Security researchers from Intego have uncovered a third variant of the Mac malware dubbed “Tibet.”
The first version of this threat, OSX/Tibet.A, was spotted back in March 2012. At the time, experts named it Tibet because it was found in emails specifically sent to Tibetan non-governmental organizations.
Now, Intego has come across the OSX/Tibet.C malware. The sample was identified on VirusTotal, and it has been catalogued as a low-risk threat.
The threat is distributed via a Java applet hosted on a website. A couple of recently patched Java vulnerabilities (CVE-2013-2465 and CVE-2013-2471) are exploited in an effort to automatically download and launch a Java archive that contains a backdoor.
Once it’s installed on a system, Tibet.C creates a couple of files. One of them, /Library/LaunchAgents/com.apple.AudioService.plist, ensures that the malware is executed on each startup. The second file, /Library/Audio/Plug-Ins/Components/AudioService, is the actual backdoor.
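The two files named above can be checked for on a live Mac or a mounted disk image. The following is an added example, not code from Intego or the original article. The function names, the `root` parameter and the sample tree are hypothetical, and it assumes the launch agent names the backdoor in its `Program` or `ProgramArguments` key, so a plist under a different file name that starts the same path is reported too.

```python
import os
import plistlib
import tempfile

# Artifact paths reported in the article, relative to the filesystem root.
PLIST = "Library/LaunchAgents/com.apple.AudioService.plist"
BACKDOOR = "Library/Audio/Plug-Ins/Components/AudioService"

def job_targets(plist_file):
    """Return the executables a launchd job definition would start."""
    try:
        with open(plist_file, "rb") as fh:
            job = plistlib.load(fh)
    except Exception:  # unreadable or malformed plist: nothing to report
        return []
    if not isinstance(job, dict):
        return []
    args = job.get("ProgramArguments")
    targets = [job.get("Program")] + (args[:1] if isinstance(args, list) else [])
    return [t for t in targets if isinstance(t, str)]

def scan(root="/"):
    """Check a live system or a mounted image for the two reported files."""
    findings = []
    for label, rel in (("launch_agent", PLIST), ("backdoor", BACKDOOR)):
        if os.path.isfile(os.path.join(root, rel)):
            findings.append((label, "/" + rel))
    # Assumption: the agent names the backdoor in Program/ProgramArguments, so
    # a plist under another file name that starts the same path is also reported.
    agents = os.path.join(root, os.path.dirname(PLIST))
    for name in sorted(os.listdir(agents)) if os.path.isdir(agents) else []:
        if name != os.path.basename(PLIST) and name.endswith(".plist"):
            if "/" + BACKDOOR in job_targets(os.path.join(agents, name)):
                findings.append(("renamed_agent", "/" + os.path.dirname(PLIST) + "/" + name))
    return findings

def build_sample(root, agent_name):
    """Constructed test tree: an empty stand-in binary plus a launchd plist."""
    for rel in (PLIST, BACKDOOR):
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
    open(os.path.join(root, BACKDOOR), "wb").close()
    job = {"Label": "constructed.sample", "RunAtLoad": True,
           "ProgramArguments": ["/" + BACKDOOR]}
    with open(os.path.join(root, os.path.dirname(PLIST), agent_name), "wb") as fh:
        plistlib.dump(job, fh)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp, "com.apple.AudioService.plist")
        for finding in scan(tmp):
            print(finding)
```

Calling `scan()` with no argument checks the running system; passing the mount point of a disk image checks that image instead.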
The malware receives its commands from a server located in China.
Mac users can protect themselves against the threat with an antivirus program or by making sure their Java software is up to date.