Mac Malware Linked to ‘Luckycat’ Attack Campaign

Researchers at Kaspersky Lab have found a link between an advanced persistent threat known as Luckycat and a strain of Mac malware.

The malware, known as SabPub, has been spotted spreading through malicious Microsoft Word documents exploiting the same Java vulnerability targeted by the now-notorious Flashback Trojan. The malware is believed to have first appeared earlier this year, and works by installing a backdoor on a compromised machine that allows it to receive commands from a remote server.

The Trojan has been linked by researchers at Kaspersky Lab to an ongoing attack campaign known as Luckycat. The campaign was reported by Trend Micro to be going after targets ranging from Tibetan activists to military research, aerospace and energy companies in India and Japan. A subsequent investigation by the New York Times identified a former graduate student from Sichuan University, in Chengdu, China.

Between June 2011 and March 2012, Luckycat has been linked to at least 90 attacks, Trend Micro said at the time.

“We are pretty sure the SabPub backdoor was created as far back as February 2012 and was distributed via spear-phishing emails,” blogged Costin Raiu of Kaspersky Lab. “It is also important to point that SabPub isn’t backdoor MaControl (the case was described here) but still uses the same topics to trick victims into opening it.

SabPub was the more effective attack because it remained undetected for almost two months!” SabPub is in many ways a basic backdoor Trojan horse, opined Sophos Senior Technology Consultant Graham Cluley.

“It connects to a control server using HTTP, receiving commands from remote hackers as to what it should do,” he noted. “The criminals behind the attack can grab screenshots from infected Macs, upload and download files, and execute commands remotely.”

In a previous blog post, Raiu noted that the Java exploits were obfuscated using Zelix KlassMaster to avoid detection by anti-malware products.

It has been a rough week for Mac security. The explosive growth of the Flashback Trojan dominated headlines lately, though the number of infections has tapered off. Part of the reason for that may be increased attention from the security community, which has released a number of free tools to remove the malware. Apple jumped into fray with its own tool as well.

“It’s time for Mac users to wake up and smell the coffee,” blogged Cluley. “Mac malware is becoming a genuine issue, and cannot be ignored any longer.”