New OSX/Imuler Variant Targeting Tibetan Activists

Posted on November 12th, 2012 by

A new OSX/Imuler variant, detected as OSX/Imuler.E, has been targeting Tibetan activists. It varies little from the previous Imuler variant, OSX/Imuler.D. A variety of droppers have been seen, the most recent of which purport to be group photos of Tibetan organizations.

Photo used as bait for social engineering with Imuler variant

This backdoor Trojan family was first discovered in September 2011 as a Mac PDF Trojan horse and has been targeting activist organizations with emails containing what appear to be pictures. Each variant has tried a different tactic, attempting either to scare or to entice its target into opening the file.

Like previous variants, once the Trojan is active, Imuler calls home to await further instructions. The Trojan survives reboot until the malicious files are removed.

The Imuler Trojan has two main methods of stealing information:

  1. It searches the system for user data
  2. It can also take screenshots

This data is then uploaded to the controller’s server. The Trojan creates a unique identifier for each infected Mac so that the data it collects can be linked to that machine. The backdoor also allows new files to be downloaded onto an affected system.

Intego VirusBarrier users with up-to-date virus definitions are protected from this threat, which is detected as Trojan:OSX/Imuler.E.

  • Matthew

    Will Gatekeeper prevent this trojan from installing?

    • LysaMyers

      Gatekeeper on OS X 10.8 should prevent this from launching if you open it from the email or if you download it. If you were to run it from a removable drive, for example, Gatekeeper won’t prevent it. The same should be true if you have enabled Gatekeeper on OS X 10.7.5 as well.

      • Matthew


  • Nestor Marquez

    I'm infected and the trojan is making VirusBarrier unable to run. I reinstalled, but it is not allowing VB to update definitions. What can I do?