Saturday, April 14, 2012

SabPub Mac OS X Backdoor: Java Exploits, Targeted Attacks and Possible APT link

Via (Kaspersky) -

We can confirm yet another Mac malware in the wild - Backdoor.OSX.SabPub.a being spread through Java exploits.

This new threat is a custom OS X backdoor, which appears to have been designed for use in targeted attacks. After it is activated on an infected system, it connects to a remote website in typical C&C fashion to fetch instructions. The backdoor contains functionality to make screenshots of the user’s current session and execute commands on the infected machine.

The remote C&C website - rt*** is hosted on a VPS located in the U.S, Fremont, CA.

“” is a free dynamic DNS service. Interesting, the C&C at IP 199.192.152.* was used in other targeted attacks (known as “Luckycat”) in the past.


The Java exploits appear to be pretty standard, however, they have been obfuscated using ZelixKlassMaster, a flexible and quite powerful Java obfuscator. This was obviously done in order to avoid detection from anti-malware products.

At the moment, it is not clear how users get infected with this, but the low number and it’s backdoor functionality indicates that it is most likely used in targeted attacks. Several reports exist which suggest the attack was launched through e-mails containing an URL pointing to two websites hosting the exploit, located in US and Germany.

The timing of the discovery of this backdoor is interesting because in March, several reports pointed to Pro-Tibetan targeted attacks against Mac OS X users. The malware does not appear to be similar to the one used in these attacks, though it is possible that it was part of the same or other similar campaigns.

One other important detail is that the backdoor has been compiled with debug information - which makes its analysis quite easy. This can be an indicator that it is still under development and it is not the final version.


Kaspersky redacted part of the C2 info, but Symantec did not...

Symantec - OSX.Sabpab
Next, the Trojan connects to the following location and opens a back door on the compromised computer: hxxp://

No comments:

Post a Comment