There is now a third variant of the Mac malware called “Tibet.”
The first version of the malware, OSX/Tibet.A, came into the spotlight in March 2012. At the time, experts called it Tibet because they found it in emails sent specifically to Tibetan non-governmental organizations, said researchers at security firm Intego.
Now, Intego has come across the OSX/Tibet.C malware. They identified the sample on VirusTotal, and they consider it a low-risk threat.
The threat is distributed via a Java applet hosted on a website. The applet exploits two patched Java vulnerabilities (CVE-2013-2465 and CVE-2013-2471) to automatically download and launch a Java archive that contains a backdoor.
Once installed on a system, Tibet.C creates a couple of files. One of them, /Library/LaunchAgents/com.apple.AudioService.plist, ensures the malware executes on each startup. The second file, /Library/Audio/Plug-Ins/Components/AudioService, is the actual backdoor.
The malware receives its commands from a server located in China.
Mac users can protect themselves against the threat with an antivirus program or by making sure their Java software is up to date.
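As an added example (not from Intego or the original article), the Python sketch below checks a Mac for the two file paths named above. It also goes beyond them by flagging any com.apple.* agent in /Library/LaunchAgents whose program lies outside Apple's usual directories. The function names, the `APPLE_PREFIXES` list and the plist contents written by `demo()` are assumptions constructed for illustration.

```python
import plistlib, tempfile
from pathlib import Path

# The two file paths the article reports for OSX/Tibet.C.
TIBET_C_PATHS = (
    "/Library/LaunchAgents/com.apple.AudioService.plist",
    "/Library/Audio/Plug-Ins/Components/AudioService",
)
# Assumption of this example: prefixes where Apple-shipped binaries live.
APPLE_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/")

def job_program(job):
    """Executable a launchd job runs: Program, else ProgramArguments[0]."""
    if not isinstance(job, dict):
        return ""
    args = job.get("ProgramArguments") or [""]
    return str(job.get("Program") or args[0])

def scan(root="/"):
    """Return (kind, detail) findings for the filesystem rooted at `root`."""
    root = Path(root)
    findings = [("tibet-c-file", p) for p in TIBET_C_PATHS
                if (root / p.lstrip("/")).exists()]
    for plist in sorted((root / "Library/LaunchAgents").glob("*.plist")):
        try:
            with plist.open("rb") as fh:
                program = job_program(plistlib.load(fh))
        except Exception:  # malformed or unreadable plist: report, keep going
            findings.append(("unreadable-plist", plist.name))
            continue
        # Heuristic (can false-positive): a com.apple.* agent here whose binary
        # sits outside Apple locations is borrowing Apple's name.
        if plist.name.startswith("com.apple.") and not program.startswith(APPLE_PREFIXES):
            findings.append(("apple-named-agent", f"{plist.name} -> {program}"))
    return findings

def demo():
    """Run scan() over a constructed fake root; plist contents are made up."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for p in TIBET_C_PATHS:
            (root / p.lstrip("/")).parent.mkdir(parents=True, exist_ok=True)
        (root / TIBET_C_PATHS[1].lstrip("/")).write_bytes(b"placeholder")
        jobs = {"com.apple.AudioService": {"ProgramArguments": [TIBET_C_PATHS[1]]},
                "org.example.updater": {"Program": "/usr/local/bin/updater"}}
        for label, job in jobs.items():
            with (root / f"Library/LaunchAgents/{label}.plist").open("wb") as fh:
                plistlib.dump({"Label": label, **job}, fh)
        return scan(root)
```

Calling `scan("/")` on a Mac returns an empty list when neither file is present and no Apple-named agent looks out of place; `demo()` exercises the same logic against a temporary directory.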