Java makes Apple pain: another trojan attack
Recently, the Russian anti-virus company Doctor Web found that the Flashback Mac Trojan had infected more than 600,000 systems, further quashing the myth that Apple's OS X is somehow immune to malware threats.
The Trojan exploited three Java vulnerabilities to gain remote access to the infected systems and likely included a keylogger capability to capture authentication credentials.
Now researchers at Kaspersky Lab have discovered another OS X backdoor that is delivered through a Java exploit. The Trojan, dubbed "SabPub", arrives via Java exploit code that has been run through an obfuscator in an attempt to evade antivirus detection.
"The Java exploits appear to be pretty standard, however, they have been obfuscated using ZelixKlassMaster, a flexible and quite powerful Java obfuscator. This was obviously done in order to avoid detection from anti-malware products," writes Kaspersky’s Costin Raiu.
Analysis leads Raiu to believe that the malware was designed for use in targeted attacks.
"This new threat is a custom OS X backdoor, which appears to have been designed for use in targeted attacks. After it is activated on an infected system, it connects to a remote website in typical C&C fashion to fetch instructions. The backdoor contains functionality to make screenshots of the user’s current session and execute commands on the infected machine," said Raiu.
SabPub, which may have been in the wild for about a month, is now known to connect to a command-and-control server hosted on a VPS in Fremont, California, reached through a hostname registered with the free dynamic DNS service "Onedumb.com".
"Onedumb.com is a free dynamic DNS service. Interestingly, the C&C at IP 199.192.152.* was used in other targeted attacks (known as "Luckycat") in the past," Raiu wrote.
"One other important detail is that the backdoor has been compiled with debug information - which makes its analysis quite easy. This can be an indicator that it is still under development and it is not the final version," he continued.
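The two network indicators given above, a hostname under the free dynamic DNS service onedumb.com and a C&C address in 199.192.152.*, are exactly what a defender would sweep proxy or DNS logs for. The script below is an added example, not part of the article or of Kaspersky's analysis: it matches those indicators against constructed proxy log lines (the four-field log format and the client addresses are assumptions). Because the article elides the last octet of the C&C address, the script treats the whole /24 as suspicious, so an IP hit is a lead to investigate rather than a verdict; the hostname check is label-aware so that look-alike names such as onedumb.com.example.net do not trigger.

```python
import ipaddress
import re
from typing import Dict, List

# Indicators from the Kaspersky write-up quoted in the article: a C&C
# hostname under the free dynamic DNS service onedumb.com, and an IP in
# 199.192.152.* (the last octet is elided on the page, so the whole /24
# is matched and every IP hit must be confirmed by hand).
IOC_DOMAIN_SUFFIXES = ("onedumb.com",)
IOC_NETWORKS = [ipaddress.ip_network("199.192.152.0/24")]

# Constructed sample proxy log (not real traffic). Assumed format:
# "<timestamp> <client_ip> <requested_host> <destination_ip>"
SAMPLE_LOG = """\
2012-04-13T09:10:01Z 10.0.0.12 www.example.com 93.184.216.34
2012-04-13T09:10:07Z 10.0.0.12 host-x.onedumb.com 199.192.152.17
2012-04-13T09:11:42Z 10.0.0.18 updates.apple.com 17.171.4.10
2012-04-13T09:12:03Z 10.0.0.25 onedumb.com.example.net 203.0.113.5
2012-04-13T09:13:55Z 10.0.0.25 cdn.example.org 199.192.152.200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<host>\S+)\s+(?P<dst>\S+)$")


def host_matches(host: str) -> bool:
    """True if host equals an IOC domain or is a subdomain of one.

    The comparison is done on whole DNS labels, so a name that merely
    contains "onedumb.com" in the middle does not match.
    """
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in IOC_DOMAIN_SUFFIXES)


def ip_matches(ip: str) -> bool:
    """True if the destination IP falls inside one of the IOC networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # not an IP literal, e.g. a hostname or '-'
    return any(addr in net for net in IOC_NETWORKS)


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return the log records that hit an indicator, with the reason(s)."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than crash
        rec = m.groupdict()
        reasons = []
        if host_matches(rec["host"]):
            reasons.append("dyn-dns host " + rec["host"])
        if ip_matches(rec["dst"]):
            reasons.append("C&C range " + rec["dst"])
        if reasons:
            rec["reason"] = "; ".join(reasons)
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h["ts"], h["client"], "->", h["host"], h["dst"], "|", h["reason"])
```

Run against the embedded sample, the script reports two records: the onedumb.com host that also resolves into the C&C /24, and a second client whose destination is elsewhere in that /24 and which therefore needs a manual look before being treated as infected.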
Early analysis has not determined the exact mechanism by which SabPub spreads, but researchers suspect that e-mails containing a malicious URL are the primary delivery method.
"At the moment, it is not clear how users get infected with this… Several reports exist which suggest the attack was launched through e-mails containing a URL pointing to two websites hosting the exploit, located in the US and Germany," Raiu explained.