New Version of Tibet Malware

Monday, September 16, 2013 @ 10:09 AM gHale


There is now a third variant of the Mac malware called “Tibet.”

The first version of the malware, OSX/Tibet.A, came into the spotlight in March 2012. At the time, experts called it Tibet because they found it in emails sent specifically to Tibetan non-governmental organizations, said researchers at security firm Intego.


Now, Intego has come across the OSX/Tibet.C malware. They identified the sample on VirusTotal, and they consider it a low-risk threat.

The threat is distributed via a Java applet hosted on a website. The applet exploits two already-patched Java vulnerabilities (CVE-2013-2465 and CVE-2013-2471) to automatically download and launch a Java archive that contains a backdoor.

Once installed on a system, Tibet.C creates two files. The first, /Library/LaunchAgents/com.apple.AudioService.plist, ensures the malware executes on each startup. The second, /Library/Audio/Plug-Ins/Components/AudioService, is the actual backdoor.
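A defender-side check for the persistence pattern just described, added here as an example and not part of Intego's analysis: it scans a LaunchAgents directory for agents whose label claims to be Apple's but whose binary lives outside Apple-owned system paths. Only the two file paths come from the article; the plist contents (Label, ProgramArguments, RunAtLoad) and the benign contrast agent are constructed assumptions.

```python
import plistlib
import tempfile
from pathlib import Path

# Directories where a genuine com.apple.* agent's binary is expected to live
APPLE_PATHS = ("/System/", "/usr/libexec/", "/usr/bin/", "/usr/sbin/")

# Constructed sample modelled on the Tibet.C file names from the article;
# the Label and ProgramArguments values are assumptions, not the real file.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.AudioService</string>
  <key>ProgramArguments</key>
  <array><string>/Library/Audio/Plug-Ins/Components/AudioService</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

# Constructed benign agent for contrast: third-party label, third-party path
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>org.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Library/Application Support/Example/updater</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

def program_of(agent: dict) -> str:
    # launchd names the binary either in Program or ProgramArguments[0]
    if "Program" in agent:
        return agent["Program"]
    return (agent.get("ProgramArguments") or [""])[0]

def is_suspicious(agent: dict) -> bool:
    # An Apple-branded label whose binary sits outside Apple-owned paths is
    # the persistence pattern the article describes for Tibet.C
    label = agent.get("Label", "")
    return label.startswith("com.apple.") and not program_of(agent).startswith(APPLE_PATHS)

def scan_launch_agents(directory: Path) -> list[tuple[str, str]]:
    hits = []
    for path in sorted(directory.glob("*.plist")):
        try:
            agent = plistlib.loads(path.read_bytes())
        except Exception:
            continue  # unparseable plist; a real hunt would log it for review
        if is_suspicious(agent):
            hits.append((path.name, program_of(agent)))
    return hits

def run_demo() -> list[tuple[str, str]]:
    # Builds a throwaway LaunchAgents directory from the constructed samples
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "com.apple.AudioService.plist").write_bytes(SUSPICIOUS_PLIST)
        (root / "org.example.updater.plist").write_bytes(BENIGN_PLIST)
        return scan_launch_agents(root)

if __name__ == "__main__":
    for name, program in run_demo():
        print(f"suspicious LaunchAgent {name} -> {program}")
```

On a real host, call `scan_launch_agents(Path("/Library/LaunchAgents"))` and review each hit's binary signature before acting on it.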

The malware receives its commands from a server located in China.

Mac users can protect themselves against the threat with an antivirus program or by making sure their Java software is up to date.
