'Xagent' malware arrives on Mac, steals passwords, screenshots, iPhone backups

Posted in Mac OS X, edited February 14
A Russian hacking group accused of interfering with last year's presidential election has evolved its Xagent malware package, known for its ability to infiltrate Windows, iOS, Android and Linux devices, to target Macs, according to a report on Tuesday.

Uncovered by security research firm and antivirus builder Bitdefender, the Mac strain of Xagent is similar to its predecessors in that it acts as a modular backdoor for intruders, reports Ars Technica.

Once the malware is installed, likely through the Komplex downloader, it checks for the presence of a debugger. If none is found, Xagent waits for an internet connection and then reaches out to its command and control servers, which in turn activate specific payload modules, Bitdefender explains. Consistent with its Mac focus, most of the C&C URLs impersonate Apple domains.
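
Because the report says most of the Mac Xagent C&C URLs impersonate Apple domains, one thing a defender can do with DNS or proxy logs is flag queries for hostnames that carry an Apple brand token but sit under a registrable domain Apple does not own. The Python below is an added example written for this page, not code from Bitdefender's report or from the Xagent samples; the allowlists, the dnsmasq-style log format and every hostname in the sample log are constructed for illustration and are not indicators from the report.

```python
"""Flag DNS queries for hostnames that impersonate Apple domains.

Added example for this article, not part of Bitdefender's report or the
Xagent samples. The heuristic: a queried hostname that contains an Apple
brand token (after undoing common digit-for-letter substitutions) but whose
registrable domain is not one Apple owns is reported as a lookalike.
All hostnames, allowlists and log lines below are constructed.
"""
import re
from typing import Dict, List

# Assumption: partial allowlist of registrable domains Apple actually uses.
APPLE_OWNED = {"apple.com", "icloud.com", "apple-dns.net", "mzstatic.com", "itunes.com"}
# Assumption: third parties whose names contain the brand but are known benign.
KNOWN_BENIGN = {"appleinsider.com"}
BRAND_TOKENS = ("apple", "icloud", "itunes")
# Undo typical lookalike substitutions before token matching (app1e, icl0ud).
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Constructed sample in a dnsmasq-like format: "<ts> query[TYPE] <host> from <client>"
SAMPLE_LOG = """\
Feb 14 09:12:01 query[A] www.apple.com from 10.0.0.12
Feb 14 09:12:03 query[A] gateway.icloud.com from 10.0.0.12
Feb 14 09:13:44 query[A] apple-update-checker.example from 10.0.0.12
Feb 14 09:13:45 query[A] icl0ud-verify.example.net from 10.0.0.12
Feb 14 09:14:02 query[A] www.appleinsider.com from 10.0.0.12
Feb 14 09:15:10 query[A] cdn.mzstatic.com from 10.0.0.12
Feb 14 09:16:27 query[A] itunes.apple.com.attacker.example from 10.0.0.12
"""

LOG_RE = re.compile(r"query\[\w+\]\s+(?P<host>\S+)\s+from\s+(?P<client>\S+)")


def registrable_domain(host: str) -> str:
    """Last two labels of the hostname. Naive: does not know about
    multi-label public suffixes such as co.uk; use a PSL library in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize(host: str) -> str:
    """Lowercase and map common digit substitutions back to letters."""
    return host.lower().translate(_LEET)


def looks_like_apple(host: str) -> bool:
    """True if any Apple brand token appears anywhere in the normalized name."""
    normalized = normalize(host)
    return any(token in normalized for token in BRAND_TOKENS)


def is_lookalike(host: str) -> bool:
    """Brand token present, but the registrable domain is not an allowlisted one.
    Note that brand tokens in subdomains (itunes.apple.com.attacker.example) are
    caught because only the registrable domain is compared to the allowlist."""
    if not looks_like_apple(host):
        return False
    return registrable_domain(host) not in (APPLE_OWNED | KNOWN_BENIGN)


def parse_dns_log(text: str) -> List[Dict[str, str]]:
    """Extract (host, client) pairs from query lines; other lines are skipped."""
    records = []
    for line in text.splitlines():
        match = LOG_RE.search(line)
        if match:
            records.append({"host": match.group("host"),
                            "client": match.group("client"),
                            "raw": line})
    return records


def flag_lookalikes(text: str) -> List[str]:
    """Return the queried hostnames that look like Apple impersonations, in log order."""
    return [rec["host"] for rec in parse_dns_log(text) if is_lookalike(rec["host"])]


if __name__ == "__main__":
    for host in flag_lookalikes(SAMPLE_LOG):
        print("suspicious Apple lookalike:", host)
```

Run against the constructed log, this flags the three hostnames that borrow the brand without being under an Apple-owned registrable domain, and leaves www.apple.com, gateway.icloud.com, cdn.mzstatic.com and the allowlisted news site alone. A hit is a lead for triage, not attribution: pair it with the indicators from Bitdefender's report, and expect to extend KNOWN_BENIGN as legitimate brand-bearing third parties show up in your own traffic.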

The Xagent payload includes modules capable of probing a target Mac's system configuration, listing running processes and executing code. More troubling is the malware's ability to grab desktop screenshots, steal web browser passwords and exfiltrate iPhone backups stored on the Mac. The latter capability is perhaps most important from an intelligence-gathering standpoint, Bitdefender says.

While an exact lineage has yet to be determined, the security firm believes APT28 is behind the Mac form of Xagent.

"Our past analysis of samples known to be linked to APT28 group shows a number of similarities between the Sofacy/APT28/Sednit Xagent component for Windows/Linux and the Mac OS binary that currently forms the object of our investigation," the report reads.

Circumstantial evidence suggests APT28, also known as Sofacy, Sednit, Fancy Bear and Pawn Storm, has deep ties with the Russian government. Last year, the group allegedly hacked the Democratic National Committee and leaked emails through WikiLeaks during the 2016 presidential election.

Bitdefender notes its investigation into Xagent is ongoing.

Today's development comes less than a week after security researchers discovered a new Mac malware seemingly originating out of Iran. Called "MacDownloader," the nefarious software attempts to fool users into downloading the package by presenting a fake Adobe Flash Player dialog, then -- inexplicably and in this case ironically -- another window claiming to be an "Adware Removal Tool by Bitdefender."

After years of priding itself on its "virus free" Mac OS X platform, Apple is becoming increasingly susceptible to targeted malware attacks. The shift in hacker attention from Windows to Apple products is likely due to the success of iOS, an operating system used by a huge percentage of smartphone users worldwide.

Comments

  • Reply 1 of 36
    daven, Posts: 387, member
    That sounds sophisticated. I'm impressed. I'm also worried. What is the infection method? Web site? Email? 
  • Reply 2 of 36
    And who's to say there isn't some cardinal malware that has been able to access everything on all of our electronics for years that has not yet been discovered?
  • Reply 3 of 36
    And most importantly... how do we protect our Macs?
  • Reply 4 of 36
    john.b, Posts: 2,669, member
    And most importantly... how do we protect our Macs?
    Keep MacKeeper off your Mac.

    Edit: I give up trying to cite anything on the new AI forum software with an iPhone. Check Ars Technica or MR for more information. 

  • Reply 5 of 36
    Ditto the above comments. The article fails to answer two critical questions:
    How is it being spread?
    How do we find out if we're infected?
  • Reply 6 of 36
    98% chance the infection method involves the user allowing access to an installer and it isn't coming from the App Store or an identified developer.
  • Reply 7 of 36
    It's suspected MacKeeper is the infection method. 
  • Reply 8 of 36
    I'm also curious what the vector is by which this is capable of spreading. Seems a bit of fear-mongering about capabilities without solutions for end users to protect themselves against these threats.
  • Reply 9 of 36
    It's suspected MacKeeper is the infection method. 
    What is MacKeeper? How does one end up with it?
  • Reply 10 of 36
    eightzero, Posts: 1,425, member
    Great reporting. "Scary stuff out there. Good luck"

  • Reply 11 of 36
    jdw, Posts: 442, member
    Ditto Eightzero.  This article is crazy for not giving us the information we need to take action.
  • Reply 12 of 36
    It's suspected MacKeeper is the infection method. 
    What is MacKeeper? How does one end up with it?
    You are apparently new to the internet. Welcome! And remember, don't download MacKeeper
  • Reply 13 of 36
    lkrupp, Posts: 4,530, member
    “After years of priding itself on its “virus free” Mac OS X platform, Apple is becoming increasingly susceptible to targeted malware attacks.” A virus and malware are two different things. So-called targeted malware attacks have absolutely nothing to do with the security and integrity of macOS. Instead they rely on the stupidity of the user. Fake Flash updaters have been around for years but people still fall for them. Apple doesn’t even support Flash by default anymore. You have to download and install it yourself. That this new malware appears to use MacKeeper as its infection vector is more proof that users are the problem, NOT macOS. MacKeeper is itself considered by many to be malware yet people still install it. Bottom line? You can’t fix stupid.

  • Reply 14 of 36
    lkrupp, Posts: 4,530, member
    And most importantly... how do we protect our Macs?
    By not being stupid and paying attention to what you are clicking on. As with all malware, YOU the user must do something to get infected. It doesn’t happen without YOUR input. It’s not magic, it’s not a virus, it’s trickery. When you get a pop-up saying you need to update Flash, IGNORE it! When an offer is too good to be true, IGNORE it!
  • Reply 15 of 36
    lkrupp, Posts: 4,530, member

    tyler82 said:
    And who's to say there isn't some cardinal malware that has been able to access everything on all of our electronics for years that has not yet been discovered?
    That is a condition known as paranoia.
  • Reply 16 of 36
    tyler82 said:
    And who's to say there isn't some cardinal malware that has been able to access everything on all of our electronics for years that has not yet been discovered?

    There is. It has been hiding in plain sight. It's called the Apple Ecosystem!!
  • Reply 17 of 36

    MacKeeper really tries so hard to get installed.

    Something new I've seen off-late is that some websites I visit have a pop-up which spoofs the Apple Domain and says that my machine needs to be scanned for viruses (virii?).

    Shit like that is how these infections happen.

  • Reply 18 of 36
    irnchriz, Posts: 1,463, member
    As with the majority of malware it is installed by fooling the user into clicking on something to initiate the install. You have to worry about the new malware on Windows coming to other platforms, the type that uses zero-day exploits to inject itself into the OS without user interaction, normally through Flash adverts etc. These newer infections are 'fileless', sitting in memory before executing PowerShell commands which then encrypt file systems etc.

    It's all fun...
  • Reply 19 of 36
    I thought we fixed this already in iOS. Lock it down! For all family, there is an admin password and all they can install comes from the App Store. 99% of users will not need any random software off the internet.
  • Reply 20 of 36
    MplsP said:
    Ditto the above comments. The article fails to answer two critical questions:
    How is it being spread?
    How do we find out if we're infected?
    But does not fail to jump into that political propaganda and guesses with: "Last year, the group allegedly hacked the Democratic National Committee and leaked emails through WikiLeaks during the 2016 presidential election. "