The Latest in IT Security

Another Document Targeting Uyghur Mac Users

25
Apr
2013

We spotted a new variant of the documents used in the cyber attacks against Uyghur back in February.

This variant was first submitted to VirusTotal on April 11 from China. This time it uses IUHRDF, which may be a reference to International Uyghur Human Rights & Democracy Foundation, instead of Captain as the author:

Properties of poadasjkdasuodrr.doc

The payload is still the same besides using different filenames and command and control server.

It uses “alma.apple.cloudns.org” as the command and control server:

Command and control server name

It creates the following copy of itself and launch point:

~/Library/Application Support/.realPlayerUpdate
~/library/launchagents/realPlayerUpdate.plist

Or it may create the following instead (when executed with 2 parameters):

/Library/Application Support/.realPlayerUpdate
/library/LaunchDaemons/realPlayerUpdate.plist

It remains pretty much the same malware and is generically detected as Backdoor:OSX/CallMe.A since February.

MD5: ee84c5d626bf8450782f24fd7d2f3ae6 – poadasjkdasuodrr.doc
MD5: 544539ea546e88ff462814ba96afef1a – .realPlayerUpdate

Related posts:
  1. Malware Targeting Windows and MAC OSX
  2. Cyber Attacks Against Uyghur Mac OS X Users Intensify
  3. MS09-027 Target: Mac OSX & Tibetan NGOs
  4. Mac OS X Threat Masquerading as Image Files
  5. Flash Exploit Targets Uyghur Website

Tags:  
Written by F-Secure Antivirus Research Weblog
0 Comments

Leave a reply


Categories

SUNDAY, FEBRUARY 23, 2025
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments