New malware targets Tibet
Published March 21st, 2012 at 7:14 AM EDT, modified March 5th, 2013 at 2:32 PM EST
A new malware threat has recently appeared, using the same Java vulnerabilities as Flashback, as part of an attack on Tibetan activist organizations. AlienVault Labs documented these attacks in other forms a week ago. On Monday, they posted more information about the new trojan, which is installed by web sites that are capable of installing either a Mac or Windows payload through Java. However, details were lacking on the Mac payload. Yesterday, Intego announced the new trojan and named it Tibet.A.
This new trojan is still very under-documented. Intego, as per their usual form, provides almost no details about what the malware does, and AlienVault Labs, which has extensive documentation on the Windows version of this trojan, barely mentions the Mac at all. So, at this time, there is no indication of what files are installed or whether the malware injects code into other apps like Flashback. It is also unclear how the malware behaves on machines with Java updated to patch those vulnerabilities. There is no mention of whether Tibet.A uses social exploits, as Flashback does, to trick the user into installing it in that case, or whether it simply fails to install. Intego does say, however, that there are no symptoms of infection unless you have software installed to monitor outgoing network connections.
Most of the world is probably not at much risk at the moment, since the perpetrators of this malware appear to be using it exclusively to target Tibetan activists. However, it is always possible that this malware will accidentally infect others as well, or that the hackers behind it will widen the target audience. As I recommended with Flashback, you should turn off Java in your web browser and make sure that Java is up to date by running Software Update. Or, even better, if you are running Mac OS X 10.7 (Lion) and have not yet installed Java, don’t do so.