A BitDefender post reported that they have found a macOS malware that is likely part of APT28’s armoury. APT28 is a Russian cyberespionage group going by many names including Fancy Bear, Pawn Storm, Sofacy Group, Sednit and STRONTIUM.
They are also the same group that was blamed for hacking into the U.S. Democratic National Committee last year. It has also been speculated, with some likelihood, that the group is tied to the Russian Military Intelligence Service (GRU). Their attack patterns favour spear-phishing, as well as malware – including X-Agent.
While there have been many X-Agent variants for Windows, Linux, Android, and iOS, this time the Trojan is a variant targeting macOS. According to BitDefender, X-Agent can now target victims running Mac OS X to steal passwords, grab screens and steal iPhone backups stored on the Mac.
So far it is not known what the entire attack chain looks like – the research team only managed to get their hands on a sample. It is highly likely, though, that the malware is planted on the system using the Komplex macOS malware downloader. If a debugger is detected, the malware terminates itself before executing. Otherwise, it waits for an internet connection to link up to a command & control (C&C) server.
Once connected, the malware can probe the system for hardware and software configurations, grab a list of running processes and run additional files, as well as take desktop screenshots and harvest browser passwords. More notably, operators of the malware can get access to iPhone backups stored on a compromised Mac.
BitDefender is continuing their investigations, with further analysis set to be announced at a later date.