New Sabpab Backdoor Variant Found

Posted on March 8th, 2013 by

Every now and again, we'll see new variants of popular malware families, especially when those families are commonly used in targeted attacks. Today's new variant is from the Sabpab family, which has previously been used to target Tibetan activists. This time it was found on VirusTotal as a Java archive that acts as a dropper. Once run, it creates a backdoor on the machine that connects to a remote site (www.coremail.info) to await commands.

The trojan creates a LaunchAgent in the affected user's Library folder so that it persists across reboots. It uses the same file name as previous variants:

  • com.apple.PubSabAgent.plist

It also copies itself inside the user's Preferences folder using the following file name:

  • com.apple.PubSabAgent.pfile
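
As an added example (not Intego's code or tooling), the following POSIX shell function checks a user's home directory for the two persistence artefacts named above. The file names come from the post; the assumption that the LaunchAgent lives in ~/Library/LaunchAgents and the payload copy in ~/Library/Preferences follows the standard per-user macOS layout. It also applies a heuristic that is this example's own: any per-user LaunchAgent whose program path points under Library/Preferences is flagged, since that folder holds settings rather than executables.

```shell
#!/bin/sh
# Added example: look for the Sabpab persistence artefacts described in the post.
# Usage: sabpab_check [HOME_DIR]   (defaults to the current user's $HOME)
# Prints each hit and returns 0 if anything was found, 1 if the home looks clean.
sabpab_check() {
    home="${1:-$HOME}"
    found=0

    # Exact artefacts from the post: the LaunchAgent plist and the payload copy.
    for f in \
        "$home/Library/LaunchAgents/com.apple.PubSabAgent.plist" \
        "$home/Library/Preferences/com.apple.PubSabAgent.pfile"
    do
        if [ -e "$f" ]; then
            echo "FOUND: $f"
            found=1
        fi
    done

    # Heuristic (an assumption about what a clean system looks like, not from
    # the post): a LaunchAgent that runs a program stored under Library/Preferences
    # is unusual enough to deserve a look, whatever label the plist carries.
    for plist in "$home"/Library/LaunchAgents/*.plist; do
        [ -f "$plist" ] || continue
        if grep -q "Library/Preferences/" "$plist" 2>/dev/null; then
            echo "SUSPICIOUS: $plist references a program under Library/Preferences"
            found=1
        fi
    done

    [ "$found" -eq 1 ]
}

# Run against the current user when executed directly.
sabpab_check "$@" || echo "No Sabpab artefacts found."
```

Because the function only uses `[ -e ]` and `grep` on XML plists, it will miss a binary plist; converting with `plutil -convert xml1` before grepping would close that gap on a real Mac.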

One notable piece of behavior is that this backdoor trojan will take screenshots and post them, encrypted, on Microsoft's public developer network forums.

This new variant is detected with existing virus definitions. Intego VirusBarrier users with up-to-date virus definitions will detect and remove the SabPab backdoor.

  • macgig

    I've used Macs 23 years online. Never had a virus or spyware yet. Either I'm very lucky or this is not a major problem for Macs.

    • LysaMyers

      It’s a growing problem – there’s always a chance that a Mac user (or even a Windows user) can “be lucky” and dodge malware for a time, but it’s an increasingly risky idea as the number of malware events continues to increase. Given the amount of time and difficulty it takes to fix problems after the fact (both on the affected computer and from any data theft that occurs), it’s better to be safe than sorry.
