New Backdoor Proves to Be an Advanced Persistent Threat for Mac Users

The notorious Flashfake Trojan that helped to create a botnet of 700k+ Mac computers may be the most prominent example of vulnerabilities in a Mac OS X environment, but it is certainly not alone. Kaspersky Lab’s researchers have discovered another malicious program that targets Apple computers, which has subsequently been confirmed as an Advanced Persistent Threat. Unlike the Flashfake Trojan, which has uncovered the theoretical dangers of an unprotected Mac OS X environment, the new malware known as Backdoor.OSX.SabPub.a is a real example of how a vulnerable Apple computer could be fully controlled by cybercriminals.

The new backdoor was spotted in the wild in early April 2012. Similar to Flashfake, it used certain vulnerabilities in Java Virtual Machine. The number of users infected with this malware is relatively low, which also suggests this backdoor is used in targeted attacks. After activation on an infected system, it connects to a remote website for instructions. The command and control server was hosted in the US, and used a free dynamic DNS service to route the infected computers’ requests.

Subsequent events confirmed the initial theory that SabPub was part of a targeted attack. Kaspersky Lab’s experts set up a fake victim machine, infected by the backdoor, and on 15 April discovered some unusual activity. The attackers seized control of the infected system and started analyzing it. They sent commands to view the contents of root and home folders and even downloaded some of the fake documents stored in the system. This analysis was most likely performed manually, and not using some automated system, which is unlikely in the widespread “mass-market” malware. Therefore, it can be confirmed that this backdoor is an example of an Advanced Persistent Threat in active use.

During the analysis of the backdoor, more details were uncovered about the infection vector of a targeted attack. Kaspersky Lab’s researchers have found six Microsoft Word documents, all of them containing the exploit. Two of them drop the SabPub payload. The attempt to open another four documents on a vulnerable system leads to infection with another Mac-specific malware. The contents of one of the SabPub-related documents contained direct references to the Tibetan community. Meanwhile, the obvious connection between SabPub and another targeted attack for Windows-based machines known as LuckyCat points to diverse and widespread criminal activity with the same origin.

Alexander Gostev, Chief Security Expert at Kaspersky Lab, commented: “The SabPub backdoor once again reveals that not a single software environment is invulnerable. The relatively low number of malware for Mac OS X does not mean better protection. The most recent incidents like Flashfake and SabPub indicate that the personal data of unprotected Mac users is also at risk, either because cybercriminals understand the rising market share of such machines, or because they are hired for the direct task of attacking Apple computers.”

The Backdoor.OSX.SabPub.a malware, along with the relevant exploits, is detected and remediated by Kaspersky Anti-Virus 2011 for Mac. More details about this Backdoor are available in the initial report and follow-up analysis at Securelist.com.