<<<
Tuesday, April 17, 2012
>>>
 
More Mac Malware Exploiting Java Posted by Brod @ 09:07 GMT

Reports of new Mac malware variants exploiting CVE-2012-0507 surfaced last week. The Java vulnerability is the same one used by Flashback to infect more than 600 thousand Macs.

The first new threat was analyzed by the folks at Trend Micro. The Java applet for Mac actually exploits CVE-2012-0507, and if successful, the payload is the same malware that AlienVault Labs discovered last month (being used in targeted attacks against human rights NGOs).

The second threat seems to be a completely new piece of malware at first. However, succeeding samples that have been collected reveal that the malware is also being dropped by the same word documents exploiting MS09-027/CVE-2009-0563, used to drop Backdoor:OSX/Olyx.C and Backdoor:OSX/MacKontrol.A. Which was also reported by AlienVault last month.

Both malware seem to be active at the moment and are controlled manually as observed by ESET and Kaspersky respectively. Both use the same malicious Java class dropper component. MD5: 5a7bafcf8f0f5289d079a9ce25459b4b

F-Secure antivirus detects these threats as Backdoor:OSX/Olyx.B and Backdoor:OSX/Sabpab.A.

MD5: 78f9bc441727544ebdc8374da4a48d3f – Backdoor:OSX/Olyx.B (also known as Lamadai.A)
MD5: 40c8786a4887a763d8f3e5243724d1c9 – Backdoor:OSX/Sabpab.A (also known as Lamadai.B)
MD5: 3aacd24db6804515b992147924ed3811 – Backdoor:OSX/Sabpab.A

These malware variants are being used in targeted attacks against Tibetan focused NGOs and are therefore very unlikely to be encountered "in-the-wild" by day to day Mac users. If you're a Mac using human rights lawyer however… your odds of exposure are another matter entirely. If you don't have it already, now is the time to install antivirus on your Mac.






<<< Trojan:W32/Ransomcrypt
|
Ransomcrypt Decryption Script >>>