Old OS X malware used in increased attacks against Uyghur groups

An old vulnerability in Word for OS X is being used in increasing levels of attacks against ethnic groups in China.

Topher Kessler MacFixIt Editor

Kaspersky Lab and AlienVault have released a new analysis outlining a recent increase in targeted attacks against Uyghur groups in China, where an apparently ongoing, politically motivated campaign is using old vulnerabilities in Microsoft Word for Mac to infect victims' systems with malware.

The campaign relies on unpatched installations of Microsoft Word 2004 and 2008 for OS X: a maliciously crafted document exploits a vulnerability that was fixed years ago to execute code and install a backdoor without any action on the user's part beyond opening the file. The backdoor in this case is a build of "TinySHell", a small open-source remote-access shell that is not malware in itself; because it runs quietly in the background with no visible window, the attackers use it to keep a foothold on the machine while staying relatively hidden.

This attack is similar to one found targeting these same ethnic groups back in June 2012; the Word documents are likewise being sent in booby-trapped e-mails to these groups.

While this form of attack is nothing new, it appears to be a renewed effort to steal information from these groups. For anyone who feels they or someone they know may be at risk of receiving one of these malicious e-mails, Kaspersky has some recommendations:

  1. Use Gmail with its two-step verification turned on, which makes it harder for attackers to take over a contact's account and send mail that appears to come from a familiar sender.
  2. Update all software on your computer, especially Word.
  3. Consider using an anti-malware suite and have it actively scan incoming e-mail.
  4. Use Chrome or another browser that includes phishing and fraud detection.
  5. Confirm with the sender that any attachments or links they have sent are genuine before you open them.

In addition to these recommendations, an outbound (application) firewall such as Little Snitch alerts on, and by default blocks, connections that programs on your Mac try to open to remote servers. A backdoor has to call home to be useful, so if you want to see and control your system's outgoing connections, this is one way to do it.
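For readers who would rather check by hand than install a firewall, here is a small POSIX shell triage script, added as an example and not part of the article or of the Kaspersky/AlienVault analysis. It parses the output of `lsof -nP -iTCP -sTCP:ESTABLISHED` (the list of established TCP connections on a Mac) and reports every process holding a connection whose name is not on a short allowlist, then lists the launchd folders where something that wants to survive a reboot would have to register. The allowlist, the "svchelper" process name and the sample lsof lines are constructed for illustration; nothing here identifies the real backdoor's file name.

```shell
#!/bin/sh
# Outbound-connection triage for macOS (added example, not the article's code).
# Idea: a background backdoor still has to keep a TCP connection to its
# operator, and that connection is visible to lsof even when nothing
# appears in the Dock.

# Constructed allowlist of process names you expect to talk to the network.
# Anything else with an ESTABLISHED connection is worth a closer look.
ALLOWLIST='^(Safari|Google|firefox|Mail|Dropbox|mDNSResponder)$'

# flag_connections ALLOW_REGEX
#   Reads lsof output on stdin and prints "COMMAND PID REMOTE" for every
#   established TCP connection whose COMMAND does not match ALLOW_REGEX.
#   lsof prints the connection as "local->remote" followed by "(ESTABLISHED)".
flag_connections() {
    awk -v allow="$1" '
        NR == 1 { next }                      # skip the lsof column header
        $NF == "(ESTABLISHED)" {
            split($(NF-1), ep, "->")          # ep[1]=local, ep[2]=remote
            if ($1 !~ allow) print $1, $2, ep[2]
        }'
}

# flag_live ALLOW_REGEX
#   Same check against the running system (only works where lsof exists).
flag_live() {
    if command -v lsof >/dev/null 2>&1; then
        lsof -nP -iTCP -sTCP:ESTABLISHED 2>/dev/null | flag_connections "$1"
    fi
}

# list_launch_items
#   Shows the launchd folders. A plist you do not recognise, especially one
#   created around the time a suspicious document was opened, deserves a look.
list_launch_items() {
    for d in "$HOME/Library/LaunchAgents" /Library/LaunchAgents /Library/LaunchDaemons; do
        if [ -d "$d" ]; then
            echo "== $d"
            ls -la "$d"
        fi
    done
}

# Constructed sample of lsof output: a browser, a hidden process named
# "svchelper" (made up for this example) talking to a remote port 22, and Mail.
SAMPLE='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
Safari    412 alice   21u  IPv4 0x1a2b      0t0  TCP 192.0.2.10:49170->198.51.100.7:443 (ESTABLISHED)
svchelper 987 alice    3u  IPv4 0x3c4d      0t0  TCP 192.0.2.10:49188->203.0.113.25:22 (ESTABLISHED)
Mail      520 alice   14u  IPv4 0x5e6f      0t0  TCP 192.0.2.10:49201->198.51.100.9:993 (ESTABLISHED)'

echo "== sample lsof output: unexpected established connections"
printf '%s\n' "$SAMPLE" | flag_connections "$ALLOWLIST"
echo "== live system (empty if lsof is unavailable or nothing is unexpected)"
flag_live "$ALLOWLIST"
list_launch_items
```

Run it as your normal user; the live check needs `lsof`, which ships with OS X. A hit from the script is a starting point rather than proof of compromise, since plenty of legitimate helper processes also hold connections, but a process you cannot account for that keeps a session open to a remote host is exactly the signal a quiet remote shell gives off.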

Given that this malware targets a specific ethnic group and relies on old vulnerabilities that were patched years ago, these attacks pose little risk to most Mac users, especially if you keep your software updated. Even so, it never hurts to stay aware of what kinds of attacks are circulating, just in case.
