New version of Sabpab Mac Trojan emerges, spread via Word documents

A new version of the Mac OS X Sabpab Trojan horse has come to light, and rather than relying upon a Java vulnerability, it appears to be exploiting malformed Word documents instead.

If you open the boobytrapped Word document on a vulnerable Mac, a version of the OSX/Sabpab Trojan horse gets installed on your computer, opening a backdoor for remote hackers to steal information or install further code.

As a decoy, a Word document is dumped onto your drive and displayed – effectively acting as a camouflage for the Trojan’s true intentions:

Word document displayed as decoy

Mac users may be caught out by the attack, as there is no prompt to enter your username or password when the malicious software installs itself onto your Mac.

Sophos anti-virus products already proactively detected the boobytrapped Word documents as Troj/DocOSXDr-A, and protection against OSX/Sabpab-A has been updated to detect this variant also.

This technique of infecting Mac users is not new. At the end of last month, warnings were issued about a new Mac malware attack that embedded itself inside boobytrapped Word documents.

Those attacks exploited a known security vulnerability (MS09-027) in Word, which allows hackers to remotely execute code on your computer without your knowledge.

Now the same technique is being used by cybercriminals to spread OSX/Sabpab.

In both incidents, the Word document displayed appears to relate to Tibet.

Unlike the earlier sightings of Sabpab, there is nothing about this attack which relates to the Java vulnerability exploited by the Flashback botnet.

So, any Mac users who believe that they have protected themselves because they don’t use Java probably need to realise that that’s not an effective defence.

And although there’s no reason to believe that this attack is widespread, it’s clearly time for some people to wake up to the reality of Mac malware.

Mac users – please get an anti-virus, for goodness sake. If you don’t want to pay for one, there is free anti-virus for Mac home users available for download.

Of course, it would also be sensible to update your installation of Microsoft Word – as a patch has been available for the vulnerability being exploited here since 2009. To make sure that your Office for Mac is patched, open up any program from the Office suite, and choose the “Check for updates” option from the Help menu.

You can find out more about the threat in Costin Raiu’s post on the Kaspersky blog.



Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
