Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Kaspersky Confirms New Mac Trojan Used for Targeted Attacks

Researchers at Kaspersky Lab have confirmed that a new variant of malware targeting Macs is a directed attack. Called SabPub, the Trojan allows the attackers full control over the system, and unlike Flashback – the other Mac malware dominating the headlines – this one seems to have a distinct reason for living.

Researchers at Kaspersky Lab have confirmed that a new variant of malware targeting Macs is a directed attack. Called SabPub, the Trojan allows the attackers full control over the system, and unlike Flashback – the other Mac malware dominating the headlines – this one seems to have a distinct reason for living.

Kaspersky calls the SabPub discovery proof that it is an APT. I, along with many others in the industry, am not a fan of the term mostly because its roots are in marketing and not security. However, at the heart of the term is the notion that someone is deliberately attacking an organization’s network or assets, and they’re doing so with little to no resistance. In this case, that’s exactly what SabPub is doing.

SabPub’s infection levels are low, something that marks it as a possible directed attack, Kaspersky says. It spreads via Microsoft Word documents, and leverages the same Java vulnerability used by Flashback in order to gain a foothold on the computer. Once it is installed on a Mac, it will connect to a C&C and wait for instructions. On a whim, Kaspersky installed SabPub on a test system and let it run.

“The attackers seized control of the infected system and started analyzing it. They sent commands to view the contents of root and home folders and even downloaded some of the fake documents stored in the system. This analysis was most likely performed manually, and not using some automated system, which is unlikely in the widespread “mass-market” malware. Therefore, it can be confirmed that this backdoor is an example of an Advanced Persistent Threat in active use,” the Russian security firm explained in a statement.

“The contents of one of the SabPub-related documents contained direct references to the Tibetan community. Meanwhile, the obvious connection between SabPub and another targeted attack for Windows-based machines known as LuckyCat points to diverse and widespread criminal activity with the same origin.”

It’s important to remember that this latest Mac threat isn’t Mac alone. Windows users are just as vulnerable to it depending on their system setup and personal computing habits.

“The SabPub backdoor once again reveals that not a single software environment is invulnerable,” Kaspersky’s Chief Security Expert, Alexander Gostev, said.

For more information, SecurityWeek’s Brian Prince covered Kaspersky’s earlier SabPub research last week. You can read that article here. In related news, Symantec has also discovered a variant of SabPub. Their analysis is here.

Written By

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

A GitHub Codespaces feature meant to help with code development and collaboration can be abused for malware delivery.