Researchers at Kaspersky Lab have confirmed that a new variant of malware targeting Macs is a directed attack. Called SabPub, the Trojan allows the attackers full control over the system, and unlike Flashback - the other Mac malware dominating the headlines - this one seems to have a distinct reason for living.
Kaspersky calls the SabPub discovery proof that it is an APT. I, along with many others in the industry, am not a fan of the term mostly because its roots are in marketing and not security. However, at the heart of the term is the notion that someone is deliberately attacking an organization’s network or assets, and they’re doing so with little to no resistance. In this case, that’s exactly what SabPub is doing.
SabPub's infection levels are low, something that marks it as a possible directed attack, Kaspersky says. It spreads via Microsoft Word documents, and leverages the same Java vulnerability used by Flashback in order to gain a foothold on the computer. Once it is installed on a Mac, it will connect to a C&C and wait for instructions. On a whim, Kaspersky installed SabPub on a test system and let it run.
“The attackers seized control of the infected system and started analyzing it. They sent commands to view the contents of root and home folders and even downloaded some of the fake documents stored in the system. This analysis was most likely performed manually, and not using some automated system, which is unlikely in the widespread “mass-market” malware. Therefore, it can be confirmed that this backdoor is an example of an Advanced Persistent Threat in active use,” the Russian security firm explained in a statement.
“The contents of one of the SabPub-related documents contained direct references to the Tibetan community. Meanwhile, the obvious connection between SabPub and another targeted attack for Windows-based machines known as LuckyCat points to diverse and widespread criminal activity with the same origin.”
It’s important to remember that this latest Mac threat isn’t Mac alone. Windows users are just as vulnerable to it depending on their system setup and personal computing habits.
“The SabPub backdoor once again reveals that not a single software environment is invulnerable,” Kaspersky’s Chief Security Expert, Alexander Gostev, said.
For more information, SecurityWeek’s Brian Prince covered Kaspersky’s earlier SabPub research last week. You can read that article here. In related news, Symantec has also discovered a variant of SabPub. Their analysis is here.