{"id":10647,"date":"2013-02-13T10:15:09","date_gmt":"2013-02-13T18:15:09","guid":{"rendered":"http:\/\/www.intego.com\/mac-security-blog\/?p=10647"},"modified":"2024-07-29T12:17:29","modified_gmt":"2024-07-29T19:17:29","slug":"new-targeted-attack-on-tibetan-activists-using-os-x-discovered","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/new-targeted-attack-on-tibetan-activists-using-os-x-discovered\/","title":{"rendered":"New Targeted Attack on Tibetan Activists Using OS X Discovered"},"content":{"rendered":"

Once again, another round of targeted attack on Tibetan activists which drops a backdoor trojan\u00a0has been found (the last attack on Tibetan activists was\u00a0OSX\/Dockster.A<\/a>). There’s a possibility this one was created by the same group that was using the Tibet trojans<\/a>. At this time, the threat is considered low risk. The trojan comes as a DOC file, which uses a fairly old Microsoft Word exploit to attempt to drop its payload. This was picked up with older VirusBarrier<\/a> virus definition updates as W97\/CVE-2009-0563.gen. The backdoor is a very simple one \u2013 it only gives the attacker the capability to run commands on the local machine and is steals a copy of the affected user\u2019s contact information.<\/p>\n

The backdoor can come with different file names, but one example is “2013-02-04 – Deported Uyghurs.doc” (file size 151612 bytes). If it\u2019s successfully run, it attempts to connect to a command and control center at update.googmail.org, which is still operational at time of writing. It will then send the user’s contact information, to identify the affected user.<\/p>\n

It creates the following files:<\/p>\n

In the Home User’s folder:<\/p>\n