The malware can be used to spy on users, grab passwords

Feb 16, 2017 12:39 GMT  ·  By

Mac OS X users are now the target of a massive campaign seeking to steal users' passwords, grab screens, and steal iPhone backups stored on the Mac. 

According to BitDefender, this is the work of APT28, the same state-backed Russian group that was accused a few months back of hacking the Democratic National Committee. The new Mac-native variant of Xagent was observed in the wild stealing passwords and smartphone backups and grabbing screenshots.

BitDefender's researchers state that the modules in the new Mac variant of Xagent have a number of similarities to the components built for Windows or Linux. Furthermore, the malware's command-and-control addresses are similar to the ones used by the APT28 group for Komplex, another malware tool used in its attacks.

How does it work?

"Once successfully installed, the backdoor checks if a debugger is attached to the process. If it detects one, it terminates itself to prevent execution. Otherwise, it waits for an Internet connection before initiating communication with the C&C servers. After the communication has been established, the payload starts the modules," reads BitDefender's blog.

Once connected, the payload sends a HelloMessage before spawning two communication threads that run in infinite loops: one sends information, while the other receives commands.

The malware scans the system for hardware and software configurations, grabs a list of running processes, and runs additional files. On top of this, it takes desktop screenshots and collects browser passwords, giving the attackers complete visibility into the Mac user's activity.

"Our past analysis of samples known to be linked to APT28 group shows a number of similarities between the Sofacy/APT28/Sednit Xagent component for Windows/Linux and the Mac OS binary that currently forms the object of our investigation. For once, there is the presence of similar modules, such as FileSystem, KeyLogger and RemoteShell, as well as a similar network module called HttpChanel," the post reads.

Thankfully, BitDefender claims their updated software can detect and block such spy attacks, so at least there's that.