New Mac malware uses Flashback Java exploit

Apple’s decision to push out a Flashback malware removal tool for OS X Lion bundled with a new Java security update has proven to be rather fortunate, as a new Mac OS X threat has been discovered taking advantage of the vulnerability (CVE-2012-0507) exploited by the latest Flashback variants.

The security update in question configures the Java web plug-in to disable the automatic execution of Java applets in browsers, a move that should prevent users from inadvertently falling victim to similar drive-by malware attacks in the future.

In the meantime, those who haven’t installed the update are at risk of getting their machines compromised by a newly detected backdoor Trojan that Kaspersky Lab researchers dubbed SabPub.

“This new threat is a custom OS X backdoor, which appears to have been designed for use in targeted attacks,” shared Costin Raiu. “After it is activated on an infected system, it connects to a remote website in typical C&C fashion to fetch instructions. The backdoor contains functionality to make screenshots of the user’s current session and execute commands on the infected machine.”

Initial results of the available sample have revealed that the C&C domain the malware contacts was previously used in the “LuckyCat” targeted attacks apparently originating from China and directed at Indian and Japanese targets.

In order to dig deeper in the matter and hopefully discover more about the individuals behind the malware, the researchers infected a machine and let it contact the C&C.

“For the entire day, the traffic was just basic handshakes and exchanges, nothing more,” Raiu shared. On the morning of Sunday April 15, the traffic generated by the C&C changed. The attackers took over the connection and started analyzing our fake victim machine. They listed the contents of the root and home folders and even stole some of the goat documents we put in there!”

They also believe that the search and the exfiltration of the data was performed by an actual human attacker.

While analyzing the SabPub malware variant they had on their hands, they received another – one that differs ever so slightly from the previous one and seems to have been created earlier.

Tracing its origin by the MD5, the discovered that the variant was uploaded for testing to VirusTotal on February 25, 2012 from two sources in the US, and that at the time all the AV solutions VirusTotal uses failed to detect it as malware.

The name of the file was in both cases “10th March Statemnet”, which the researchers believe to be a boobytrapped Word document supposedly containing the the Dalai-Lama’s statement related to Anniversary of the Tibetan People’s National Uprising Day on March 10, 2011.

“We think the above facts show a direct connection between the SabPub and Luckycat APT attacks. We are pretty sure the SabPub backdoor was created as far back as February 2012 and was distributed via spear-phishing emails,” says Raiu, and adds that the APT behind SabPub is clearly still active.