After our previous finding involving a targeted attack whose payload were OS-dependent, we encountered a more recent run that leads to a malicious file specifically affecting Mac OSX. The said malware, detected as TROJ_MDROPR.LB, is a Trojan being used in Pro-Tibetan targeted campaigns, as initially described by Alienvault.
In investigating the campaign, we found that the C&C being used in this particular attack is the same C&C we also saw being used by one of the Gh0stRat payloads in the series of Pro-Tibetan targeted attack campaigns we are seeing recently.
Here is a snapshot of the email containing the malicious .DOC attachment that dropped a Gh0stRat payload connecting to the said C&C:
Going back to TROJ_MDROPR.LB, we found details about a particular malicious document used in the campaign:
One of the routines executed by TROJ_MDROPR.LB is to drop and open a non-malicious .DOC file, in order to trick the user that they’ve opened a normal file.
This development in targeted attacks just shows that the groups behind campaigns such as this one are taking into consideration changes in the computing landscape, such as the increase in the number of Mac users. This adjustment to affect Macs also shows that they are refining their scope, and are really customizing their tools to suit their targets.
In this light, and knowing that the MAC OSX arena has seen in its fair share of threats increasing, it is advisable to be aware that MAC OSX can also be targeted, and seen as a new playing field for these groups behind targeted attacks and APTs to further their agenda.
More on this as we are continuously investigating this. Stay tuned.
Updates as of March 29, 2012 12:23 PM (PST)
The backdoor that is dropped by TROJ_MDROPR.LB is detected by Trend Micro as OSX_KONTROL.EVL.
Updates as of March 30, 2012 5:24 AM (PST)
The other file dropped by TROJ_MDROPR.LB is now detected as OSX_KONTROL.HVN.