
Another Mac APT Attack Spotted

A rare Advanced Persistent Threat (APT) aimed at Apple Macs has been spotted by security firm Kaspersky, just days after security companies and Apple began to get the Flashback malware under control.

The Russian firm found the new APT while analysing an existing one, known as LuckyCat, which was using the MacControl malware.

In an APT, attackers keep a long-term foothold on victim machines, operating the malware themselves to gather intelligence from their targets over time.

During its investigation, Kaspersky discovered six malicious Microsoft Word documents. Four of them installed the MacControl malware; the other two dropped a separate Mac-focused piece of malware known as SabPub.

A ‘more effective’ Mac attack

SabPub uses the same lure as MacControl to get users to open the malicious attachment: in both cases, spear-phishing emails were sent out themed around the Dalai Lama and the Tibetan community. But Kaspersky said “SabPub was more effective because it stayed undetected for more than 1.5 months.”

The SabPub malware is also using Java exploits to infect Mac OS X machines, just as the now-notorious Flashback Trojan did.

There are two variants of SabPub, both created in the past couple of months. Kaspersky found that a sample of one variant was uploaded to VirusTotal on 25 February from two US sources, and no antivirus engine detected it at the time. The more recent variant was created in March.

To analyse the threat and monitor what the attackers were doing, Kaspersky set up a deliberately infected decoy system. The Russian security firm found the attackers were manually operating the machine and pinching some of the documents Kaspersky had deliberately placed there.

“We are pretty confident the operation of the bot was done manually — which means a real attacker, who manually checks the infected machines and extracts data from them,” said Costin Raiu, director for the Kaspersky global research and analysis team, in a blog post. “We can therefore confirm SabPub as an APT in active stage.

“SabPub is still an active attack and we expect the attackers will release new variants of the bot … over the next days/weeks,” Raiu added.

Kaspersky’s findings again point to the vulnerability of Mac machines, which were once considered the safest computers around. Traditionally, hackers have targeted Windows systems much more than Apple computers, but the growth of Mac users has led to a shift in the landscape.

Flashback infected over 600,000 machines before Apple and the security community effectively killed off the threat last week.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.


  • These trojans spread very slowly and Apple normally has a signature for these in a day or two. I doubt it will get much traction.
