New OSX/Imuler Variant Targeting Tibetan Activists

Posted on by

A new OSX/Imuler variant, detected as OSX/Imuler.E, has been targeting Tibetan activists. This varies little from the previous Imular variant, OSX/Imuler.D. There have been a variety of droppers seen, the most recent of which purport to be group photos of Tibetan organizations.

Photo used as bait for social engineering with Imuler variant

This backdoor Trojan family was first discovered in September 2011 as a Mac PDF Trojan horse and has been targeting activist organizations with emails containing what appear to be pictures. Each variant has tried different tactics, either trying to scare or entice their target into opening the file.

Like previous variants, once the Trojan is active, Imuler calls home to await further instructions. The Trojan survives reboot until the malicious files are removed.

The Imuler Trojan has two main methods of stealing information:

  1. It searches the system for user data
  2. It can also take screenshots

This data is then uploaded to the controller’s server. It creates a unique identifier for the specific Mac to be able to link the Mac and the data it collects. The backdoor also allows new files to be downloaded onto an affected system.

Intego VirusBarrier users with up-to-date virus definitions are protected from this threat, which is detected as Trojan:OSX/Imuler.E.