AlienVault has discovered a family of weaponised doc (MS-Office) files - in the wild - that are targeting the Apple Mac platform, which the company says is highly unusual given the low incidence of Apple Mac vulnerabilities.

According to Jaime Blasco, a researcher at AlienVault, the Security Information and Event Management (SIEM) solutions provider, the fact that the weaponised attacks are already in the wild is of concern, as it means that regular Mac users - many of whom do not have the kind of IT security software on their machines that their Windows colleagues do - are vulnerable to infection and computer hijacking.

The hackers behind this latest family of attacks are the same anti-Tibetan group that Blasco has been tracking and written about in several weeks. The pro-Chinese hackers are, he says, continuing to escalate the cold war - which has existed between the two countries for more than 60 years - into cyberspace.

"What is interesting about this latest attack vector is that, whilst the hacker group is the same one we have been tracking previously, they are now delivering two different Mac trojans - the first one that we detailed in an earlier posting – along with a new one with better capabilities," he said.

"We have also found some `debug symbols' in the program code that give us information about the identities of the hackers and their `Longgege' project. We also have a name for the new trojan - MacControl," he added.

The AlienVault researcher went on to say that, whilst direct information on the origins and target audience of these weaponised Doc files is scarce, the indications are that this element of the Longgege project is targeting the same Internet users and political pitch as seen with previous attacks.

Blasco says that the group behind this latest Longgege attack is almost certainly the same people identified by colleagues at Trend Micro earlier in the week and who are now turning their attention to vulnerable Apple Mac users.

This is, he adds, one of the few times we have ever seen a malicious Office file used to deliver Malware on to the Apple Mac platform and which exploits a remote code execution vulnerability that exists in the way that MS-Word handles a specially crafted file that includes a malformed record.

An attacker who successfully exploits this vulnerability, he explained, could take complete control of the user's Mac and networked computers plus other resources - potentially even an entire corporate network.

Put simply, says Blasco, this means that attackers could then install programs; view, change or delete data; or create new accounts with full user rights.

It's important to note, he adds, that users whose accounts have been configured to support fewer user rights on a given system are likely to be less impacted than users who operate with administrative user rights.

The MacControl trojan

Initial research by Blasco and his team suggests that several versions of the new MacControl trojan have been coded, including one with paths to debugging symbols, which may indicate the code has been written using a development package.

Once installed, the malware copies itself into the Library directory, as well as creating a new version in order to maintain persistence when the computer reboots.

After this, the trojan opens a connection to a remote command-and-control server, routing a variety of data to the remote destination, which resolves to an IP connection on the China Unicom Beijing province network.

"So far, so nasty, but the really bad news is that all the malware samples we have see to date have a 0/0 rate of detection. The weaponised doc files also seem to pass detection, suggesting the use of new and never-before-seen hacker coding techniques," he said.

"Our observations suggest that the hackers involved in this latest anti-Tibet hacker initiative are highly innovative in their malware obfuscation and coding techniques, as well as almost certainly having access to powerful coding platforms," he added.