New OS X Tibet malware variant surfaces

Unlike other malware, this strain appears to be a politically motivated and targeted attack.

Security company Kaspersky Labs has intercepted a new variant of the Tibet malware for OS X, which is being distributed to specific Uyghur activist groups as part of a seemingly politically motivated APT (advanced persistent threat) attack.

The malware is being distributed in e-mails to certain Uyghur Mac users, and is contained within a ZIP file called "matiriyal.zip." If this file is opened it will reveal an image file and a text file that is a disguised OS X application that if run will install the malware. Once installed, the malware will connect to a command-and-control server based in China, and allow a remote attacker to issue local commands and access files.

The Tibet malware was initially found in March and initially used the same Java exploit that allowed the infamous Flashback attack to infect about 1 percent of Mac systems. Since then the malware has been released in variants that have exploited other known vulnerabilities, such as the MS09-027 vulnerability in Microsoft Office that was found and patched in 2009.

This latest variant of the malware uses a classic Trojan horse approach, by enticing users to open the file based on curiosity and disguising the malware application as a benign document.

Unlike some other recent malware attacks on OS X, the Tibet malware appears to be a concentrated political effort from mainland China against Tibetan activist groups, and is not being actively spread to other parts of the world.

Given that OS X constitutes a relatively small percentage of the worldwide operating-system market it may seem odd at first that the OS X platform is receiving this attention from malware developers; however, according to Kaspersky, the answer may simply be that groups at political odds with China have revealed their use of Macs. The Dalai Lama is a well-known Mac user, and regularly participates in conference calls and other online activities. Therefore, the Tibet malware may be an attempt to spy and steal information about him and his activities, and those of similar groups such as the Uyghurs that have been at political odds with China.



Questions? Comments? Have a fix? Post them below or e-mail us!
Be sure to check us out on Twitter and the CNET Mac forums.

About the author

    Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. One of his passions is troubleshooting Mac problems and making the best use of Macs and Apple hardware at home and in the workplace.

     

    Join the discussion

    Conversation powered by Livefyre

    Show Comments Hide Comments