Want To Keep Your Mac Clean? Don’t Use Word And Be A Known Tibetan Sympathizer
April 17, 2012

Want To Keep Your Mac Clean? Don’t Use Word And Be A Known Tibetan Sympathizer

Michael Harper for RedOrbit.com

Computer security agency Securelist has discovered yet another trojan targeting Macs.

Like the Flashback Trojan that made headlines last week, the new malware is also spread through Java exploits. Apple released 2 Java updates for Mac users last week, but the new malware, known as “Backdoor.OSX.SabPub” seems to spread despite the new patches. The new SabPub malware seems to be infected and be passed through Microsoft Office files and may even target Tibet sympathizers.

In order to track and monitor this new trojan, Securelist watched a “fake” infected system, a procedure they say is typical for when they look for Advanced Persistent Threat (APT) bots. This weekend, APT controllers took control of their fake machine and began to explore it.

The ports on the fake machine were closed on Friday, but then opened on Saturday. According to Securelist, “Saturday, the port was opened and bot started communicating with the C&C server. For the entire day, the traffic was just basic handshakes and exchanges, nothing more.”

Then on Sunday, the attackers behind the APT bot began to take over the machine and analyze its contents. It even stole a few documents placed there by Securelist.

The team believes these attacks were done manually by a real attacker who checks machines for data.

As they were watching the SabPub attack, they noticed another backdoor which had been created earlier. This new backdoor uses a Microsoft Office vulnerability and can infect both Windows and Mac users.

The attackers use spear-phishing to spread the virus. Spear-phishing is a practice wherein an attacker will target a smaller group of people rather than sending out thousands of random emails in hopes to catch a few victims. The attacker will choose close groups of people: co-workers, students in the same college or shoppers at the same online retailer. The attacker will then send out emails appearing to be from a common person or entity, making the attack all the more deceptive.

The attackers behind the new malware sent emails out to possible Tibetan sympathizers containing a malicious document titled “10thMarch Statemnet,” complete with typo and no extension. According to PCMag, “March 10, 2011, refers to the day the Dalai Lama delivered his annual speech observing the Tibetan Uprising of 1959.”

This word document was created in August of 2010, but was updated in February 2011 to include SabPub. Other experts say this kind of maneuver is normal for other APTs.

The malware can also spread through a Java vulnerability, much like the now popular Flashback. Once the backdoor Trojan is downloaded, the infected computer is then connected to a “command-and-control” center via HTTP. The botnet can then take screenshots, upload and download files, and even remotely execute commands.

SabPub leaves behind some evidence once it´s infected a computer. The files left behind are:



This isn´t the only recent trojan meant to attack Tibet Sympathizers. Late in March, security vendors found a OSX Trojan called “Tibet.C,” which also exploited word to spy on computers. This trojan is believed to originate with the GhostNet group of Chinese cyber spies.