There are two variants of the Sabpab Trojan targeting Macs, according to security specialists. We reported earlier this week that Sabpab was targeting Macs using the same Java vulnerability that was used by the Flashback Trojan. Now the recently discovered Sabpab Trojan malware, is said to be targeting Macs using compromised Word documents, with the earliest version dating back to February 2012. There are concerns that Mac users who think that they are protected because they have updated Java with Apple's latest security update, are not safe from the latest vulnerability.
Kaspersky's Costin Raiu writes in the Securelist blog that: "At least two variants of the SabPub bot exist today". He adds that "The earliest version of the bot appears to have been created and used in February 2012. The malware is being spread through Word documents that exploit the CVE-2009-0563 vulnerability." He notes that "SabPub stayed undetected for more than 1.5 months." (More below)
Graham Cluley warns that: "Unlike the earlier sightings of Sabpab, there is nothing about this attack which relates to the Java vulnerability exploited by the Flashback botnet." Cluley wrote in his blog that: "Rather than relying upon a Java vulnerability - it appears to be exploiting malformed Word documents instead."
Cluley's concern is that: "Any Mac users who believe that they have protected themselves because they don't use Java probably needs to realise that that's not an effective defence".
It was previously thought that Sabpab used the same vulnerability in the OS X's Java plug-in to infect Macs. Sophos had earlier warned that just like Flashback - all that needs to happen is for you to visit an infected webpage. It had been thought that if you have updated Java on your Mac then you would be protected from the new threat, and most Mac anti-virus software will protect against Sabpab as well. This is not the case.
The Trojan works as follows, according to Cluley: "If you open the boobytrapped Word document on a vulnerable Mac, a version of the OSX/Sabpab Trojan horse gets installed on your computer opening a backdoor for remote hackers to steal information or install further code." He adds that: "Mac users may be caught out by the attack, as there is no prompt to enter your username or password when the malicious software installs itself onto your Mac."
Sophos anti-virus products will detect the Word documents as Troj/DocOSXDr-A, and protection against OSX/Sabpab-A has been updated to detect this variant also, Cluley notes, suggesting that Mac users install security software.
This Word exploit is nothing new. Cluley points to an earlier blog about another Mac malware, identified by AlienVault back in March. In that case the Trojan was hidden in a booby trapped Word document and relied upon a critical security vulnerability discovered in Microsoft Word back in 2009, which allowed remote code execution.
Cluley states that those earlier attacks exploited a known security vulnerability in Word, and: "Now the same technique is being used by cybercriminals to spread OSX/Sabpab." "In both incidents, the Word document displayed appears to relate to Tibet," he adds.
Kaspersky's Costin Raiu has also notes that the name of the file (“10th March Statemnet”) is directly linked with the Dalai-Lama and Tibetan community."
Raiu points to a "direct connection between the SabPub and Luckycat APT attacks". "We are pretty sure the SabPub backdoor was created as far back as February 2012 and was distributed via spear-phishing emails." Raiu describes the APT attack known as LuckyCat was difficult to track down. “One of the biggest mysteries is the infection vector of these attacks. Given the highly targeted nature of the attack, there are very few traces.”
However, "SabPub was the more effective attack because it remained undetected for almost two months!" Raiu says.
The second variant of SabPub was created in March and the attackers are using Java exploits to infect target Mac OS X machines, according to Raiu.
The Flashback Trojan outbreak hit 600,000 or more Macs at its height.