UPDATED 10:18 EDT / APRIL 18 2012


Flashback Malware Mac Attacks Linked to Luckycat Hacker Campaign

Earlier this month, it was reported that a piece of malware is infecting Mac OS X machines. The malware was identified as BackDoor.Flashback.39, a Trojan that exploits unpatched JavaScript vulnerabilities (CVE-2011-3544, CVE-2008-5353 and CVE-2012-0507) in Mac OS. More than 600,000 Macs were said to be infected by the persistent malware.

Apple released two security updates to resolve the issue and is working on an antidote that would eliminate the threat as well as hunt down the Trojan's author, but pundits aren't happy with how Apple is handling the situation. They want Apple to work faster, resolve the issue and make sure that nothing like this happens again. But the threat is persistent, and here's why: there's a new piece of malware in town.

SabPub

Security experts recently identified a new breed of backdoor Trojan, Backdoor.OSX.SabPub.a, which Kaspersky Lab expert Costin Raiu recently proved is linked to Luckycat, a campaign that targeted organizations in aerospace, energy, engineering, shipping and military research, as well as Tibetan activists.

Aside from the fact that both are backdoor Trojans, what links the two is the command-and-control (C&C) server in the IP range 199.192.152.* that both of them use.

As is typical procedure when a threat is identified, security experts set up a decoy system and infect it with the malware so they can observe how it behaves. The first two days of observation were uneventful, but the third day gave them quite a surprise.

“On the morning of Sunday April 15, the traffic generated by the C&C changed,” Raiu explains. “The attackers took over the connection and started analysing our fake victim machine. They listed the contents of the root and home folders and even stole some of the goat documents we put in there!”

Raiu is confident in the conclusion that behind SabPub is a live attacker who manually inspects the infected machines and extracts data from them.

“It connects to a control server using HTTP, receiving commands from remote hackers as to what it should do,” Sophos Senior Technology Consultant Graham Cluley noted. “The criminals behind the attack can grab screenshots from infected Macs, upload and download files, and execute commands remotely.”

It is believed that SabPub was created back in February of this year and spread through spear-phishing. It was also reported that a second version of SabPub was found and is believed to have been created in March. This is the variant that uses the Java exploits to wreak havoc on Macs. Experts believe that more SabPub variants exist that have not yet been found, or will be released in the future.

Raiu also stated in one of his earlier posts that the attacks weren't quickly identified because they used ZelixKlassMaster, a flexible and quite powerful Java obfuscator, to hide the malicious code.
