NEWS FROM THE LAB - Monday, December 3, 2012

New Mac Malware Found on Dalai Lama Related Website Posted by Sean @ 11:08 GMT

Acting on a tip, a member of our Threat Research team (Brod) has discovered a Dalai Lama related website is compromised and is pushing new Mac malware, called Dockster, using a Java-based exploit.

Page source from gyalwarinpoche.com:

gyalwarinpoche.com --jar

Here's a screenshot of gyalwarinpoche.com from Google's cache:

gyalwarinpoche.com, cached image

Note: Google's November 27th snapshot also includes a link to the malicious exploit (so don't visit).

The gyalwarinpoche site doesn't seem to be as "official" as dalailama.com:


But it's been around since 2009/2010 and the name is the same as the Dalai Lama's YouTube channel.

And the Whois information is similar:

whois: dalailama.com

whois: gyalwarinpoche.com

The Java-based exploit uses the same vulnerability as "Flashback", CVE-2012-0507. Current versions of Mac OS X and those with their browser's Java plugin disabled should be safe from the exploit. The malware dropped, Backdoor:OSX/Dockster.A, is a basic backdoor with file download and keylogger capabilities.

This is not the first time gyalwarinpoche.com has been compromised and it certainly isn't the first time Tibetan related NGOs have been targeted. Read more here and here.

There is also an exploit, CVE-2012-4681, with a Windows-based payload: Trojan.Agent.AXMO.

MD5 info:

Exploit:Java/CVE-2012-0507.A — 5415777DB44C8D808EE3A9AF94D2A4A7
Backdoor:OSX/Dockster.A — c6ca5071907a9b6e34e1c99413dcd142
Exploit:Java/CVE-2012-4681.H — 44a67e980f49e9e2bed97ece130f8592
Trojan.Agent.AXMO — c3432c1bbdf17ebaf1e10392cf630847