New Mac Malware Variant Targeting Tibetan Activists

Tibetan activists are being targeted by a new variant of the Imuler (Revir) Trojan that was originally discovered in September. The attack is launched via email, and uses images of other pro-Tibetan groups as bait in order to encourage the victim into opening files.

According three different security firms – Sophos, F-Secure, and Intego, the current build of Imuler is just like the others. It steals data by searching the victim’s computer for files and by using screen shots. The reason that Imuler is so interesting is that it targets systems running Mac OS X.

“This data is then uploaded to the controller’s server. It creates a unique identifier for the specific Mac to be able to link the Mac and the data it collects. The backdoor also allows new files to be downloaded onto an affected system,” according to Intego.

This latest attack seems to be targeting sympathizers of the Dalai Lama and the Tibetan government. As is the case with the previous two Imuler attacks, a successful compromise ensures data loss and complete control of the system is ceded to the attacker. As for who is behind the attack, speculation hasn’t changed there either.

“It will be left as an exercise to the reader to come up with a shortlist of who might have an interest in breaking into the computers of Tibetan organisations,” commented Sophos’ Graham Cluley.

Earlier this year, another Mac-based attack was targeting supporters of Tibet. The Trojan, named “Mac Control” by its authors, executes when the system starts, and will established a connection to the C&C in order to wait for commands. Investigation into the malware itself shows it has the ability to allow remote shells, as well as the ability to send, receive, and delete files.