Kaspersky Lab, one of the top computer security companies, has discovered a new variant of the Tibet malware for OS X. It appears to be distributed to specific Uyghur activist groups as part of a politically motivated advanced persistent threat (APT) attack.
The malware is being spread by email to certain Uyghur Mac users as a ZIP attachment named “matiriyal.zip”. When the archive is opened, it presents an image file and what appears to be a text file; the “text file” is actually a disguised OS X application that installs the malware if run. Once installed, the malware connects to a command-and-control server based in China, letting a remote attacker execute commands and access files on the infected machine.
The Tibet malware was first discovered back in March and initially used the same Java exploit that allowed the Flashback malware to infect nearly 1% of all Mac users. Since then it has been released in different variants that exploit other known vulnerabilities, such as the MS09-027 vulnerability in Microsoft Office, which was discovered and patched back in 2009.
This newest version uses a standard Trojan horse approach: it disguises the malicious application as a harmless document and relies on the user's curiosity to get the file opened. It differs from other recent malware attacks on OS X in one respect, however: this Tibet variant appears to be a concentrated political effort from mainland China against Tibet activist groups and is not being actively spread to other parts of the world.
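The lure described above is an archive whose “document” is really an OS X executable. The following added example (not from the original article or from Kaspersky) shows one defensive check an email gateway or analyst could apply: inspect each ZIP entry for an .app bundle or for Mach-O magic bytes under a document-like file name. The archive contents are constructed here for illustration and are not the real “matiriyal.zip”.

```python
import io
import zipfile

# Mach-O and universal-binary magic numbers, both byte orders.
# 0xCAFEBABE is also the Java class-file magic, so a fat-binary hit is a hint, not proof.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit Mach-O
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit Mach-O
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # universal (fat) binary
}
# Extensions a user would expect to open as a harmless document or picture.
DOCUMENT_EXTS = (".txt", ".rtf", ".doc", ".pdf", ".jpg", ".png")


def inspect_zip(data: bytes) -> list:
    """Return findings for ZIP entries that hide an OS X executable behind a document lure."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            # An application bundle's executable lives under Name.app/Contents/MacOS/.
            if ".app/contents/macos/" in lower:
                findings.append("app bundle executable: " + name)
            if info.is_dir():
                continue
            # Only the first four bytes are needed to recognise a Mach-O header.
            with zf.open(info) as fh:
                head = fh.read(4)
            if head in MACHO_MAGICS and lower.endswith(DOCUMENT_EXTS):
                findings.append("Mach-O disguised as document: " + name)
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: names and contents are made up for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)        # real JPEG header
        zf.writestr("readme.txt", b"Hello from a genuine text file.\n")      # real text
        zf.writestr("statement.txt", b"\xcf\xfa\xed\xfe" + b"\x00" * 28)     # Mach-O 64 as .txt
        zf.writestr("Readme.app/Contents/MacOS/Readme", b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(build_sample_zip()):
        print(finding)
```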
Since Mac OS X makes up only a small fraction of the worldwide operating system install base, it may seem strange that the platform is receiving this kind of attention from malware developers. Kaspersky suggests the answer is simple: groups at political odds with China may have revealed themselves as users of the operating system.
The Dalai Lama is reported to be a well-known Mac user who regularly participates in conference calls and other online activities. The Tibet malware may therefore be an attempt to spy on and steal information about the Dalai Lama and his activities, as well as about similar groups such as the Uyghurs, who have been at political odds with China for some time now.
Source: CNET – New OS X Tibet malware variant surfaces