‘Xagent’ Malware Hits the Mac, Targets Passwords, iPhone Backups, More

A group of Russian hackers known as “APT28,” which allegedly interfered with last year’s U.S. presidential election, has added the Mac to the list of devices its Xagent malware package can attack.

Ars Technica:

Like its counterparts for other platforms, the Mac version of Xagent is a modular backdoor that can be customized to meet the objectives of a given intrusion, researchers from antivirus provider Bitdefender reported in a blog post published Tuesday. Capabilities include logging passwords, snapping pictures of screen displays, and stealing iOS backups stored on the compromised Mac.

Malware Grabs Passwords, iOS Backups

The malware is installed via the Komplex downloader and immediately checks for the presence of a debugger. Bitdefender says it then waits until an Internet connection is available before reaching out to its command and control (C&C) servers, which activate specific payload modules. Most of the C&C URLs impersonate Apple domains.
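Bitdefender's observation that most of the C&C URLs impersonate Apple domains suggests a simple network-side check for defenders: flag outbound requests whose host name trades on Apple's brand but does not sit under a domain Apple actually controls. The Python below is an added example written for this page, not code from Bitdefender, Ars Technica or the original article; the allowlist, the proxy log format, the sample log lines and the brand-token heuristic are all constructed assumptions rather than published indicators.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist of registrable domains Apple controls (assumption: extend
# it from your own environment's known-good traffic before relying on it).
APPLE_DOMAINS = {"apple.com", "icloud.com"}

# A host label that starts with a brand token, or has one right after a hyphen,
# is treated as trading on Apple's name: "appleid-verify", "update-icloud",
# "itunes-support". A word like "pineapple" does not match.
_BRAND_RE = re.compile(r"(?:^|-)(?:apple|icloud|itunes)")

# Digit-for-letter substitutions commonly used in lookalike names ("app1e").
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s"})


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Naive on purpose: a real deployment should
    consult the public suffix list so 'apple.co.uk'-style names are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_apple_lookalike(url: str) -> bool:
    """True when the URL's host is outside the allowlisted Apple domains but one
    of its labels is built on an Apple brand token."""
    host = urlsplit(url).hostname
    if not host:
        return False
    host = host.lower()
    if registrable_domain(host) in APPLE_DOMAINS:
        return False  # genuine Apple infrastructure
    return any(_BRAND_RE.search(label.translate(_LEET)) for label in host.split("."))


def scan_proxy_log(lines):
    """Return (client, host) pairs for every request to a lookalike host.
    Expected line format (constructed): '<timestamp> <client> <method> <url> <status>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        client, url = parts[1], parts[3]
        if is_apple_lookalike(url):
            hits.append((client, urlsplit(url).hostname))
    return hits


# Constructed sample proxy log: two genuine Apple requests, one unrelated host
# that merely contains the string "apple", and three lookalike hosts.
SAMPLE_LOG = """\
2017-02-14T10:02:11Z 10.0.0.12 GET https://www.apple.com/macos/ 200
2017-02-14T10:02:15Z 10.0.0.12 GET https://gateway.icloud.com/setup 200
2017-02-14T10:03:40Z 10.0.0.12 POST https://apple-checker.example/update.php 200
2017-02-14T10:04:02Z 10.0.0.17 GET https://pineapple.example/ 200
2017-02-14T10:05:20Z 10.0.0.17 POST https://app1e.example/api 200
2017-02-14T10:06:00Z 10.0.0.21 GET http://updates.itunes-support.example/ 302
"""

if __name__ == "__main__":
    for client, host in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(f"lookalike Apple host from {client}: {host}")
```

The heuristic errs toward flagging: any label that opens with a brand token is reported, so a legitimate third party whose name begins with "apple" will show up and should be added to the allowlist once reviewed. Pair the alert with the host that made the request, since a Mac beaconing to such a domain shortly after a new download is exactly the sequence described above.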

The discovery builds on the already considerable number of tools attributed to APT28, which other researchers call Sofacy, Sednit, Fancy Bear, and Pawn Storm. According to researchers at CrowdStrike and other security firms, APT28 has been operating since at least 2007 and is closely tied to the Russian government. An analysis Bitdefender published last year determined APT28 members spoke Russian, worked mostly during Russian business hours, and pursued targets located in Ukraine, Spain, Russia, Romania, the US, and Canada.

Group Could Be the DNC Hackers

There is circumstantial evidence pointing to APT28 as the group that allegedly hacked the Democratic National Committee, leaking emails via WikiLeaks during the 2016 U.S. presidential campaign.

“Our past analysis of samples known to be linked to APT28 group shows a number of similarities between the Sofacy/APT28/Sednit Xagent component for Windows/Linux and the Mac OS binary that currently forms the object of our investigation,” the Bitdefender researchers wrote in Tuesday’s report. “For once, there is the presence of similar modules, such as FileSystem, KeyLogger, and RemoteShell, as well as a similar network module called HttpChanel.”

The Mac operating system enjoyed years of being considered “virus free,” but it has recently drawn increased attention from attackers, mostly because of its connection with Apple’s popular iOS device lineup.

Just last week, malware was discovered on the Mac that relied on an “oldie but a goodie” type of attack, presenting itself as an Adobe Flash Player update. The “update” actually grabs a copy of the user’s Keychain, phishes for usernames and passwords, and harvests other personal information wherever it may be available. The data is then sent back to a remote location.