Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Mac Malware Linked to ‘Luckycat’ Attack Campaign

Researchers at Kaspersky Lab have found a link between an advanced persistent threat known as Luckycat and a strain of Mac malware.

Researchers at Kaspersky Lab have found a link between an advanced persistent threat known as Luckycat and a strain of Mac malware.

The malware, known as SabPub, has been spotted spreading through malicious Microsoft Word documents exploiting the same Java vulnerability targeted by the now-notorious Flashback Trojan. The malware is believed to have first appeared earlier this year, and works by installing a backdoor on a compromised machine that allows it to receive commands from a remote server.

Mac MalwareThe Trojan has been linked by researchers at Kaspersky Lab to an ongoing attack campaign known as Luckycat. The campaign was reported by Trend Micro to be going after targets ranging from Tibetan activists to military research, aerospace and energy companies in India and Japan. A subsequent investigation by the New York Times identified a former graduate student from Sichuan University, in Chengdu, China.

Between June 2011 and March 2012, Luckycat has been linked to at least 90 attacks, Trend Micro said at the time.

“We are pretty sure the SabPub backdoor was created as far back as February 2012 and was distributed via spear-phishing emails,” blogged Costin Raiu of Kaspersky Lab. “It is also important to point that SabPub isn’t backdoor MaControl (the case was described here) but still uses the same topics to trick victims into opening it.

SabPub was the more effective attack because it remained undetected for almost two months!” SabPub is in many ways a basic backdoor Trojan horse, opined Sophos Senior Technology Consultant Graham Cluley.

“It connects to a control server using HTTP, receiving commands from remote hackers as to what it should do,” he noted. “The criminals behind the attack can grab screenshots from infected Macs, upload and download files, and execute commands remotely.”

In a previous blog post, Raiu noted that the Java exploits were obfuscated using Zelix KlassMaster to avoid detection by anti-malware products.

It has been a rough week for Mac security. The explosive growth of the Flashback Trojan dominated headlines lately, though the number of infections has tapered off. Part of the reason for that may be increased attention from the security community, which has released a number of free tools to remove the malware. Apple jumped into fray with its own tool as well.

Advertisement. Scroll to continue reading.

“It’s time for Mac users to wake up and smell the coffee,” blogged Cluley. “Mac malware is becoming a genuine issue, and cannot be ignored any longer.”

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

After the passing of Amit Yoran, Tenable has appointed Steve Vintz and Mark Thurmond as co-CEOs.

Former Wiz executive Trish Cagliostro has joined Orchid Security as Chief Revenue Officer.

Transcend has named former UnitedHealth Group CISO Aimee Cardwell as CISO in Residence.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.