SabPub Mac Trojan in the wild, says Kaspersky

Written by Tom Espiner, Contributor

Hackers have targeted Apple users with a fresh Mac OS X Trojan, weeks after Apple released two OS X updates to combat the Flashback Trojan.

The SabPub Trojan is being controlled from a website hosted in Fremont, California, security company Kaspersky said in a blog post on Saturday.

"This new threat is a custom OS X backdoor, which appears to have been designed for use in targeted attacks," said Kaspersky researcher Costin Raiu. "The backdoor contains functionality to make screenshots of the user’s current session and execute commands on the infected machine."

SabPub uses Java to drop executables that exploit the CVE-2012-0507 flaw patched by Oracle in February. The exploits have been obfuscated using the Zelix KlassMaster tool to avoid antivirus detection.

The malware may have been used in targeted attacks against pro-Tibetan organisations, Raiu said in a separate blog post on Sunday.

Tibetan activists are the subject of more attacks than the US government, security company FireEye said in a blog post on Friday.

During the course of an investigation into hacks of pro-Tibetan organisations, FireEye researcher Alex Lanstein sent emails to a number of activists. The email was intercepted, probably from a compromised system, and used in spear-phishing attacks against different pro-Tibetan groups.

The phishing attacks exploited "an older PDF vulnerability", and were written using a Chinese language keyboard, said Lanstein.

Relations between China and Western governments over cyber-operations have been less than smooth for a number of years.

China regards the US and UK as legitimate targets for cyberattack, but has been involved in wargames with the US in a bid to prevent military escalation, according to a Guardian article on Monday.
