Intego has come across a sample of the threat on VirusTotal

Sep 12, 2013 09:55 GMT

Security researchers from Intego have uncovered a third variant of the Mac malware dubbed “Tibet.” 

The first version of this threat, OSX/Tibet.A, was spotted back in March 2012. At the time, experts named it Tibet because it was found in emails specifically sent to Tibetan non-governmental organizations.

Now, Intego has come across the OSX/Tibet.C malware. The sample was identified on VirusTotal, and it has been catalogued as a low-risk threat.

The threat is distributed via a Java applet hosted on a website. A couple of recently patched Java vulnerabilities (CVE-2013-2465 and CVE-2013-2471) are exploited in an effort to automatically download and launch a Java archive that contains a backdoor.

Once it’s installed on a system, Tibet.C creates a couple of files. One of them, /Library/LaunchAgents/com.apple.AudioService.plist, ensures that the malware is executed on each startup. The second file, /Library/Audio/Plug-Ins/Components/AudioService, is the actual backdoor.
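A check for the two files named above, as an added example that is not code from Intego or from the original article. It also flags any launch agent that starts the backdoor path under a different file name; the function names, the fixture and the plist contents (a ProgramArguments entry pointing at the backdoor) are assumptions made for illustration.

```python
import plistlib
import tempfile
from pathlib import Path

# Indicators as reported in the article for OSX/Tibet.C.
AGENT_PLIST = "Library/LaunchAgents/com.apple.AudioService.plist"
BACKDOOR = "Library/Audio/Plug-Ins/Components/AudioService"


def job_program(job):
    """Executable a launchd job starts: Program, else ProgramArguments[0]."""
    args = job.get("ProgramArguments") or [""]
    return str(job.get("Program") or args[0])


def scan(root):
    """Return (path, reason) findings under root ('/' live, or a mounted image)."""
    root = Path(root)
    findings = []
    for rel in (AGENT_PLIST, BACKDOOR):
        if (root / rel).exists():
            findings.append((rel, "path named in the article exists"))
    # Also catch a renamed plist that still launches the backdoor path.
    for plist in sorted((root / "Library/LaunchAgents").glob("*.plist")):
        try:
            job = plistlib.loads(plist.read_bytes())
        except Exception:  # damaged or non-plist file: report, keep scanning
            findings.append((plist.name, "unparseable plist"))
            continue
        if isinstance(job, dict) and job_program(job) == "/" + BACKDOOR:
            findings.append((plist.name, "launches the backdoor path"))
    return findings


def build_constructed_root():
    """Constructed fixture: a fake volume holding both files (contents assumed)."""
    root = Path(tempfile.mkdtemp())
    (root / BACKDOOR).parent.mkdir(parents=True)
    (root / BACKDOOR).write_bytes(b"constructed placeholder, not malware")
    (root / AGENT_PLIST).parent.mkdir(parents=True)
    job = {"Label": "com.apple.AudioService", "RunAtLoad": True,
           "ProgramArguments": ["/" + BACKDOOR]}  # assumed plist contents
    (root / AGENT_PLIST).write_bytes(plistlib.dumps(job))
    return root


if __name__ == "__main__":
    for item, reason in scan(build_constructed_root()):
        print(f"{item}: {reason}")
```

On a live Mac, call scan("/"); for a forensic image, pass its mount point.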

The malware receives its commands from a server located in China.

Mac users can protect themselves against the threat with an antivirus program or by making sure their Java software is up to date.