Political activists with an interest in Chinese affairs are being targeted once again by a new backdoor Trojan campaign that almost certainly originates in the country, security companies have reported.
Based on the established MaControl (or MacControl) APT, the targets of the backdoor this time are Uighur activists running Windows and, interestingly, both Intel and old PowerPC-based Apple Macs.
As with previous anti-activist attacks with a Chinese connection, there is nothing unusual about the mechanics of the attack, which arrives in inboxes as a zip attachment containing an image and an application.
Launching the app opens the infected machine to information theft and remote control; the standard gamut of APT malware, in other words.
Beyond the fact that the politics of the Uighurs (a restive ethnic minority in China's north-west) is of interest to Chinese organisations, the command and control servers are registered inside the country. But there is more: whoever wrote or adapted the malware code added debug text in English that included the sort of spelling errors a non-native speaker might make.
“With Macs growing in popularity and their increased adoption by high profile targets, we expect the number of MacOS X APT attacks will also grow,” noted Kaspersky Lab researcher Costin Raiu, before adding that the Dalai Lama himself – a major target for Chinese nationalists – has recently been spotted using a Mac.
Security firm AlienVault has reported a separate version of the campaign that uses the well-known Gh0st RAT to hit PC users. In March, this was seen in an attack on pro-Tibetan sympathisers that bears some comparison with the new attack. By May, Gh0st RAT was even being served from the Amnesty International UK website.