Backdoor:OSX/Sabpab.A connects to a remote server to receive further instructions, without the knowledge or permission from the user.
Manual Removal Instructions
- 1. Open Activity Monitor, select com.apple.PubSabAgent.pfile, and click Quit Process.
- 2. Open Terminal, then execute the following:
- rm ~/Library/Preferences/com.apple.PubSabAgent.pfile
- rm ~/Library/LaunchAgents/com.apple.PubSabAgent.plist
The malware drops the following copy of itself:
It creates the following launchpoint for the file above:
The malware connects to a remote server to obtain additional commands. The server varies between samples. As of this writing, there are two known servers:
The backdoor is capable of performing the following actions:
- Downloading and uploading files
- Creating new processes
- Taking screenshots