Apple Mac Attacking Malware Xagent Linked To Russian Hacker Group APT28

Apple Mac infecting malware has been uncovered by cyber security firm Bitdefender, which has attributed the password-stealing malicious code Xagent to Russian hacker group APT28.

Xagent has previously been used to target Windows, iOS, Android and Linux devices, but Apple’s Mac OS X was thought to be immune to the malware.

The malware can steal passwords, grab screenshots, and exfiltrates backps of iPhones stored on targeted Macs, as well as execute other malicious code on infected machines, through the creation of backdoor, which Bitdefender notes is likely planted on the system through exploiting the Komplex downloader trojan.

Xagent on Mac OS X

Once successfully installed, the backdoor checks if a debugger is attached to the process. If it detects one, it terminates itself to prevent execution. Otherwise, it waits for an Internet connection before initiating communication with the C&C (control and command) servers. After the communication has been established, the payload starts the modules,” explained Tiberius Axinte, technical lead in Bitdefender’s Antimalware Lab.

“The analysis reveals the presence of modules that can probe the system for hardware and software configurations, grab a list of running processes and run additional files, as well as get desktop screenshots and harvest browser passwords.

“But the most important module, from an intelligence-gathering perspective, is the one that allows the operator(s) to exfiltrate iPhone backups stored on a compromised Mac.”

While Bitdefender does not know which organisations are being targeted by Xagent, it has found common components in the malware that have been used in malware attacks known to be linked to the APT28 hackers.

The cyber security company is still digging into Xagent, so cannot say for sure exactly where the Max-targeting malware originated from or how it is being used to conduct cyber attacks.

However, with the ability to exfiltrate data from targeted Macs, there is some logic to speculate that the malware is being used to conduct espionage operations, particularly given threat data from F-Secure shows that Russian is the most common source for reconnaissance based cyber attacks.

For Mac users, it is advised that they avoid downloading anything that does not come from the official and vetted Mac App Store or an established developer in order to avoid the risk of Xagent finding it way onto their machines.

How much do you know about hackers? Take our quiz!

Roland Moore-Colyer

As News Editor of Silicon UK, Roland keeps a keen eye on the daily tech news coverage for the site, while also focusing on stories around cyber security, public sector IT, innovation, AI, and gadgets.

Recent Posts

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

29 mins ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

45 mins ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

22 hours ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

23 hours ago

US Supreme Court Agrees To Hear TikTok Appeal

US Supreme Court says it will hear appeal of TikTok and parent ByteDance against ban…

24 hours ago