# January 2004 to September 2015 **f-secure.com/weblog/archives/00002466.html** [<<<](https://www.f-secure.com/weblog/archives/00002465.html) NEWS FROM THE LAB - Monday, December 3, 2012 [>>>](https://www.f-secure.com/weblog/archives/00002467.html) **[ARCHIVES |](https://www.f-secure.com/weblog/archives/)** **[SEARCH](https://www.bing.com/search?q=site:f-secure.com/weblog)** **New Mac Malware Found on Dalai Lama Related** **Website** Posted by Sean @ 11:08 GMT Acting on a tip, a member of our Threat Research team (Brod) has discovered a Dalai Lama related website is compromised and is pushing new Mac malware, called Dockster, using a Java-based exploit. Page source from gyalwarinpoche.com: Here's a screenshot of gyalwarinpoche.com from Google's cache: ----- Note: Google's November 27th snapshot also includes a link to the malicious exploit (so don't visit). The gyalwarinpoche site doesn't seem to be as "official" as dalailama.com: [But it's been around since 2009/2010 and the name is the same as the Dalai Lama's](http://web.archive.org/web/20100313171014/http://www.gyalwarinpoche.com/) [YouTube channel.](http://www.youtube.com/user/gyalwarinpoche) And the Whois information is similar: ----- _dalailama.com_ _gyalwarinpoche.com_ The Java-based exploit uses the same vulnerability as "Flashback", CVE-2012-0507. Current versions of Mac OS X and those with their browser's Java plugin disabled should be safe from the exploit. The malware dropped, Backdoor:OSX/Dockster.A, is a basic backdoor with file download and keylogger capabilities. This is not the first time gyalwarinpoche.com has been compromised and it certainly isn't [the first time Tibetan related NGOs have been targeted. Read more here and](https://www.f-secure.com/weblog/archives/00002334.html) [here.](https://www.f-secure.com/weblog/archives/00002348.html) There is also an exploit, CVE-2012-4681, with a Windows-based payload: Trojan.Agent.AXMO. MD5 info: Exploit:Java/CVE-2012-0507.A — 5415777DB44C8D808EE3A9AF94D2A4A7 Backdoor:OSX/Dockster.A — c6ca5071907a9b6e34e1c99413dcd142 Exploit:Java/CVE-2012-4681.H — 44a67e980f49e9e2bed97ece130f8592 Trojan.Agent.AXMO — c3432c1bbdf17ebaf1e10392cf630847 -----