Attackers Targeting Mac Users With Another OS X Trojan, SabPub


Security researchers have identified another OS X Trojan that exploits the same Java vulnerability attackers recently used to build a botnet of more than 600,000 infected Macs.

The new Trojan, called SabPub, is a "custom OS X backdoor" that miscreants appear to have built in order to carry out targeted attacks, and there is evidence to suggest that they may be targeting pro-Tibetan activists, Costin Raiu, director of research and development at Kaspersky Lab, said in a Saturday blog post.

Like Flashback, SabPub is a drive-by infection: it requires no user interaction and installs itself when the user simply visits a compromised webpage, with the Java vulnerability serving as the entry point.

Once installed, SabPub connects to its command-and-control servers, giving the attackers a remote channel through which to harvest data from the machine, Raiu said in the blog post.

On Sunday, the attackers connected to one of Kaspersky Lab's deliberately infected SabPub test machines and exfiltrated some of the dummy files planted on it. According to Raiu, that behaviour points to an active, human-operated intrusion of the kind associated with an Advanced Persistent Threat, rather than an automated bot.

"We are pretty confident the operation of the bot was done manually -- which means a real attacker, who manually checks the infected machines and extracts data from them," Raiu said in a Sunday blog post.

Kaspersky also identified a second SabPub variant that appears either to have been extracted from a Word document or to have been distributed as a .doc file itself, Raiu said in the blog post.

Apple issued a patch for the Java vulnerability on April 4, but security researchers criticized the company for its slow response: the issue had been brought to its attention in February.

Attackers used the Flashback malware to build a worldwide botnet of some 670,000 infected machines. That figure has dropped considerably since Thursday, however, when Apple released an update for Mac OS X v10.7 and v10.6 that removes the most common Flashback variants.

Apple has also been working with Internet service providers to take down the command-and-control servers associated with the Flashback malware.