In a series of targeted attacks on non-governmental organisations (NGOs) in Tibet, the attackers took aim not only at Windows systems but also at Macs. The attackers sent the NGOs emails containing either malicious Office files or links to a malicious web site. Some of the Office files could infect Macs by exploiting a security hole in Office for Mac. The hole was patched three years ago, but the patch is, of course, only effective if it has actually been installed.

The links in the emails led to pages containing a Java exploit for a vulnerability (CVE-2011-3544) that was fixed last November. The distinctive feature of this attack was a dropper on the web site that could infect both Windows and Macs, provided an up-to-date Java runtime was not installed. Depending on which operating system loaded the page, detected by examining the browser's user agent string, an appropriate payload was selected that opened a back door into the system for the attackers to use.
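
The same user-agent logic the dropper used to pick a payload is what an incident responder turns around when triaging the web-server or proxy logs for the malicious landing page. The following is an added example, not code from the article or from Eset, showing that triage: it parses Apache combined-format log lines, classifies the visiting OS from the user agent the way the dropper would, and, for the Java plugin's own JAR request (whose user agent carries a `Java/1.x.y_uu` token), checks whether the reported Java version predates the fix for CVE-2011-3544 (Oracle Java SE 6 Update 29 / Java SE 7 Update 1, October 2011). The log lines, IP addresses, paths and the exact wording of the user-agent strings are constructed for the example; the payload names come from the article.

```python
import re

# Constructed Apache combined-format log lines for a hypothetical landing page.
# Each host first loads the page with its browser, then the Java plugin fetches
# the applet JAR with its own user agent (which carries the Java version).
SAMPLE_LOG = """\
10.0.0.5 - - [14/Mar/2012:09:12:01 +0000] "GET /news/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0) Gecko/20100101 Firefox/10.0"
10.0.0.5 - - [14/Mar/2012:09:12:03 +0000] "GET /news/applet.jar HTTP/1.1" 200 34000 "-" "Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_26"
10.0.0.7 - - [14/Mar/2012:09:15:44 +0000] "GET /news/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/534.52.7 (KHTML, like Gecko) Version/5.1.2 Safari/534.52.7"
10.0.0.7 - - [14/Mar/2012:09:15:46 +0000] "GET /news/applet.jar HTTP/1.1" 200 34000 "-" "Mozilla/4.0 (Mac OS X 10.7.2) Java/1.6.0_26"
10.0.0.9 - - [14/Mar/2012:09:20:10 +0000] "GET /news/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/534.52.7 (KHTML, like Gecko) Version/5.1.2 Safari/534.52.7"
10.0.0.9 - - [14/Mar/2012:09:20:12 +0000] "GET /news/applet.jar HTTP/1.1" 200 34000 "-" "Mozilla/4.0 (Mac OS X 10.7.2) Java/1.6.0_29"
"""

# Apache "combined" log format: ip ident user [ts] "req" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Java plugin user agents end in e.g. "Java/1.6.0_26": major 6, update 26.
JAVA_RE = re.compile(r"Java/1\.(?P<major>\d+)\.\d+_(?P<update>\d+)")

# Payload the article says the dropper served for each platform.
PAYLOAD_BY_OS = {"windows": "Gh0st RAT variant", "mac": "OSX/Lamadai.A"}


def parse_line(line):
    """Return the fields of one combined-format log line, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_os(ua):
    """Mimic the dropper's platform check on the user agent string."""
    if "Windows" in ua:
        return "windows"
    if "Mac OS X" in ua or "Macintosh" in ua:
        return "mac"
    return "other"


def java_version(ua):
    """Extract (major, update) from a Java plugin user agent, else None."""
    m = JAVA_RE.search(ua)
    if not m:
        return None
    return int(m.group("major")), int(m.group("update"))


def is_vulnerable_java(ver):
    """True if the Java version predates the CVE-2011-3544 fix (6u29 / 7u1)."""
    major, update = ver
    if major < 6:
        return True
    if major == 6:
        return update < 29
    if major == 7:
        return update < 1
    return False


def triage(log_text):
    """Per client IP: detected OS, Java version seen, and whether the host
    fetched the applet with a Java runtime still vulnerable to CVE-2011-3544."""
    hosts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        h = hosts.setdefault(
            rec["ip"], {"os": "other", "java": None, "likely_exploited": False}
        )
        os_name = classify_os(rec["ua"])
        if os_name != "other":
            h["os"] = os_name
        ver = java_version(rec["ua"])
        if ver is not None and rec["path"].endswith(".jar"):
            h["java"] = ver
            h["likely_exploited"] = is_vulnerable_java(ver)
        h["expected_payload"] = PAYLOAD_BY_OS.get(h["os"], "none")
    return hosts


if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG).items():
        print(ip, info)
```

Hosts flagged `likely_exploited` are the ones to image and to check for the platform-specific payload; the Java version parsed from the JAR request is evidence, not proof, of compromise, since the exploit can still fail and the dropper's own selection is only as good as the user agent it saw.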

On a Windows system, the payload deployed was a variant of Gh0st RAT (Remote Access Trojan). On the Mac, a new payload dubbed OSX/Lamadai.A was used. Eset analysed this payload and found that it copied itself into /Library/Audio/Plug-Ins/AudioServer, which, for OS X 10.7.2 users at least, appears to mean it is not persistent. Once installed it attempts to contact a C&C server over an encrypted connection. Eset observed an attacker connect to a test machine, browse the file system, then take the keychain file and Safari's cookie store. The vulnerability in the Mac Java runtime was patched in Java for Mac OS X 10.7 Update 1 and 10.6 Update, released in November.

(djwm)