Bitdefender, a well-known IT security and antivirus firm, has recently identified the latest strain of Xagent for the Mac, which is being used as a backdoor by the attackers. After the malware is installed by the Komplex downloader, it checks for the presence of a debugger; if none is found, it waits for a network connection to become available and then contacts its C&C servers. The attackers then activate specific payload modules.
APT28, a Russian hacking group, is believed to play a crucial role in developing these tools to infiltrate and infect systems running iOS, Windows, Linux and Android. Now the group appears to be focusing on Mac devices, which is why reports of one Mac malware after another keep appearing.
In a blog post published on Tuesday, Bitdefender's researchers explained that the Mac version of Xagent can be made to perform tasks such as obtaining passwords, intrusion, taking screenshots and stealing iOS backups stored on an infected Mac. Xagent is a payload with modules that can probe the system configuration of a Mac, enumerate running processes and launch executable code.
The clue pointing to APT28 [Pdf] in the distribution of Xagent is a file path in the malware's binary showing that it was developed by the author of Komplex. Komplex is a first-stage Trojan that Sofacy has also used to compromise devices. According to Bitdefender's researchers, the Mac version of Xagent is also being planted by Komplex.
The APT28 group has been active since 2007 and shares close ties with the Russian government. Its members are fluent in Russian and operate during Russian business hours, and they usually attack Ukraine, Romania, the US, Canada and Spain; these are probably the facts that led to the assumption that the group is linked to Russia.