Mac malware

Russian cyberspies known as APT28 have created a Mac version of their famous XAgent (X-Agent, Sofacy) malware, which already has versions for Windows, iOS, and Android.

The XAgentOSX malware, as the group calls it, includes several artefacts and shared components that link it to its Windows version, according to Bitdefender and Palo Alto researchers, who discovered attacks where this Mac variant was used.

Regular users have nothing to worry about, since XAgentOSX is a malware threat only deployed in targeted and politically motivated attacks, being detected in a very small number of incidents.

APT28 behind XAgentOSX

The group behind these attacks is identified by security firms under the primary name of APT28, but also under the names of Sednit, Fancy Bear, Pawn Storm, Sofacy, Tsar Team, and Strontium.

The group's main malware families include XAgent, a modular backdoor trojan for Windows, Mac, iOS, and Android; Fysbis, a simple backdoor for Linux systems; DealersChoice, a Flash exploitation framework; and Komplex, a malware dropper for Mac systems.

According to Bitdefender and Palo Alto, APT28 uses the Komplex malware to infect Mac systems, and then drop the XAgentOSX variant. Researchers discovered Komplex last September.

XAgentOSX is a complex piece of malware

XAgentOSX works like its Windows counterpart, meaning it will report to its C&C server and await new instructions. These commands range from searching the local system for certain files to downloading and executing other malware.

Under the hood, XAgentOSX is a modular malware, meaning APT28 can send new modules to each infected victim and support new features.

These can range from the ability to collect hardware and software info about each infected target, search files, delete files, download new files, take screenshots, dump browser passwords, upload stolen data to an FTP server, and others.

XAgentOSX tied to Komplex dropper

According to Bitdefender's Tiberius Axinte, XAgentOSX's main feature appears to be the component that can search and steal iPhone backups.

Axinte also says that "the Komplex component discovered in September has been exclusively used as a downloader and installer for the Xagent binary."

This shows a concentrated effort from APT28 to develop new malware specifically for macOS. The iOS version of XAgent has been around since late 2014.

APT28 is one of the two Russian-linked cyber-espionage groups that hacked into the Democratic National Committee's email server in 2015 and 2016.

According to cyber-security firm CrowdStrike, APT28 deployed the Android version of XAgent to spy on the movements of Ukrainian artillery troops in the ongoing conflict in eastern Ukraine.