Researchers at Kaspersky Lab have confirmed that a new variant of malware targeting Macs is a directed attack. Called SabPub, the Trojan allows the attackers full control over the system, and unlike Flashback – the other Mac malware dominating the headlines – this one seems to have a distinct reason for living.
Kaspersky calls the SabPub discovery proof that it is an APT. I, along with many others in the industry, am not a fan of the term mostly because its roots are in marketing and not security. However, at the heart of the term is the notion that someone is deliberately attacking an organization’s network or assets, and they’re doing so with little to no resistance. In this case, that’s exactly what SabPub is doing.
SabPub’s infection levels are low, something that marks it as a possible directed attack, Kaspersky says. It spreads via Microsoft Word documents, and leverages the same Java vulnerability used by Flashback in order to gain a foothold on the computer. Once it is installed on a Mac, it will connect to a C&C and wait for instructions. On a whim, Kaspersky installed SabPub on a test system and let it run.
“The attackers seized control of the infected system and started analyzing it. They sent commands to view the contents of root and home folders and even downloaded some of the fake documents stored in the system. This analysis was most likely performed manually, and not using some automated system, which is unlikely in the widespread “mass-market” malware. Therefore, it can be confirmed that this backdoor is an example of an Advanced Persistent Threat in active use,” the Russian security firm explained in a statement.
“The contents of one of the SabPub-related documents contained direct references to the Tibetan community. Meanwhile, the obvious connection between SabPub and another targeted attack for Windows-based machines known as LuckyCat points to diverse and widespread criminal activity with the same origin.”
It’s important to remember that this latest Mac threat isn’t Mac alone. Windows users are just as vulnerable to it depending on their system setup and personal computing habits.
“The SabPub backdoor once again reveals that not a single software environment is invulnerable,” Kaspersky’s Chief Security Expert, Alexander Gostev, said.
For more information, SecurityWeek’s Brian Prince covered Kaspersky’s earlier SabPub research last week. You can read that article here. In related news, Symantec has also discovered a variant of SabPub. Their analysis is here.
More from Steve Ragan
- Anonymous Claims Attack on IP Surveillance Firm Brickcom, Leaks Customer Data
- Workers Don’t Trust Employers with Personal Data: Survey
- Root SSH Key Compromised in Emergency Alerting Systems
- Morningstar Data Breach Impacted 184,000 Clients
- Microsoft to Patch Seven Flaws in July’s Patch Tuesday
- OpenX Addresses New Security Flaws with Latest Update
- Ubisoft Breached: Users Urged to Change Passwords
- Anonymous Targets Anti-Anonymity B2B Firm Relead.com
Latest News
- Stealthy APT Gelsemium Seen Targeting Southeast Asian Government
- Nigerian Pleads Guilty in US to Million-Dollar BEC Scheme Role
- 900 US Schools Impacted by MOVEit Hack at National Student Clearinghouse
- City of Dallas Details Ransomware Attack Impact, Costs
- In-the-Wild Exploitation Expected for Critical TeamCity Flaw Allowing Server Takeover
- Predator Spyware Delivered to iOS, Android Devices via Zero-Days, MitM Attacks
- Researchers Discover Attempt to Infect Leading Egyptian Opposition Politician With Predator Spyware
- In Other News: New Analysis of Snowden Files, Yubico Goes Public, Election Hacking
