Another Mac APT Attack Spotted

The SabPub APT is still active and is going after Mac machines

A rare Apple Mac-focused Advanced Persistent Threat (APT) has been spotted by security firm Kaspersky, just days after security companies and the iPhone maker started to succeed in tackling the Flashback malware.

The Russian firm discovered the new APT in analysing an old one, known as LuckyCat. The latter APT was using the MacControl malware.

APTs are campaigns in which cyber criminals seek continual intelligence from their targets by maintaining and managing malware on victim machines.

During its investigations, Kaspersky discovered six malicious Microsoft Word documents, four of which were installing the MacControl malware. The other two were dropping a Mac-focused bit of malicious software known as SabPub.

A ‘more effective’ Mac attack

SabPub has used the same trick as MacControl to dupe users into downloading it. In both cases spear phishing emails have been sent out to users, focusing on the Dalai Lama and the Tibetan community. But Kaspersky said “SabPub was more effective because it stayed undetected for more than 1.5 months.”

The SabPub malware is also using Java exploits to infect Mac OS X machines, just as the now-notorious Flashback Trojan did.

There are two variants of SabPub, both of which were created in the past couple of months. Kaspersky found a sample of one variant was uploaded to VirusTotal on 25 February from two US sources, with zero detections found. The most recent variant was created in March.

To analyse the threat and monitor what the attackers were doing, Kaspersky set up a fake infected system. The Russian security firm found the attackers were manually going inside the machine, pinching some of the documents Kaspersky had deliberately placed there.

“We are pretty confident the operation of the bot was done manually — which means a real attacker, who manually checks the infected machines and extracts data from them,” said Costin Raiu, director for the Kaspersky global research and analysis team, in a blog post. “We can therefore confirm SabPub as an APT in active stage.

“SabPub is still an active attack and we expect the attackers will release new variants of the bot … over the next days/weeks,” Raiu added.

Kaspersky’s findings again point to the vulnerability of Mac machines, which were once considered the safest computers around. Traditionally, hackers have targeted Windows systems much more than Apple computers, but the growth of Mac users has led to a shift in the landscape.

Flashback infected over 600,000 machines until Apple and the security community effectively killed off the threat last week.
