Kaspersky has issued a press release highlighting the Backdoor.OSX.SabPub.a threat. The lab claims that SabPub has been confirmed as an Advanced Persistent Threat. (It is possible to detect and remove the SabPub threat using an Amsys tool.)
The release states that: “Unlike the Flashfake Trojan, which has revealed the theoretical dangers of an unprotected Mac OS X environment, the new malware is an example of how a vulnerable Apple computer can be fully controlled by cybercriminals.”
The release reads as follows:
The new backdoor was spotted by Kaspersky Lab researchers in early April 2012. Similar to Flashfake (also known as Flashback), it used certain vulnerabilities in Java Virtual Machine. The number of users infected with this malware is relatively low, which also suggests this backdoor is used in targeted attacks. After activation on an infected system, it connects to a remote website for instructions. The command and control server was hosted in the US and used a free dynamic DNS service to route the infected computers’ requests.
Subsequent events confirmed the initial theory that SabPub was part of a targeted attack. Kaspersky Lab’s experts set up a fake victim machine, infected by the backdoor and on 15 April discovered some unusual activity. The attackers seized control of the infected system and started analysing it. They sent commands to view the contents of the root and home folders and even downloaded some of the fake documents stored in the system. This analysis was most likely performed manually and not using some automated system, which is unlikely in the widespread ‘mass-market’ malware. Therefore, it can be confirmed that this backdoor is an example of an Advanced Persistent Threat in active use.
During the analysis of the backdoor, more details were uncovered about the infection vector of a targeted attack. Kaspersky Lab’s researchers have found six Microsoft Word documents, all of them containing the exploit. Two of them drop the SabPub payload. The attempt to open another four documents on a vulnerable system leads to infection with another Mac-specific malware. The contents of one of the SabPub-related documents contained direct references to the Tibetan community. Meanwhile, the obvious connection between SabPub and another targeted attack for Windows-based machines known as LuckyCat points to diverse and widespread criminal activity with the same origin.
Alexander Gostev, chief security expert at Kaspersky Lab, commented: “The SabPub backdoor once again reveals that not a single software environment is safe from attack. The relatively low number of malware for Mac OS X does not mean better protection. The most recent incidents like Flashfake and SabPub indicate that the personal data of unprotected Mac users is also at risk, either because cybercriminals understand the rising market share of such machines or because they are hired for the direct task of attacking Apple computers.”
The Backdoor.OSX.SabPub.a malware, along with the relevant exploits, is detected and remediated by Kaspersky Anti-Virus 2011 for Mac. More details about this Backdoor are available in the initial report and follow-up analysis at Securelist.com.