Mac malware targeting Tibetan supporters is being served on a website connected to the Dalai Lama. The Dockster Trojan, discovered by researchers at F-Secure, exploits the same Java vulnerability as the virulent Flashback Trojan that hit more than 600,000 OS X users earlier this year.
F-Secure researcher Sean Sullivan said current versions of OS X are not vulnerable; users who have disabled the Java browser plug-in are also not vulnerable. Sullivan said Dockster is “a basic backdoor with file download and keylogger capabilities.”
Sophos, meanwhile, released an analysis of the problem and found two malicious Java applets embedded on the gyalwarinpoche [dot] com website that are serving the malware. Infected machines are susceptible to data theft.
Supporters of the Tibetan Government in Exile have been targeted before by similar attacks, including an email-based campaign in July, around the time of the Dalai Lama’s birthday. Those emails carried a malicious Microsoft Word attachment that exploited a vulnerability in Common Controls and dropped variants of the Midhos Trojan. In March, a Mac backdoor that was part of the GhostNet campaign against non-governmental organizations supporting Tibet was found.
Dockster, meanwhile, tries to exploit a vulnerability patched by Apple in April. According to CVE-2012-0507, attackers can exploit the hole to bypass Java sandbox restrictions. This is the same hole exploited by the Flashback Trojan.
Flashback initially posed as an Adobe Flash update and infected hundreds of thousands of computers, stealing credentials and other personal information via a keylogger that sent the data to a command-and-control server. Later variants targeted Java on OS X. Users landing on attacker-controlled sites were tricked into downloading the malware in order to view content, or it would install without user interaction. It was also capable of disabling Apple’s XProtect antimalware system.
F-Secure’s Sullivan, meanwhile, said that the Dalai Lama’s site is also serving a Windows-based exploit for CVE-2012-4681, the Agent.AXMO Trojan. The Trojan exploits a Java vulnerability that allows remote code execution using a malicious applet that is capable of bypassing the Java SecurityManager.