APTs refer to cyber-espionage campaigns: a series of attempts, some failed and some successful, to compromise specific targets' networks over time. The goal of an APT is to establish a persistent, covert presence in the target's network so that information can be extracted whenever the attackers need it.
Socially engineered emails that lure a target into opening a malicious attachment are the usual initial attack vector. Once inside, the operators behind an APT campaign download a variety of "second-stage" malware, usually Remote Access Trojans (RATs), and seek to steal credentials (for example, legitimate VPN accounts) that let them maintain access without relying on malware at all.
APT attacks continue to adapt to the changing network landscapes of their targets. Earlier this year, Trend Micro documented the operation of a campaign known as "Luckycat," which used a range of malicious software to compromise its targets' networks, including several second-stage malware families that gave the attackers additional footholds in compromised networks.
During a recent investigation of a Luckycat C&C server, we found malware for the Android, Mac OS X, and Windows platforms. The Mac OS X malware, known as "SabPub," had previously been discovered and linked to the Luckycat campaign. SabPub was delivered both via malicious Word documents that exploit CVE-2009-0563 and via a Java vulnerability, CVE-2012-0507. On this Luckycat C&C server, we found that SabPub is still being distributed via a Java exploit.
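When a staging or C&C server turns out to hold payloads for several platforms, the first triage step is sorting the dropped files by what they actually are, regardless of their file names. The following script is an added example (it is not Trend Micro's code and not a Luckycat artifact): it labels blobs by header magic, handling Windows PE, Mach-O (including the ambiguity between a Mach-O fat binary and a Java class file, which share the 0xCAFEBABE magic), Android APKs and Java JARs inside ZIP containers, and the OLE compound-document format used by legacy Word attachments. The sample inputs at the bottom are constructed in-memory stubs, and the 0xCAFEBABE threshold is a heuristic assumption noted in the comments.

```python
"""File-type triage of dropped payloads by magic bytes (added example)."""
import io
import struct
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce": "macos-macho32",
    b"\xce\xfa\xed\xfe": "macos-macho32",
    b"\xfe\xed\xfa\xcf": "macos-macho64",
    b"\xcf\xfa\xed\xfe": "macos-macho64",
}


def _classify_zip(data: bytes) -> str:
    """Distinguish APK / JAR / plain ZIP by the entries inside the archive."""
    try:
        names = set(zipfile.ZipFile(io.BytesIO(data)).namelist())
    except zipfile.BadZipFile:
        return "zip-corrupt"
    if "AndroidManifest.xml" in names and "classes.dex" in names:
        return "android-apk"
    if "META-INF/MANIFEST.MF" in names and any(n.endswith(".class") for n in names):
        return "java-jar"
    return "zip-archive"


def identify(data: bytes) -> str:
    """Return a platform label for a blob based on its header bytes."""
    if data[:2] == b"MZ":
        # PE: e_lfanew at offset 0x3C points at the "PE\0\0" signature.
        if len(data) >= 0x40:
            e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
            if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
                return "windows-pe"
        return "dos-mz"
    if data[:4] in MACHO_MAGICS:
        return MACHO_MAGICS[data[:4]]
    if data[:4] == b"\xca\xfe\xba\xbe":
        # 0xCAFEBABE is shared by Java class files and Mach-O fat binaries.
        # In a fat header the next u32 is nfat_arch (a handful of entries);
        # in a class file it is minor<<16 | major, and major is >= 45 for
        # every JDK since 1.1. Threshold of 45 is a heuristic assumption.
        if len(data) < 8:
            return "unknown"
        next_word = struct.unpack_from(">I", data, 4)[0]
        return "java-class" if next_word >= 45 else "macos-fat"
    if data[:4] == b"PK\x03\x04":
        return _classify_zip(data)
    if data[:8] == OLE_MAGIC:
        return "ole-compound-document"
    return "unknown"


def triage(samples: dict) -> dict:
    """Map each sample name to its platform label."""
    return {name: identify(blob) for name, blob in samples.items()}


def _zip_with(names):
    """Build a small in-memory ZIP containing the given entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n in names:
            z.writestr(n, b"stub")
    return buf.getvalue()


def build_samples() -> dict:
    """Constructed stand-ins for files pulled from a staging server (not real malware)."""
    pe = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 20
    return {
        "update.exe": pe,
        "helper.bin": b"\xfe\xed\xfa\xcf" + b"\0" * 28,             # Mach-O 64-bit
        "universal.bin": b"\xca\xfe\xba\xbe" + struct.pack(">I", 2),  # fat, 2 archs
        "Loader.class": b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, 50),  # Java 6
        "payload.apk": _zip_with(["AndroidManifest.xml", "classes.dex"]),
        "loader.jar": _zip_with(["META-INF/MANIFEST.MF", "Loader.class"]),
        "invite.doc": OLE_MAGIC + b"\0" * 504,
        "notes.txt": b"just text",
    }


if __name__ == "__main__":
    for name, label in triage(build_samples()).items():
        print(f"{name:16s} {label}")
```

Running the script prints one label per constructed sample. In practice you would feed it the raw bytes of every file recovered from the server; the labels are a starting point for routing samples to the right sandbox or analyst, not a verdict on maliciousness.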