APT28, an allegedly state-backed Russian hacking group that has been accused of hacking the Democratic National Committee in the United States, has been upping its game. Security researchers have discovered that the group is now using a macOS build of its Xagent payload that can harvest browser passwords, take screenshots and exfiltrate iPhone backups stored on the Mac.
APT28 is back in the news - now with a new Mac malware
A new version of the Xagent malware, reportedly created by Russian hacking group APT28, has been discovered targeting Mac users. Xagent has previously been used against Windows, iOS, Android and Linux devices; this is the first version of Xagent known to run on macOS.
Security researchers at Bitdefender Labs uncovered a sophisticated package that the group used to target Macs. APT28 (aka Fancy Bear or Strontium) has long been known for its advanced cyber-espionage tooling for penetrating Windows, Linux, iOS and Android devices. The group now apparently has a macOS capability as well.
The sample we are discussing today has been linked to the Mac OS X version of the Xagent component from the Sofacy/APT28/Sednit APT. This modular backdoor with advanced cyber-espionage capabilities is most likely planted on the system via the Komplex downloader.
Once successfully installed, the backdoor checks if a debugger is attached to the process. If it detects one, it terminates itself to prevent execution. Otherwise, it waits for an Internet connection before initiating communication with the C&C servers.
After the communication has been established, the payload starts the modules. Our preliminary analysis shows most of the C&C URLs impersonate Apple domains.
This modular backdoor with advanced cyber-espionage capabilities not only allows harvesting browser passwords and capturing screenshots, but also enables the attackers to exfiltrate iPhone backups stored on a compromised Mac.
Where do the Mac OS spy modules fall into place?
The analysis reveals the presence of modules that can probe the system for hardware and software configurations, grab a list of running processes and run additional files, as well as get desktop screenshots and harvest browser passwords.
But the most important module, from an intelligence-gathering perspective, is the one that allows the operator(s) to exfiltrate iPhone backups stored on a compromised Mac.
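Bitdefender's note above that most of the C&C URLs impersonate Apple domains suggests a simple network-side check: flag DNS lookups for hostnames that carry an Apple brand token but do not resolve under a domain Apple actually controls. The script below is an added example written for this article, not Bitdefender's code and not derived from any Xagent sample; the allowlist, the brand tokens, the log format and every hostname in the sample log are constructed assumptions.

```python
"""Flag DNS queries for hostnames that imitate Apple domains.

Added illustration, not code from the article or from Bitdefender.
All hostnames and log lines below are constructed for the example.
"""
import re

# Assumption: a short allowlist of domains Apple itself operates. A real
# deployment would maintain this list from Apple's published infrastructure.
APPLE_DOMAINS = {"apple.com", "icloud.com", "itunes.com", "mzstatic.com", "apple-dns.net"}

# Brand tokens whose presence in a non-Apple hostname is suspicious.
BRAND_TOKENS = {"apple", "appleid", "icloud", "itunes", "appstore"}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'apple.com'.

    Naive on purpose: it ignores multi-part public suffixes such as co.uk,
    which is acceptable for this illustration.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_apple_lookalike(host: str) -> bool:
    """True if the hostname uses an Apple brand token outside Apple's domains."""
    host = host.lower().rstrip(".")
    if registrable_domain(host) in APPLE_DOMAINS:
        return False  # genuine Apple infrastructure, however deep the subdomain
    # Split on dots and hyphens so 'apple-checker.example.org' and
    # 'itunes-update.example.net' match, while 'pineapple.example' does not.
    parts = re.split(r"[.-]", host)
    return any(p in BRAND_TOKENS for p in parts)


# Constructed log format: '<timestamp> query[<type>] <hostname> from <client-ip>'
_QUERY_RE = re.compile(r"^(\S+) query\[(\w+)\] (\S+) from (\S+)$")


def parse_query_log(lines):
    """Yield dicts for lines matching the constructed query format; skip others."""
    for line in lines:
        m = _QUERY_RE.match(line.strip())
        if m:
            yield {"ts": m.group(1), "type": m.group(2),
                   "host": m.group(3), "client": m.group(4)}


def find_lookalike_queries(lines):
    """Return the parsed queries whose hostname looks like an Apple impersonation."""
    return [q for q in parse_query_log(lines) if is_apple_lookalike(q["host"])]


# Constructed sample: two legitimate Apple lookups, one unrelated host that merely
# contains the substring 'apple', two impersonations and one malformed line.
SAMPLE_LOG = [
    "2017-02-14T10:00:01Z query[A] init.itunes.apple.com from 10.0.0.5",
    "2017-02-14T10:00:07Z query[A] apple-checker.example.org from 10.0.0.5",
    "2017-02-14T10:00:09Z query[A] pineapple.example from 10.0.0.5",
    "2017-02-14T10:00:12Z query[A] gateway.icloud.com from 10.0.0.5",
    "2017-02-14T10:00:20Z query[A] itunes-update.example.net from 10.0.0.5",
    "this line is not a query and is skipped",
]


if __name__ == "__main__":
    for q in find_lookalike_queries(SAMPLE_LOG):
        print(f"{q['ts']} {q['client']} -> {q['host']}  (Apple lookalike)")
```

Splitting on hyphens as well as dots is what keeps the check from being trivially bypassed by `apple-update.example`, while the allowlist comparison on the registrable domain keeps legitimate deep subdomains such as `init.itunes.apple.com` out of the alert queue. A hostname that embeds a brand inside a longer label (`pineapple.example`, `myappleshop.example`) is deliberately not flagged; tightening that trades false positives for coverage and is a tuning decision for the environment.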
Researchers believe the Xagent Mac malware is being delivered by Komplex, a macOS downloader that exploits a vulnerability in the MacKeeper antivirus kit. The investigation into the Xagent Mac malware continues, and Bitdefender researchers have promised to publish a detailed paper soon.