A new variant of the Mac-based OS X Imuler Trojan has emerged and is targeting Tibetan rights activists, according to a report written by Lisa Myers of Web security firm Intego.
This latest variant, detected by Intego as OSX/Imuler.E, is a Trojan dropper that attempts to lure victims with promises of group photos of Tibetan organizations, Myers said. According to the report, once the Trojan infects its host, it phones home to its command and control server and awaits instruction.
Myers writes that OSX/Imuler can steal data in two ways: it can search the system for user data and it can take screenshots. Once it has collected the data, it uploads it to its C&C server tagged with a unique identifier, letting the attackers know which specific Mac the data came from.
In addition to the Trojan’s data-stealing capacity, it can also load new files to an infected system and survive reboot.
F-Secure researchers said whoever was responsible for the original OSX/Imuler Trojan, which they classify as two pieces of malware, a dropper called Revir and a backdoor called Imuler, probably rebuilt the Trojan in order to circumvent malware detection mechanisms.
The original version emerged in September 2011 and made a splash because its authors appeared to borrow the technique of hiding malware inside PDFs, which had long been effective in Windows attacks.