A Russian hacking group that has previously been linked to attacks on the Dutch ministry, NATO, and the Democratic National Committee (DNC) have also been linked to a new Mac malware. APT28 aka Fancy Bear/Sofacy/Sednit APT have reportedly added to their arsenal of software that has already been able to compromise Windows, Linux, Android, and IOS devices.
The latest module of the Xagent malware targets MacOS and is able to probe compromised systems for installed software and hardware, list running processes, download and run files, steal passwords, take screenshots of the desktop, and most notably, steal iPhone backups that are stored locally.
The analysis of the new Xagent module shows that once a machine is infected it will check for the presence of a debugger attached to the process (an anti-analysis technique). If no debugger is present, it will then check for an internet connection and spawn two processes to the Command and Control server (C&C). The first process will send information about the system to the C&C server and the second will listen for commands.
First reported by Bitdefender, who had obtained a sample of the malware last September, has provided circumstantial evidence tying ATP28 to the new malware.
As reported by Bitdefender, The similarities come from comparing the latest Xagent module to the Komplex Downloader trojan which was previously linked to ATP28.
The investigation found that they both are using a similar domain name that impersonates an apple domain for C&C. Komplex uses apple-[*******].net while Xagent uses apple-[*******].org (Note: both domains are redacted in the original report). Also contained within the binaries are the following static strings to the main executable:
Komplex: “/Users/kazak/Desktop/Project/komplex”
Xagent: “/Users/kazak/Desktop/Project/XAgentOSX”
Also, “there is the presence of similar modules, such as FileSystem, KeyLogger and RemoteShell, as well as a similar network module called HttpChanel.”