Softpedia
 
HomepageWindowsGamesDriversMacLinuxScripts buttonMobileHandheldNews

NEWS CATEGORIES:



NEWS ARCHIVE >>
SOFTPEDIA REVIEWS >>
MEET THE EDITORS >>
TRENDING TODAY
Home > News > Security > Virus alerts

April 16th, 2012, 09:33 GMT · By

New SabPub Mac Trojan Found to Be Linked to APT Attacks

SHARE:

Adjust text size:

SabPub masterminds manually list folder content
Enlarge picture
Security researchers from Kaspersky have found a new piece of malware that currently targets Mac OS X users. It’s called OSX.SabPub and it’s a backdoor Trojan that’s connected to the advanced persistent threat (APT) attacks known as Luckycat.

According to experts, currently there are at least two variants of SabPub, one of them being created sometime in February 2012.

Distributed in spear-phishing attacks and hiding as Microsoft document files, it’s believed that the piece of malware is designed to target Tibetan activists.

After performing a series of tests using a decoy system, Kaspersky Lab experts have been able to determine that the bot’s command and control (C&C) server was hosted on a VPS in Freemont, United States.

The cybercriminals that run the campaign have manually checked the “goat” system in an attempt to extract sensitive information from it.

“The attackers took over the connection and started analysing our fake victim machine. They listed the contents of the root and home folders and even stole some of the goat documents we put in there!,” Kaspersky’s Costin Raiu wrote.

While the variant of SabPub created in February leverages security holes found in Microsoft Office products, the newer version, developed in March, exploits Java vulnerabilities, similar to Flashback.

“The Java exploits appear to be pretty standard, however, they have been obfuscated using ZelixKlassMaster, a flexible and quite powerful Java obfuscator. This was obviously done in order to avoid detection from anti-malware products,” Raiu explained.

Currently, the APT that’s behind SabPub is active, researchers being confident that new variants will be seen in the upcoming days or weeks.

Unlike MaControl, another backdoor that was making the rounds in February 2012, SabPub is considered to be more effective because it managed to stay undetected for one and a half months.

Note. My Twitter account has been erroneously suspended. While this is sorted out, you can contact me via my author profile or follow me at @EduardKovacs1


2,482 hits
Link to this article · Print article · Send to friend

MUST-READ RELATED ARTICLES:


Russian Security Experts Analyze Backdoor.Flashback.39
KongFu Trojan Horse Hides in “Angry Birds Space” for Android
Samba Releases Update to Fix "Root" Credential Remote Code Execution
Java Vulnerability Exploited in the Wild by Flashback Mac Trojan
Pointer Corruption and Persistent Weakness Addressed by Skype (Video)

READER COMMENTS:



No user comments yet.
Be the first to express your opinion!
Copyright © 2001-2013 Softpedia. Contact/Tip us at

WindowsGamesDriversMacLinuxScriptsMobileHandheldNews

SUBMIT PROGRAM   |   ADVERTISE   |   GET HELP   |   SEND US FEEDBACK   |   RSS FEEDS   |   UPDATE YOUR SOFTWARE   |   ROMANIAN FORUM
© 2001 - 2013 Softpedia. All rights reserved.
Softpedia® and the Softpedia® logo are
registered trademarks of SoftNews NET SRL.		 Copyright Information | Privacy Policy | Terms of Use