The Latest in IT Security

New Mac Malware Found on Dalai Lama Related Website

03 Dec 2012

Acting on a tip, a member of our Threat Research team (Brod) has discovered that a Dalai Lama-related website has been compromised and is pushing new Mac malware, called Dockster, via a Java-based exploit.

Page source from gyalwarinpoche.com:

(screenshot of the page source, showing the .jar reference)

Here’s a screenshot of gyalwarinpoche.com from Google’s cache:

gyalwarinpoche.com, cached image

Note: Google’s November 27th snapshot also includes a link to the malicious exploit (so don’t visit).

The gyalwarinpoche site doesn’t seem to be as “official” as dalailama.com:

(screenshot of dalailama.com)

But it’s been around since 2009/2010 and the name is the same as the Dalai Lama’s YouTube channel.

And the Whois information is similar:

whois: dalailama.com (screenshot)

whois: gyalwarinpoche.com (screenshot)

The Java-based exploit uses the same vulnerability as “Flashback”, CVE-2012-0507. Current versions of Mac OS X, and systems with the browser’s Java plugin disabled, should be safe from the exploit. The malware dropped, Backdoor:OSX/Dockster.A, is a basic backdoor with file download and keylogger capabilities.

This is not the first time gyalwarinpoche.com has been compromised, and it certainly isn’t the first time Tibetan-related NGOs have been targeted. Read more here and here.

There is also an exploit, CVE-2012-4681, with a Windows-based payload: Trojan.Agent.AXMO.

MD5 info:

Exploit:Java/CVE-2012-0507.A – 5415777DB44C8D808EE3A9AF94D2A4A7
Backdoor:OSX/Dockster.A – c6ca5071907a9b6e34e1c99413dcd142
Exploit:Java/CVE-2012-4681.H – 44a67e980f49e9e2bed97ece130f8592
Trojan.Agent.AXMO – c3432c1bbdf17ebaf1e10392cf630847
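As an added example (not code from the post), a small Python scanner that walks a directory and flags any file whose MD5 matches one of the indicators listed above. The directory to scan is an assumption passed on the command line.

```python
import hashlib
import os
import sys

# Indicators published in the post (MD5, lower-cased for comparison),
# mapped to the detection names the post gives them.
DOCKSTER_IOCS = {
    "5415777db44c8d808ee3a9af94d2a4a7": "Exploit:Java/CVE-2012-0507.A",
    "c6ca5071907a9b6e34e1c99413dcd142": "Backdoor:OSX/Dockster.A",
    "44a67e980f49e9e2bed97ece130f8592": "Exploit:Java/CVE-2012-4681.H",
    "c3432c1bbdf17ebaf1e10392cf630847": "Trojan.Agent.AXMO",
}


def md5_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large caches are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_for_iocs(root, iocs=DOCKSTER_IOCS):
    """Walk `root` and return a list of (path, detection_name) pairs for every
    file whose MD5 appears in `iocs`. Files that cannot be read are skipped
    rather than aborting the whole scan."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_of_file(path)
            except OSError:
                continue
            if digest in iocs:
                hits.append((path, iocs[digest]))
    return hits


if __name__ == "__main__":
    # Assumed usage: python scan.py <directory>, e.g. a user's Downloads folder
    # or the browser's Java cache (paths are not given in the post).
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, detection in scan_for_iocs(root):
        print(f"{detection}\t{path}")
```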
