with other forms of malicious software.”

“Things have been relatively quiet lately from the authors of the Tibet family of malware, but another variant was found last night on the Virus Total website, which is a site used by security researchers to share malware samples,” Intego said.

“This time, the attack arrives via a Java applet on a web site. This drops a Java archive with the backdoor and launches it without user interaction, by way of a Java vulnerability. When installed, it creates a backdoor to the affected computer, which allows an attacker to view and access files on the computer as well as running commands.”

 Independent security researcher Graham Cluley says that previous attacks in the same “family” have targeted the Tibetan government and supporters of the Dalai Lama, and says, “If I were a betting man, I would put money on those responsible for previous attacks as being likely to be behind OSX/Tibet.C as well.”

Intego has identified the malware as OSX/Tibet.D. It relies on Java vulnerabilities, so users with out-of-date software are advised to udpate now.

Author , We Live Security

  • Al Varnell

    > I suspect that Apple will slipstream detection for it into XProtect.plist sooner rather than later.

    XProtect is not currently able to detect malware installed via Java exploit drive-by attacks, but since this particular exploit has already been patched by Oracle, XProtect was updated earlier this week to block the use of older Java plugins.

    • Good point. Actually, I was thinking of XProtect.meta.plist. I’m not in Apple’s confidence, but I believe they’re looking at some form of remediation in this case, if it isn’t already implemented.

Follow us

Copyright © 2017 ESET, All Rights Reserved.