Latest Mac malware spies on infected computers. Bad news if you aren’t in China’s good books

Graham Cluley
Graham Cluley
@

 @grahamcluley.com
 @[email protected]

Evil appleSecurity researchers at Intego have reported the discovery of the latest variant of the OSX/Tibet Mac malware.

The malware, which Intego has dubbed OSX/Tibet.D, has been distributed in the form of a poisoned Java applet on compromised websites.

This ia common trick used by hackers today. Hackers breach a website known to be visited by a particular group of targets, rather than directly launch an attack against the targets themselves. Eventually someone visits the “watering hole” and their computer ends up poisoned and compromised.

In this particular case, visiting the website on an unpatched computer causes the Java archive to be dropped onto your Mac and launched without any user interaction. At that point, a secret backdoor is opened on the affected computer, contacting a command and control server based in China, and it can be used by a remote hacker to view and accesss files, as well as plant other code.

Sign up to our free newsletter.
Security news, advice, and tips.

Because the malware exploits recently patched Java vulnerabilities, it acts as good a reminder as any of the importance of keeping your computer software up-to-date with security fixes. And remember to ask yourself – do you really need Java enabled on your browser at all?

Previously, attacks like this have been targeted against the Tibetan government, Chinese supporters of the Dalai Lama, and other oppressed minority groups in China.

If I were a betting man, I would put money on those responsible for previous attacks as being likely to be behind OSX/Tibet.D as well.

Although this particular Mac malware isn’t likely to be encountered by anyone who isn’t an active critic of China in Tibet, it’s clear that sophisticated hackers are interested in infecting computers and using malware to spy upon their intended victims.

Mac users need to wake up to the need to run good anti-virus software as much as their Windows cousins. And, once again, it’s important to stress the importance of keeping web servers, and the software running on them, up-to-date with security patches to lessen the chances of hackers being capable of embedding malicious code.

This isn’t financially-motivated malware. This is plain and simple espionage.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.

4 comments on “Latest Mac malware spies on infected computers. Bad news if you aren’t in China’s good books”

  1. Gulraj

    Unfortuantely, at least one large vendor's corporate VPN offering is dependent on Java plugins.

  2. David Harley

    Actually, Graham, Intego are calling the new variant OSX/Tibet.D: the C variant is the one they found last year. Good to see you still fighting the good fight, though. :)

    1. Graham CluleyGraham Cluley · in reply to David Harley

      Oops. Thanks for the correction David

      Dontcha love malware naming?

      1. David Harley · in reply to Graham Cluley

        About as much as you do, I suspect. The names are either so generic that all they do is confuse the issue, or they refer to some arcane classification that the AV labs are not going to explain to the world in general. I've long thought that in most contexts, the hash is the only threat-name that matters.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.