Dalai Lama + Mac OS X = APT with Tibet malware

Pierluigi Paganini June 30, 2012

Another excellent discovery of the active experts of Kaspersky Labs that have identified a new variant of the malware used in Tibet against Uyghur hacktivists, a Turkic ethnic group living in Eastern and Central Asia.

The instance of Tibet malware detected infects OS X machines and is spread following a consolidated schema for politically motivated APT attack(advanced persistent threat),  via email.

Uyghur Mac users receive an email with a zip file attached named  “matiriyal.zip.” that contains an image and also an application, masqueraded as text file, that once executed installs the agent on the target machine.

After the malware is installed on the victims it contacts a command-and-control server based in China, and allows a remote attacker to issue local commands and access files. The decoded IP address for C&C server is  61.178.77.*, located in China:

The agent appears as a new variant, and the team of Kaspersky declared:

 “[it’s] mostly undetected version of the MaControl backdoor (Universal Binary), which supports both i386 and PowerPC Macs. We detect it as “Backdoor.OSX.MaControl.b”. “ MD5 ( “matiriyal.app/Contents/MacOS/iCnat” ): e88027e4bfc69b9d29caef6bae0238e8

I have already written on the use of malware against Tibetan hacktivists discovered in March, also in that cases the responsible were groups of hackers sponsored by the Beijing government.

The attacks carried out using a tested scheme starting with a spear phishing campaign that uses an infected Microsoft Office file to exploit a known vulnerability in Microsoft. As usually the content of the email refer a topic of interest for the final target, in this case related to the Kalachakra Initiation, a Tibetan religious festival that took place in early January. The vulnerability that has exploited is known Office stack overflow vulnerability (CVE-2010-3333).

The malware used is a variant of Gh0st RAT, a well know remote access Trojan, that enables to acquire the total control of the target allowing documents theft and cyber espionage.

For the precision have been identified five families of malware, free Web hosting services for their command and control machines and also a malware called TROJ_WIMMIE. This malware exploited Rich Text Format Stack Buffer Overflow Vulnerability (CVE-2010-3333) and also Adobe Reader and Flash Player vulnerabilities.

For Mac OS X users the attack started exploiting the same Java vulnerability that allowed the infection with Flashback malware.

Notable features of the infections are the limited geographic area interested by the attacks and also its primary target OS, MAC OSx, that according to Kaspersky maybe addresses because the Dalai Lama is a well-known Mac user, and regularly participates in conference calls and other online activities.

The Dalai Lama is a spiritual leader opposed by China, that with these operations intend to succeed in cyber espionage operations.

Unfortunately, the use of specific malware in the fight against political factions adverse to the regimes has become very common, include cases of persecution by the regime in Syria, and also the intelligence operations attributable to groups pro Putin in Russia.

These events are a sad page in technological progress, an example of how dangerous it can be a misuse of technology.

Pierluigi Paganini



you might also like

leave a comment