
Another Mac APT Attack Spotted

A rare Apple Mac-focused Advanced Persistent Threat (APT) has been spotted by security firm Kaspersky, just days after security companies and the iPhone maker started to succeed in tackling the Flashback malware.

The Russian firm discovered the new APT while analysing an older one, known as LuckyCat, which was using the MacControl malware.

In an APT, attackers aim to gather intelligence from their targets continually over a long period, maintaining and controlling malware on victim machines to do so.

During its investigations, Kaspersky discovered six malicious Microsoft Word documents, four of which were installing the MacControl malware. The other two were dropping a Mac-focused bit of malicious software known as SabPub.

A ‘more effective’ Mac attack

SabPub has used the same trick as MacControl to dupe users into downloading it. In both cases spear phishing emails have been sent out to users, focusing on the Dalai Lama and the Tibetan community. But Kaspersky said “SabPub was more effective because it stayed undetected for more than 1.5 months.”

The SabPub malware is also using Java exploits to infect Mac OS X machines, just as the now-notorious Flashback Trojan did.

There are two variants of SabPub, both of which were created in the past couple of months. Kaspersky found a sample of one variant was uploaded to VirusTotal on 25 February from two US sources, with zero detections found. The most recent variant was created in March.

To analyse the threat and monitor what the attackers were doing, Kaspersky set up a fake infected system. The Russian security firm found the attackers were manually going inside the machine, pinching some of the documents Kaspersky had deliberately placed there.

“We are pretty confident the operation of the bot was done manually — which means a real attacker, who manually checks the infected machines and extracts data from them,” said Costin Raiu, director for the Kaspersky global research and analysis team, in a blog post. “We can therefore confirm SabPub as an APT in active stage.

“SabPub is still an active attack and we expect the attackers will release new variants of the bot … over the next days/weeks,” Raiu added.

Kaspersky’s findings again point to the vulnerability of Mac machines, which were once considered the safest computers around. Traditionally, hackers have targeted Windows systems much more than Apple computers, but the growth of Mac users has led to a shift in the landscape.

Flashback infected over 600,000 machines until Apple and the security community effectively killed off the threat last week.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Comments

  • These trojans spread very slowly and Apple normally has a signature for these in a day or two. I doubt it will get much traction.
