There’s a new version of a backdoor trojan in the wild for OS X which spreads via an exploit in Microsoft Word. The “LuckyCat” variant allows takeover by a remote user.
The latest variant of the attack known as “LuckyCat” was discovered and detailed by Costin Raiu, a Kaspersky Lab expert. He found that a dummy infected machine was taken over by a remote user who started analyzing the machine and even stole some documents from the Mac.
“We are pretty confident the operation of the bot was done manually — which means a real attacker, who manually checks the infected machines and extracts data from them,” said Raiu in a post on SecureList.
The new Mac-specific trojan, called “Backdoor.OSX.SabPub.a,” infects the targeted machine via a Java exploit. It then spreads through Microsoft Word documents exploiting a vulnerability known as “CVE-2009-0563.”
This new trojan stayed undetected for over a month and a half before it came alive and data was manually obtained from the infected computer.
There are at least two variants of the “SabPub” trojan, which is being classified as an “active attack”.