Mac ‘LuckyCat’ trojan variant spreads via Microsoft Word documents

“A new version of a backdoor trojan for Apple’s OS X operating system takes advantage of an exploit in Microsoft Word to spread,” Sam Oliver reports for AppleInsider.

“The latest variant of the attack known as ‘LuckyCat’ was discovered and detailed by Costin Raiu, Kaspersky Lab expert,” Oliver reports. “He found that a dummy infected machine was taken over by a remote user who started analyzing the machine and even stole some documents from the Mac.”

Oliver reports, “The new Mac-specific trojan, named ‘Backdoor.OSX.SabPub.a,’ uses a Java exploit to infect targeted machines. It spreads through Microsoft Word documents that exploit a vulnerability known as ‘CVE-2009-0563.’”

Read more in the full article here.

Comments

  1. Who the fk needs Flash? Serves all you idiots right for allowing this stupid shit to run on your computer. Same goes for Word documents; that’s why we have Pages.

  2. I think it is important to note that the 2 primary methods of attacking a Mac are:

    1. Social Engineering – essentially hacking the user.
    2. Weaknesses in 3rd party products. – especially any product that can accept and execute any kind of code.

    Actual OS X viruses, worms, trojans, etc. are unicorns. They exist in the imaginations of security software vendors who must by definition sell FUD.

    Anyone who says the Mac is no more safe than Windows isn’t reading the daily threat blogs and has not heard of things like TDL-4. Also, anyone who maintains that the Mac is only more secure due to obscurity is unaware of how much a functioning Mac botnet is worth in the underworld. They must also acknowledge the counter-argument, i.e., that Windows machines are inherently less secure due to sheer numbers.

    Nonetheless, it would be foolish to implement any security policies and practices not equal to those you would implement in a comparable Windows environment. It won’t kill ya to be cautious.

    1. It’s also important to note how trivially easy it is to remove this crap once discovered. It’s not like Windows where software can bury itself deep in the registry, where it takes something akin to an exorcism to get rid of it.

      ——RM

      1. I remember when MS first introduced the Registry. A colleague was trying to explain how wonderful it was, and I kept asking why not individual config files, which is what Apple would go on to do with .plist files in OS X.

  3. I’m not an apologist, but ultimately, for me, even if Apple ends up being no more secure than any other system, and it was all “security through obscurity” I’ve still had many, many years without all the hassles that go with Windows.

  4. That’s an easy one… don’t use Microsoft Office for Mac unless absolutely necessary and use LibreOffice OR iWork instead and steer clear of *.doc where applicable!

  5. So, are they saying that the Java holes that were just plugged for the Flashback thing don’t apply? Or would you only be vulnerable IF you didn’t apply the recent upgrade plugs? Can someone clarify?

    Apple needs to have a talk with the Java people. I bet Steve would have been on the horn ASAP.

  6. Before we all start panicking, has anyone taken the time to follow the links, and read the vulnerability info?

    It appears to be the case that:

    1. The Word vulnerability they are referring to is from three years ago, and applies to older versions for both Windows and Mac, including Word 2004 and 2008. No mention of Word 2011.

    2. There doesn’t seem to be any mention of the recent Java fixes being applied to the Kaspersky test system that is infected. Seems like an important piece of information to have.

    Unless there is more info somewhere, this could be another case of an AV company trying to make headlines, rather than a very serious problem. Too bad we don’t have enough information to actually determine that.

    1. You seem to infer that Mac users should just keep current with Office versions (and pay up in the mean time).

      IMHO many new Mac users no longer have Office on their machines. If they do, it is because they got tricked into it by incompetent salespeople.
      Mac users who have upgraded Mac OS X with each new version may still have an old version installed. For example, our only copy of Office runs on my wife’s 2002 iMac. Sometimes Word starts up unintentionally, but we don’t actually use it. It could just as well be deleted altogether.

      1. Not at all. I was simply pointing out that there isn’t much useful information available about this. Do we know that MSFT hasn’t patched Word 2004 or 2008? Do we know that this attack isn’t blocked by the latest Java update? I have yet to find any evidence one way or another. This whole thing came from some “security researcher’s blog” on the Kaspersky web site. Some technical information there, but not enough for anyone to be able to determine how serious this threat really is.

        That was my point.

        To your point, if you stay on down rev software long enough, you aren’t going to be able to get security fixes for it. That’s just reality. I don’t see how that’s going to change.

  7. I just finished listening to the Pauldotcom.com Security Weekly episode 283 podcast with Paul Asadoorian, Larry Pesce, and Carlos Peres. Paul and Larry are corporate pentesters, with Paul also being the Tenable Security evangelist and Carlos being the lead researcher of post-exploitation for Tenable Security, the company that brings you the Nessus vulnerability scanner.

    These guys were talking over the Mac and the current malware hitting OS X, and all three agree it is time to run AV on a Mac. They were just laughing at how all the Mac fanboys discount using AV even after this new large hit on OS X and the malware that will obviously be coming to OS X in the future.

    1. So I did some more digging, and the article this links to describes their experiments with a Mac that apparently doesn’t have the latest Java patches, and refers to a Word vulnerability that was patched back in 2009. Of course, the author didn’t point that out, because in the anti-Malware business, you don’t do yourself any favors by pointing out that if your software is up-to-date, the “huge problem” isn’t really a huge problem.

      OS X does have a built-in anti-malware system called “XProtect,” and while it didn’t prevent the apparently large number of machines from being infected, neither did any other third-party anti-malware software on the Mac.

      No platform is completely safe from malware. To think that the Mac is invulnerable is delusional. That doesn’t mean there is some huge wave of Mac malware coming any second now.

      http://daringfireball.net/2011/05/wolf

      Bottom line: On the Mac, as with any platform, don’t be an idiot.

      1. Do run software update regularly, do keep your third-party software current.
      2. Avoid high-risk technologies like Java and Flash, and don’t download “cracked” versions of commercial software from “Warez” sites.

      This will avoid most problems. If you feel that running a third-party AV product makes you more secure, go for it.
