After our previous finding involving a targeted attack whose payload were OS-dependent, we encountered a more recent run that leads to a malicious file specifically affecting Mac OSX. The said malware, detected as TROJ_MDROPPER.LB, is a MAC RAT/backdoor being used in Pro-Tibetan targeted campaigns, as initially described by Alienvault.
In investigating the campaign, we found that the C&C being used in this particular attack is the same C&C we also saw being used by one of the Gh0stRat payloads in the series of Pro-Tibetan targeted attack campaigns we are seeing recently.
Here is a snapshot of the email containing the malicious .DOC attachment that dropped a Gh0stRat payload connecting to the said C&C:
In this light, and knowing that the MAC OSX arena has seen in its fair share of threats increasing, it is advisable to be aware that MAC OSX can also be targeted, and seen as a new playing field for these groups behind targeted attacks and APTs to further their agenda.
More on this as we are continuously investigating this. Stay tuned.
Leave a reply