Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Mac Malware Linked to ‘Luckycat’ Attack Campaign

Researchers at Kaspersky Lab have found a link between an advanced persistent threat known as Luckycat and a strain of Mac malware.

Researchers at Kaspersky Lab have found a link between an advanced persistent threat known as Luckycat and a strain of Mac malware.

The malware, known as SabPub, has been spotted spreading through malicious Microsoft Word documents exploiting the same Java vulnerability targeted by the now-notorious Flashback Trojan. The malware is believed to have first appeared earlier this year, and works by installing a backdoor on a compromised machine that allows it to receive commands from a remote server.

Mac MalwareThe Trojan has been linked by researchers at Kaspersky Lab to an ongoing attack campaign known as Luckycat. The campaign was reported by Trend Micro to be going after targets ranging from Tibetan activists to military research, aerospace and energy companies in India and Japan. A subsequent investigation by the New York Times identified a former graduate student from Sichuan University, in Chengdu, China.

Between June 2011 and March 2012, Luckycat has been linked to at least 90 attacks, Trend Micro said at the time.

“We are pretty sure the SabPub backdoor was created as far back as February 2012 and was distributed via spear-phishing emails,” blogged Costin Raiu of Kaspersky Lab. “It is also important to point that SabPub isn’t backdoor MaControl (the case was described here) but still uses the same topics to trick victims into opening it.

SabPub was the more effective attack because it remained undetected for almost two months!” SabPub is in many ways a basic backdoor Trojan horse, opined Sophos Senior Technology Consultant Graham Cluley.

“It connects to a control server using HTTP, receiving commands from remote hackers as to what it should do,” he noted. “The criminals behind the attack can grab screenshots from infected Macs, upload and download files, and execute commands remotely.”

In a previous blog post, Raiu noted that the Java exploits were obfuscated using Zelix KlassMaster to avoid detection by anti-malware products.

It has been a rough week for Mac security. The explosive growth of the Flashback Trojan dominated headlines lately, though the number of infections has tapered off. Part of the reason for that may be increased attention from the security community, which has released a number of free tools to remove the malware. Apple jumped into fray with its own tool as well.

“It’s time for Mac users to wake up and smell the coffee,” blogged Cluley. “Mac malware is becoming a genuine issue, and cannot be ignored any longer.”

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.

Register

Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Cybercrime

More than 3,800 servers around the world have been compromised in recent ESXiArgs ransomware attacks, which also include an improved process.