Apple Mac Attacking Malware Xagent Linked To Russian Hacker Group APT28

Roland Moore-Colyer,

The malware can steal passwords and exfiltrate iPhone backup data

Apple Mac infecting malware has been uncovered by cyber security firm Bitdefender, which has attributed the password-stealing malicious code Xagent to Russian hacker group APT28.

Xagent has previously been used to target Windows, iOS, Android and Linux devices, but Apple’s Mac OS X was thought to be immune to the malware.

The malware can steal passwords, grab screenshots, and exfiltrates backps of iPhones stored on targeted Macs, as well as execute other malicious code on infected machines, through the creation of backdoor, which Bitdefender notes is likely planted on the system through exploiting the Komplex downloader trojan.

Xagent on Mac OS X

apple-macos-sierra-3Once successfully installed, the backdoor checks if a debugger is attached to the process. If it detects one, it terminates itself to prevent execution. Otherwise, it waits for an Internet connection before initiating communication with the C&C (control and command) servers. After the communication has been established, the payload starts the modules,” explained Tiberius Axinte, technical lead in Bitdefender’s Antimalware Lab.

“The analysis reveals the presence of modules that can probe the system for hardware and software configurations, grab a list of running processes and run additional files, as well as get desktop screenshots and harvest browser passwords.

“But the most important module, from an intelligence-gathering perspective, is the one that allows the operator(s) to exfiltrate iPhone backups stored on a compromised Mac.”

While Bitdefender does not know which organisations are being targeted by Xagent, it has found common components in the malware that have been used in malware attacks known to be linked to the APT28 hackers.

The cyber security company is still digging into Xagent, so cannot say for sure exactly where the Max-targeting malware originated from or how it is being used to conduct cyber attacks.

However, with the ability to exfiltrate data from targeted Macs, there is some logic to speculate that the malware is being used to conduct espionage operations, particularly given threat data from F-Secure shows that Russian is the most common source for reconnaissance based cyber attacks.  

For Mac users, it is advised that they avoid downloading anything that does not come from the official and vetted Mac App Store or an established developer in order to avoid the risk of Xagent finding it way onto their machines.

How much do you know about hackers? Take our quiz!