Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

'Xagent' malware arrives on Mac, steals passwords, screenshots, iPhone backups

Last updated

A Russian hacking group accused of interfering with last year's presidential election has evolved its Xagent malware package, known for its ability to infiltrate Windows, iOS, Android and Linux devices, to target Macs, according to a report on Tuesday.

Uncovered by security research firm and antivirus builder Bitdefender, the Mac strain of Xagent is similar to its predecessors in that it acts as a modular backdoor for intruders, reports Ars Technica.

Once the malware is installed, likely through the Komplex downloader, it checks for the presence of a debugger. If none is found, Xagent waits for an internet connection to reach out to command and control servers, which in turn activate specific payload modules, Bitdefender explains. As a Mac malware, most C&C URLs impersonate Apple domains.

The Xagent payload includes modules capable of searching a target Mac's system configuration, offloading running processes and executing code. More troubling is the malware's ability to grab desktop screenshots, steal web browser passwords and offload iPhone backups. The latter capability is perhaps most important from an intelligence-gathering standpoint, Bitdefender says.

While an exact lineage has yet to be determined, the security firm believes APT28 is behind the Mac form of Xagent.

"Our past analysis of samples known to be linked to APT28 group shows a number of similarities between the Sofacy/APT28/Sednit Xagent component for Windows/Linux and the Mac OS binary that currently forms the object of our investigation," the report reads.

Circumstantial evidence suggests APT28, also known as Sofacy, Sednit, Fancy Bear and Pawn Storm, has deep ties with the Russian government. Last year, the group allegedly hacked the Democratic National Committee and leaked emails through WikiLeaks during the 2016 presidential election.

Bitdefender notes its investigation into Xagent is ongoing.

Today's development comes less than a week after security researchers discovered a new Mac malware seemingly originating out of Iran. Called "MacDownloader," the nefarious software attempts to fool users into downloading the package by presenting a fake Adobe Flash Player dialog, then — inexplicably and in this case ironically — another window claiming to be an "Adware Removal Tool by Bitdefender."

After years of priding itself on its "virus free" Mac OS X platform, Apple is becoming increasingly susceptible to targeted malware attacks. The shift in hacker attention from Windows to Apple products is likely due to the success of iOS, an operating system used by a huge percentage of smartphone users worldwide.