In an earlier blog, I mentioned that this malware, which like the highly prevalent Flashback variant exploits CVE-2012-0507, seems to have been around for longer than Symantec’s recent write-up might indicate. Kaspersky’s Costin Raiu has, in the course of a useful description of the malware, confirmed that it seems to have been created on 16th March. In fact, Intego’s Philippe Devallois has suggested it might even have been a little earlier.
Even more interesting is Raiu’s subsequent blog confirming a link between SabPab (or SabPub – vendor detection names vary) and APT attacks labelled Luckycat. He suggests a link with attacks on Tibetan activists and notes the use of a number of Word documents exploiting the CVE-2009-0563 buffer overflow vulnerability in Microsoft Office.
An article by The Register’s Richard Chirgwin also refers.
David Harley CITP FBCS CISSP