
'Xagent' malware arrives on Mac, steals passwords, screenshots, iPhone backups

A Russian hacking group accused of interfering with last year's presidential election has evolved its Xagent malware package, known for its ability to infiltrate Windows, iOS, Android and Linux devices, to target Macs, according to a report on Tuesday.

Uncovered by security research firm and antivirus builder Bitdefender, the Mac strain of Xagent is similar to its predecessors in that it acts as a modular backdoor for intruders, reports Ars Technica.

Once the malware is installed, likely through the Komplex downloader, it first checks whether a debugger is attached to its process, a common anti-analysis step that keeps the payload dormant when it is run under instrumented analysis. If no debugger is found, Xagent waits for an internet connection and then reaches out to its command-and-control servers, which in turn activate specific payload modules, Bitdefender explains. Because the target is a Mac, most of the C&C URLs impersonate Apple domains, so the beaconing blends in with the traffic a Mac generates anyway.
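The "impersonate Apple domains" detail is the one a defender can act on: a Mac talks to a small, stable set of Apple-owned domains, so a query for a name that carries an Apple brand string but resolves under some other registrable domain is worth an alert. The script below is an added example, not code from Bitdefender's report or from Xagent; the log format, every hostname in it and the allowlist of Apple-owned domains are constructed assumptions to be tuned against your own baseline, and the registrable-domain logic is a deliberate simplification that ignores multi-part public suffixes.

```python
"""Flag DNS queries for Apple-lookalike domains that are not Apple-owned.

Added example, not from Bitdefender's report or from Xagent itself. The log
format and every hostname below are constructed for illustration; the
allowlist is an assumption to be tuned against your own baseline of Apple
endpoints.
"""
import re
from typing import Iterable, List, Tuple

# Registrable domains Apple actually owns (assumption: extend from your baseline).
APPLE_OWNED = {"apple.com", "icloud.com", "itunes.com", "mzstatic.com", "apple-dns.net"}
# Brand strings an impersonating C&C hostname would be expected to carry.
BRAND_TOKENS = ("apple", "icloud", "itunes")

# Constructed log format: "<timestamp> <client-ip> query <qtype> <qname>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$"
)

# Constructed sample resolver log; the .example names stand in for real lookalikes.
SAMPLE_LOG = """\
2017-02-14T09:58:03Z 10.0.0.23 query A www.apple.com.
2017-02-14T09:58:07Z 10.0.0.23 query A gateway.icloud.com.
2017-02-14T10:02:11Z 10.0.0.23 query A apple-update-check.example.
2017-02-14T10:02:40Z 10.0.0.23 query AAAA icloud-sync-service.example.
2017-02-14T10:03:01Z 10.0.0.23 query A api.example.net.
2017-02-14T10:03:15Z 10.0.0.23 query A www.apple.com.cdn-static.example.
garbage line that does not parse
"""


def registrable_domain(qname: str) -> str:
    """Last two labels of the name. Simplification: ignores multi-part public
    suffixes such as co.uk; use a public-suffix-list library in production."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def is_apple_lookalike(qname: str) -> bool:
    """True when any label carries an Apple brand token but the registrable
    domain is not Apple-owned. 'www.apple.com.cdn-static.example' is caught
    because its registrable domain is cdn-static.example, not apple.com."""
    name = qname.rstrip(".").lower()
    if registrable_domain(name) in APPLE_OWNED:
        return False
    return any(tok in label for label in name.split(".") for tok in BRAND_TOKENS)


def scan_dns_log(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, qname) for each lookalike query. Lines that
    do not match the expected format are skipped rather than aborting the scan."""
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        if is_apple_lookalike(qname):
            hits.append((m.group("ts"), m.group("client"), qname))
    return hits


if __name__ == "__main__":
    for ts, client, qname in scan_dns_log(SAMPLE_LOG.splitlines()):
        print(f"{ts} {client} -> {qname}")
```

Run against the constructed log it reports three names: the two bare lookalikes and the one that hides `www.apple.com` as a prefix of a non-Apple domain, while genuine `apple.com` and `icloud.com` traffic passes. Expect tuning: Apple uses more domains than the five in the allowlist, and a real deployment should take the registrable domain from the public suffix list rather than the last two labels.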

The Xagent payload includes modules that probe a target Mac's system configuration, list running processes and execute additional code. More troubling is the malware's ability to grab desktop screenshots, steal web browser passwords and exfiltrate iPhone backups stored on the Mac. The last capability is perhaps the most important from an intelligence-gathering standpoint, Bitdefender says: a local iPhone backup holds the phone's messages, contacts, photos and app data in one place, so stealing it is a way to collect the phone's contents without ever touching the phone.
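A practical first question for anyone reading this is whether their Mac is holding such backups at all, and whether those backups were made with a backup password, since an unencrypted backup hands the thief everything in the clear while an encrypted one still has to be cracked. The script below is an added example, not code from the Bitdefender report; it assumes Apple's standard layout of one folder per device UDID under ~/Library/Application Support/MobileSync/Backup, each with a Manifest.plist carrying IsEncrypted, Date and a Lockdown dictionary with DeviceName and ProductVersion. Key presence varies between iOS versions, so every lookup has a fallback, and the fixture builder creates constructed fake backups so the inventory can be exercised on any machine.

```python
"""Inventory iPhone backups stored on a Mac and report whether each is encrypted.

Added example, not from the Bitdefender report. Assumes Apple's standard
layout: ~/Library/Application Support/MobileSync/Backup/<UDID>/Manifest.plist
with the keys IsEncrypted, Date and Lockdown/{DeviceName,ProductVersion}.
Key presence varies by iOS version, so every lookup falls back to a default.
"""
import plistlib
import sys
import tempfile
from datetime import datetime
from pathlib import Path
from typing import Dict, List, Optional

DEFAULT_BACKUP_ROOT = (
    Path.home() / "Library" / "Application Support" / "MobileSync" / "Backup"
)


def read_backup_info(backup_dir: Path) -> Optional[Dict[str, object]]:
    """Parse one backup folder; None if it carries no Manifest.plist."""
    manifest = backup_dir / "Manifest.plist"
    if not manifest.is_file():
        return None
    with manifest.open("rb") as fh:  # plistlib reads both binary and XML plists
        data = plistlib.load(fh)
    lockdown = data.get("Lockdown") or {}
    return {
        "udid": backup_dir.name,
        "device_name": lockdown.get("DeviceName", "unknown"),
        "ios_version": lockdown.get("ProductVersion", "unknown"),
        "encrypted": bool(data.get("IsEncrypted", False)),
        "date": data.get("Date"),
        "size_bytes": sum(p.stat().st_size for p in backup_dir.rglob("*") if p.is_file()),
    }


def inventory(root: Path = DEFAULT_BACKUP_ROOT) -> List[Dict[str, object]]:
    """All backups under root, unencrypted ones first so they stand out."""
    if not root.is_dir():
        return []
    found = []
    for child in sorted(root.iterdir()):
        if child.is_dir():
            info = read_backup_info(child)
            if info:
                found.append(info)
    return sorted(found, key=lambda i: (i["encrypted"], i["udid"]))


def make_sample_backups() -> Path:
    """Constructed fixture (not real backup data): two fake backups, one
    encrypted and one not, plus a folder with no manifest, in a temp dir."""
    root = Path(tempfile.mkdtemp(prefix="mobilesync-demo-"))
    fixtures = {
        "00008030-000000000000aaaa": {
            "IsEncrypted": True,
            "Date": datetime(2017, 2, 10, 8, 0),
            "Lockdown": {"DeviceName": "Work iPhone", "ProductVersion": "10.2.1"},
        },
        "00008030-000000000000bbbb": {
            "Date": datetime(2017, 1, 3, 21, 30),
            "Lockdown": {"DeviceName": "Family iPad"},  # no IsEncrypted key
        },
    }
    for udid, manifest in fixtures.items():
        d = root / udid
        d.mkdir()
        with (d / "Manifest.plist").open("wb") as fh:
            plistlib.dump(manifest, fh, fmt=plistlib.FMT_BINARY)
        (d / "Manifest.db").write_bytes(b"\x00" * 1024)  # stand-in for the file index
    (root / "not-a-backup").mkdir()
    return root


if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else DEFAULT_BACKUP_ROOT
    for b in inventory(root):
        flag = "ENCRYPTED  " if b["encrypted"] else "UNENCRYPTED"
        print(f"{flag} {b['udid']} {b['device_name']} iOS {b['ios_version']} "
              f"{b['date']} {b['size_bytes']} bytes")
```

On a Mac run it with no argument to list the real backups; pass the path returned by `make_sample_backups()` to see the output shape elsewhere. Anything reported as UNENCRYPTED is a copy of a phone that a backdoor with file access can carry off and read directly; turning on backup encryption in iTunes with a strong password, or not keeping local backups at all, is the fix the inventory points to.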

While an exact lineage has yet to be determined, the security firm believes APT28 is behind the Mac form of Xagent.

"Our past analysis of samples known to be linked to APT28 group shows a number of similarities between the Sofacy/APT28/Sednit Xagent component for Windows/Linux and the Mac OS binary that currently forms the object of our investigation," the report reads.

Circumstantial evidence suggests APT28, also known as Sofacy, Sednit, Fancy Bear and Pawn Storm, has deep ties with the Russian government. Last year, the group allegedly hacked the Democratic National Committee and leaked emails through WikiLeaks during the 2016 presidential election.

Bitdefender notes its investigation into Xagent is ongoing.

Today's development comes less than a week after security researchers discovered a new Mac malware seemingly originating from Iran. Called "MacDownloader," the software tries to fool users into downloading the package by presenting a fake Adobe Flash Player dialog, followed, inexplicably and in this case ironically, by another window claiming to be an "Adware Removal Tool by Bitdefender."

After years of priding itself on a "virus free" Mac OS X platform, Apple is finding its platforms increasingly singled out for targeted malware. The shift in attacker attention from Windows to Apple products is likely due in part to the success of iOS, an operating system used by a large share of smartphone users worldwide.



36 Comments

daven 16 Years · 722 comments

That sounds sophisticated. I'm impressed. I'm also worried. What is the infection method? Web site? Email? 

tyler82 18 Years · 1107 comments

And who's to say there isn't some cardinal malware that has been able to access everything on all of our electronics for years that has not yet been discovered?

slprescott 10 Years · 759 comments

And most importantly... how do we protect our Macs?

john.b 16 Years · 2733 comments

And most importantly... how do we protect our Macs?

Keep Mackeeper off your Mac. 

Edit: I give up trying to cite anything on the new AI forum software with an iPhone. Check Ars Technica or MR for more information. 

MplsP 8 Years · 4047 comments

Ditto the above comments. The article fails to answer two critical questions:
How is it being spread?
How do we find out if we're infected?