New Tibet malware variant found for OS X
After over a year of no apparent activity, a new variant of the Tibet malware affecting OS X systems has been found.
A new variant of the Tibet malware for OS X has been found. This variant uses a recently patched Java exploit to install a backdoor service in targeted systems and allow a remote hacker to log in and steal files.
While OS X has seen relatively little malware, the platform has periodically been hit by a few campaigns that, while active, went through several variant revisions in attempts to bypass security updates and known detection methods.
One of these has been an ongoing campaign targeting Uyghur ethnic groups via spam and other means, in which various tricks and security vulnerabilities have been exploited in attempts to install a Trojan horse program. The malware has been packaged in ZIP files, or as applications disguised as images or other file types. When run, it installs a backdoor program that allows a remote user to log in and steal personal information.
This so-called Tibet malware has until now had three known variants, the last of which was found over a year ago.
While prior versions of the malware disguised installers as benign files, or exploited vulnerabilities in Office applications, this new variant uses a recently patched Java exploit to install the malware. When done, the following hidden application runs, as well as a corresponding global launch agent that keeps the application running in the background:
Given the nature of the Java exploit used for this attack, these malicious files are installed without any prompt for a password.
To check for and remove this malware, simply go to the above folders in your system and remove the corresponding files, if they exist, and then restart your system to clear any instances of the malware that are running in the background.
This malware is by no means widespread. Oracle has patched the Java vulnerability, and Apple has updated its XProtect service to block outdated Java plug-in versions in OS X, effectively forcing the latest release; even so, some users may still encounter either this malware or other malware that uses similar exploits. There are therefore several things you can do to help protect yourself from such attacks.
Application installers and system updates often use launch agents to schedule tasks, but nothing in OS X prevents unwanted processes from setting up their own maliciously crafted launch agents in the system, especially if the malware exploits vulnerabilities that give it administrative-level access to system folders. To combat this you can use built-in OS X services to set up a launch agent monitor that notifies you any time a launch agent or daemon is added to one of the relevant system folders, so you can at least investigate whether or not the new item is legitimate. It's a safe bet that if one appears without you purposely running an installer or update, it is likely malicious.
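One way to build that monitor, as an added example that is not code from the original article: a POSIX shell script that records a baseline listing of the launch agent and daemon folders, reports any item that is not in the baseline, and generates a launchd property list whose WatchPaths key makes launchd re-run the checker whenever one of those folders changes. The label com.example.launchwatch, the script path /usr/local/bin/launchwatch.sh, the baseline file location, and the use of osascript's "display notification" (available on OS X 10.9 and later) for the alert are all assumptions of this example.

```shell
#!/bin/sh
# launchwatch.sh (added example, not from the original article)
# Monitor the folders launchd loads agents and daemons from, and report any
# item that was not present when the baseline was recorded.

# The five folders launchd reads launch agents/daemons from.
WATCH_DIRS="$HOME/Library/LaunchAgents /Library/LaunchAgents /Library/LaunchDaemons /System/Library/LaunchAgents /System/Library/LaunchDaemons"
# Assumed locations for the trusted baseline and for this script itself.
BASELINE="${HOME:-/tmp}/.launchitems.baseline"
LAUNCHWATCH_SCRIPT="${LAUNCHWATCH_SCRIPT:-/usr/local/bin/launchwatch.sh}"

# Print every entry of the given directories, one absolute path per line, sorted.
# Missing directories are skipped so the script also works for non-admin users.
list_items() {
  for d in "$@"; do
    for f in "$d"/*; do [ -e "$f" ] && printf '%s\n' "$f"; done
  done | sort
}

# snapshot BASELINE_FILE DIR...: record the current contents as trusted.
snapshot() { b="$1"; shift; list_items "$@" > "$b"; }

# new_items BASELINE_FILE DIR...: print entries present now but not in the baseline.
new_items() { b="$1"; shift; list_items "$@" | comm -13 "$b" -; }

# make_watch_plist LABEL SCRIPT DIR...: emit a launchd plist that runs
# "SCRIPT check" whenever any of the listed directories is modified.
make_watch_plist() {
  label="$1"; script="$2"; shift 2
  printf '<?xml version="1.0" encoding="UTF-8"?>\n'
  printf '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
  printf '<plist version="1.0">\n<dict>\n'
  printf '  <key>Label</key><string>%s</string>\n' "$label"
  printf '  <key>ProgramArguments</key><array><string>%s</string><string>check</string></array>\n' "$script"
  printf '  <key>WatchPaths</key><array>\n'
  for d in "$@"; do printf '    <string>%s</string>\n' "$d"; done
  printf '  </array>\n</dict>\n</plist>\n'
}

# Command-line entry points; with no argument the script only defines the functions.
case "${1-}" in
  baseline)
    snapshot "$BASELINE" $WATCH_DIRS ;;
  check)
    [ -f "$BASELINE" ] || { echo "no baseline: run '$0 baseline' first" >&2; exit 1; }
    found=$(new_items "$BASELINE" $WATCH_DIRS)
    if [ -n "$found" ]; then
      printf 'New launch item(s) since baseline:\n%s\n' "$found"
      # Assumed alert mechanism: OS X 10.9+ notification centre via AppleScript.
      if command -v osascript >/dev/null 2>&1; then
        osascript -e "display notification \"$found\" with title \"New launch item found\""
      fi
    fi ;;
  plist)
    make_watch_plist com.example.launchwatch "$LAUNCHWATCH_SCRIPT" $WATCH_DIRS ;;
esac
```

Usage: save the script at the assumed path, run `launchwatch.sh baseline` right after a clean install or update, then `launchwatch.sh plist > ~/Library/LaunchAgents/com.example.launchwatch.plist` and load it with `launchctl load ~/Library/LaunchAgents/com.example.launchwatch.plist`. launchd fires the job on any change in a watched folder, so a legitimate installer will also trigger an alert; re-run `baseline` after installs you trust so only unexpected additions are reported. The agent runs as your user, which is enough to read the /Library and /System/Library folders even though only root can write to them.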
Very good info indeed! Thank you for the contribution.