Tibet-focused Malware Learns New Tricks

The malware, which receives its commands from a server located in China, was originally named Tibet because it was found in emails targeting Tibetan activists

The malware, which receives its commands from a server located in China, was originally named Tibet because it was found in emails targeting Tibetan activists. Its purpose? Pure espionage. 

Original versions of the virus spread with a spear phishing campaign related to a Tibetan religious festival; the attackers used a contaminated Office file to exploit a known vulnerability in Microsoft Office. The attacks were targeted at the Central Tibetan Administration (the Tibetan government in exile), the International Campaign for Tibet, as well as other Tibetan organizations and individuals. Since then, several other campaigns have been uncovered, aimed at gathering intelligence about these groups’ activities.

“Things have been relatively quiet lately from the authors of the Tibet family of malware, but another variant was found…on the Virus Total website, which is a site used by security researchers to share malware samples,” Intego researcher Lysa Myers explained in a blog. “Before [that], the last variant was found just over a year ago, and was already detected by Intego VirusBarrier’s existing virus definitions as OSX/Tibet.C.”

This time, the attack arrives via a poisoned Java applet on a compromised website purporting to have information that would be of interest to Tibetan activists.

As independent security researcher Graham Cluley explained, this “watering hole” style attack is becoming a common trick used by hackers today. “Hackers breach a website known to be visited by a particular group of targets, rather than directly launch an attack against the targets themselves,” he wrote in a blog. “Eventually someone visits the ‘watering hole’ and their computer ends up poisoned and compromised.”

In this particular case, visiting the website on an unpatched computer drops a Java archive, by way of recently patched Java vulnerabilities CVE-2013-2465 and CVE-2013-2471. The malware then launches without any user interaction. Once installed, it creates a secret backdoor to the affected computer, which allows an attacker to view and access files on the computer as well as run commands and drop other code.

The dropped Java archive writes two files. The first, /Library/LaunchAgents/com.apple.AudioService.plist, is a launch agent that ensures the malware is executed on each startup. The second, /Library/Audio/Plug-Ins/Components/AudioService, is the actual backdoor.
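The persistence mechanism described above, a launch agent whose label imitates Apple's naming and whose program lives in an audio plug-in directory, is something a defender can check for with a short script. The following is an added example written for this article; it is not code from Intego, Cluley, or the article itself. It takes the two file paths quoted in the article as known indicators, and everything else (the function names, the list of "expected" program locations, and the sample plist contents, which the article does not reproduce) is an assumption constructed for illustration. It runs with POSIX sh plus grep, sed and awk, so it can be tried on any system against a directory of plist files.

```shell
#!/bin/sh
# Added example (not from the article): flag LaunchAgent plists whose program
# runs from an unusual location or matches the OSX/Tibet indicator paths.

# Assumed list of directories a legitimate launch agent's program is expected
# to live under (no entries with spaces, so the list can be word-split).
EXPECTED_PREFIXES="/System/ /usr/ /bin/ /sbin/ /Applications/"

# Known indicator quoted in the article: the backdoor binary dropped into an
# audio plug-in directory and launched by a com.apple.* LaunchAgent.
KNOWN_BAD_PROGRAM="/Library/Audio/Plug-Ins/Components/AudioService"

# plist_program FILE: print the first absolute path found in a <string> value
# (covers both a Program key and the first ProgramArguments entry).
plist_program() {
    grep -o '<string>[^<]*</string>' "$1" \
        | sed 's/<string>//; s/<\/string>//' \
        | grep '^/' \
        | head -n 1
}

# plist_label FILE: print the <string> that follows the Label key.
plist_label() {
    awk '/<key>Label<\/key>/ { getline; sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit }' "$1"
}

# is_expected_prefix PATH: succeed if PATH starts with an expected prefix.
is_expected_prefix() {
    for p in $EXPECTED_PREFIXES; do
        case "$1" in "$p"*) return 0 ;; esac
    done
    return 1
}

# scan_launch_agents DIR: print one SUSPICIOUS line per plist that is flagged.
scan_launch_agents() {
    for f in "$1"/*.plist; do
        [ -f "$f" ] || continue
        prog=$(plist_program "$f")
        label=$(plist_label "$f")
        reason=""
        if [ "$prog" = "$KNOWN_BAD_PROGRAM" ]; then
            reason="program matches known OSX/Tibet backdoor path"
        elif [ -n "$prog" ] && ! is_expected_prefix "$prog"; then
            reason="program runs from unusual location"
        fi
        # A com.apple.* label in a writable LaunchAgents directory is a second hint.
        if [ -n "$reason" ]; then
            case "$label" in
                com.apple.*) reason="$reason; label impersonates Apple" ;;
            esac
            echo "SUSPICIOUS: $f label=$label program=$prog ($reason)"
        fi
    done
    return 0
}

# count_suspicious DIR: print the number of flagged plists (always exits 0).
count_suspicious() {
    scan_launch_agents "$1" | grep -c '^SUSPICIOUS:' || true
}

# make_sample_agents DIR: write two constructed plists into DIR for a dry run.
# The first mimics the article's indicators; the second is a benign agent.
make_sample_agents() {
    cat > "$1/com.apple.AudioService.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>com.apple.AudioService</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Library/Audio/Plug-Ins/Components/AudioService</string>
  </array>
  <key>RunAtLoad</key>
  <true/>
</dict>
</plist>
EOF
    cat > "$1/com.example.updater.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>com.example.updater</string>
  <key>Program</key>
  <string>/usr/local/bin/updater</string>
</dict>
</plist>
EOF
}

# Usage when run directly: scan the directory given as the first argument,
# e.g. /Library/LaunchAgents or ~/Library/LaunchAgents on a Mac.
if [ "$#" -ge 1 ]; then
    scan_launch_agents "$1"
fi
```

On the constructed sample directory the scan flags only the com.apple.AudioService agent, with both reasons attached, and leaves the benign updater alone. The location heuristic is deliberately coarse: a launch agent that starts a program from under /Library/Audio/Plug-Ins/ is not proof of compromise, but it is the kind of anomaly worth an analyst's look, and pairing it with the known path from the article turns the hint into a firm match.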

“Because the malware exploits recently patched Java vulnerabilities, it acts as good a reminder as any of the importance of keeping your computer software up-to-date with security fixes,” Cluley noted. “And remember to ask yourself – do you really need Java enabled on your browser at all?”

However, for now, the risk level is low – unless you’re an activist for Tibet.

“I suspect that Apple will slipstream detection for it into XProtect.plist sooner rather than later,” said ESET senior research fellow David Harley, in a post on Mac Virus. “In any case, its actual spread is almost certainly as light as you’d expect from targeted malware. It seems to have crossed the AV radar because of a sample sent to VirusTotal, not as a result of user reports.”

Cluley warned users to be vigilant nonetheless: “Although this particular Mac malware isn’t likely to be encountered by anyone who isn’t an active critic of China in Tibet, it’s clear that sophisticated hackers are interested in infecting computers and using malware to spy upon their intended victims.”
