New variant of Tibet malware

Published June 30th, 2012 at 5:42 PM EDT , modified March 19th, 2013 at 11:16 AM EDT

A new variant of the Tibet malware was discovered this past week.  This time the malware has been targeted at the Uyghur people, who live predominantly in China.  The method of delivery is a bit different than previous variants of Tibet, which have used Java vulnerabilities (the same ones used by Flashback) and Microsoft Office vulnerabilities to install code.  This variant is a simple trojan, sent to specific targets via e-mail.  Although it is targeted, the rest of the world should be cautious, as we’ve recently seen some very high-profile targeted malware in the Windows world (eg, Stuxnet and Flame) escape its leash and affect other people as well!

The new variant, described in detail by Costin Raiu of Kaspersky, comes packaged in a .zip file attached to an e-mail message.  Inside the .zip file are a photo (in .jpg format) and an application.  The application, if opened, installs the MaControl backdoor on the system, providing the attackers full access to the machine.  (Why this malware was originally named Tibet and not MaControl, I don’t know.  Perhaps the backdoor is actually made by a third-party, but all mention of MaControl that I’m aware of seems to be references to the payload installed by the Tibet malware.)

Avoiding this malware is easy, and requires no new techniques: just don’t open attachments on e-mail messages from people you don’t know, or unexpected application attachments from people you do know.  Treat any attachment with suspicion!

Addendum: Apple has now added MaControl to their XProtect definitions.

Tags: Mac OS X, macontrol, malware, Tibet, trojan