A new variant of the Tibet malware for OS X has been found. This variant uses a recently patched Java exploit to install a backdoor service in targeted systems and allow a remote hacker to log in and steal files.
While OS X has been affected relatively minimally by malware, the platform has been periodically plagued by a few attempts that, when active, have undergone several variant revisions in attempts to bypass security updates and known detection methods.
One of these has been an ongoing campaign targeting Uyghur ethnic groups via spam and other means, in which various tricks and security vulnerabilities have been exploited in attempts to install a Trojan horse program. The malware has been packaged in ZIP files, or as applications disguised as images or other file types. When run, it installs a backdoor program that allows a remote user to log in and steal personal information.
This so-called Tibet malware has until now had three known variants, the last of which was found over a year ago.
While prior versions of the malware disguised installers as benign files, or exploited vulnerabilities in Office applications, this new variant uses a recently patched Java exploit to install the malware. When done, the following hidden application runs, as well as a corresponding global launch agent that keeps the application running in the background:
Given the nature of the Java exploit used for this attack, these malicious files are installed without any prompt for a password.
To check for and remove this malware, simply go to the above folders in your system and remove the corresponding files, if they exist, and then restart your system to clear any instances of the malware that are running in the background.
This malware is by no means widespread, and even though Oracle has patched the Java vulnerability and Apple has issued updates to its XProtect service that force the use of the latest Java versions in OS X, some users may still encounter either it or other malware that uses similar exploits. Therefore, to help protect yourself from such attacks there are several things you can do.
- Update your system
As with many malware attempts, this one exploits a known and documented vulnerability. This type of documentation usually exists only after a patch for the vulnerability is available, but malware developers are betting (quite correctly) that people will not immediately update their systems. Therefore, to combat this tactic, install any updates as soon as possible.
- Disable Java
This attack, like many others, takes advantage of vulnerabilities in a secondary data execution runtime, in this case, Java. This runtime is not needed for most OS X applications, so unless you have a specific need for it, consider disabling or uninstalling it. Even if you use Java for running programs on your computer, you can disable its Web browser plug-in so Web-based applets (a common mode for attacks) will only run on-demand and not on-access.
- Monitor launch agent and launch daemon folders
As with many other malware programs, this one uses a launch agent to keep the program running. There are several methods in OS X to have programs automatically launch, and launch daemons and agents are attractive options because they are relatively hidden and can be named something that sounds official, such as the one in this current attack that looks like an Apple audio service component.
Often application installers and system updates will use launch agents to schedule tasks, but nothing in OS X prevents unwanted processes from setting up their own maliciously crafted launch agents in the system, especially if the malware exploits vulnerabilities that give it administrative-level access to system folders. However, to combat this you can use built-in OS X services to set up a launch agent monitor that will notify you anytime a launch agent or daemon is added to any one of the relevant system folders, so you can at least investigate whether or not any new ones are legitimate. It's a safe bet that if they randomly appear without you purposefully running an installer or update, they are likely malicious in nature.
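As an added example (not from the original article), here is one way to build such a monitor with nothing but what OS X ships with: a shell script that records a baseline of the launchd folders and reports any plist that was not there before, plus a launchd agent plist whose `WatchPaths` key runs that script whenever one of the folders changes. `WatchPaths`, `Label` and `ProgramArguments` are real launchd keys; the label `local.launchitem-monitor`, the script path and the baseline file location are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: a launch-item monitor for the launchd folders the article
# names. Everything below uses only stock OS X tools (sh, launchd).
set -u

# Folders launchd scans; the first two are system-wide (root-owned), the
# last is per-user. A user-level agent can still *watch* all three.
LAUNCH_DIRS="/Library/LaunchAgents /Library/LaunchDaemons ${HOME:-}/Library/LaunchAgents"

# Print every .plist in the given folders, one path per line, sorted.
snapshot_launch_items() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        for f in "$d"/*.plist; do
            [ -e "$f" ] && printf '%s\n' "$f"
        done
    done | sort
}

# Compare a saved baseline against the folders' current contents and print
# only the items that were not in the baseline: these are the ones to
# investigate (was an installer or update just run, or did this appear alone?).
new_launch_items() {
    baseline="$1"; shift
    snapshot_launch_items "$@" | while IFS= read -r item; do
        grep -qxF -- "$item" "$baseline" || printf 'NEW: %s\n' "$item"
    done
}

# Write a launchd agent plist that runs SCRIPT whenever any of the watched
# folders changes. launchd's WatchPaths fires on any modification of the
# listed paths, so new, changed and deleted plists all trigger the script.
write_watch_plist() {
    out="$1"; script="$2"; shift 2
    {
        printf '<?xml version="1.0" encoding="UTF-8"?>\n'
        printf '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
        printf '<plist version="1.0">\n<dict>\n'
        printf '  <key>Label</key><string>local.launchitem-monitor</string>\n'
        printf '  <key>ProgramArguments</key><array><string>%s</string></array>\n' "$script"
        printf '  <key>WatchPaths</key>\n  <array>\n'
        for d in "$@"; do printf '    <string>%s</string>\n' "$d"; done
        printf '  </array>\n</dict>\n</plist>\n'
    } > "$out"
}

# Typical use (assumed paths):
#   snapshot_launch_items $LAUNCH_DIRS > "$HOME/.launchitems.baseline"
#   write_watch_plist "$HOME/Library/LaunchAgents/local.launchitem-monitor.plist" \
#       /usr/local/bin/check-launchitems.sh $LAUNCH_DIRS
#   launchctl load "$HOME/Library/LaunchAgents/local.launchitem-monitor.plist"
# where check-launchitems.sh calls new_launch_items against the baseline and
# hands any "NEW:" lines to a notification of your choice (e.g. osascript).
```

The baseline file should be refreshed deliberately after you install or update software yourself; anything that shows up between refreshes without such an action is exactly the case the article describes, and the plist path is what to inspect (its `ProgramArguments` tells you what it launches). Note that a user-level agent runs as you, so it can read the system folders but cannot remove a root-owned plist; removal of a system-wide item still requires an administrator.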