SabPub is a “custom OS X backdoor” application that gives attackers access to an infected Mac. It was first detected in the wild in April in China, according to Kaspersky researcher Costin Raiu.
“After it is activated on an infected system, it connects to a remote website in typical C&C [command and control] fashion to fetch instructions. The backdoor contains functionality to make screenshots of the user’s current session and execute commands on the infected machine”, Raiu explained in a blog.
From there, SabPub runs instructions to download other malicious components that can be used to log keystrokes and enroll the infected host in a botnet. Raiu said that clues in the malware suggest that it is still under development.
“At the moment, it is not clear how users get infected with this, but the low number and it’s backdoor functionality indicates that it is most likely used in targeted attacks. Several reports exist which suggest the attack was launched through e-mails containing an URL pointing to two websites hosting the exploit, located in US and Germany”, he wrote.
In a subsequent blog, Raiu explained that researchers found evidence that the SabPub was connected with an advanced persistent threat (APT) known as LuckyCat. Researchers discovered over the weekend that an APT attacker took over a “fake” Mac infected with the SabPub backdoor Trojan that Kaspersky researchers had set up.