Another Mac APT Attack Spotted

A rare Apple Mac-focused Advanced Persistent Threat (APT) has been spotted by security firm Kaspersky, just days after security companies and the iPhone maker started to succeed in tackling the Flashback malware.

The Russian firm discovered the new APT in analysing an old one, known as LuckyCat. The latter APT was using the MacControl malware.

In an APT, cyber criminals try to gather continual intelligence from their targets, maintaining and managing malware on victim machines over a long period.

During its investigations, Kaspersky discovered six malicious Microsoft Word documents, four of which were installing the MacControl malware. The other two were dropping a Mac-focused bit of malicious software known as SabPub.

A ‘more effective’ Mac attack

SabPub has used the same trick as MacControl to dupe users into downloading. In both cases spear phishing emails have been sent out to users, focusing on the Dalai Lama and the Tibetan community. But Kaspersky said “SabPub was more effective because it stayed undetected for more than 1.5 months.”

The SabPub malware is also using Java exploits to infect Mac OS X machines, just as the now-notorious Flashback Trojan did.

There are two variants of SabPub, both of which were created in the past couple of months. Kaspersky found a sample of one variant was uploaded to VirusTotal on 25 February from two US sources, with zero detections found. The most recent variant was created in March.

To analyse the threat and monitor what the attackers were doing, Kaspersky set up a fake infected system. The Russian security firm found the attackers were manually going inside the machine, pinching some of the documents Kaspersky had deliberately placed there.

“We are pretty confident the operation of the bot was done manually — which means a real attacker, who manually checks the infected machines and extracts data from them,” said Costin Raiu, director for the Kaspersky global research and analysis team, in a blog post. “We can therefore confirm SabPub as an APT in active stage.

“SabPub is still an active attack and we expect the attackers will release new variants of the bot … over the next days/weeks,” Raiu added.

Kaspersky’s findings again point to the vulnerability of Mac machines, which were once considered the safest computers around. Traditionally, hackers have targeted Windows systems much more than Apple computers, but the growth of Mac users has led to a shift in the landscape.

Flashback infected over 600,000 machines until Apple and the security community effectively killed off the threat last week.

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

View Comments

  • These trojans spread very slowly and Apple normally has a signature for these in a day or two. I doubt it will get much traction.
