Sophisticated 'Xagent' Malware for Stealing Passwords and iPhone Backups Now Targets Mac Users

Discussion in 'Politics, Religion, Social Issues' started by MacRumors, Feb 14, 2017.

  1. MacRumors macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1


    A new version of Xagent, malware reportedly created by Russian hacking group APT28, has been discovered, and this version targets Mac users.

    As outlined in a blog post by antivirus company Bitdefender (via Ars Technica), Xagent has previously been used to infiltrate Windows, iOS, Android, and Linux devices, but now Macs are vulnerable to attack as well. This is the first version of Xagent that's believed to be able to infiltrate Macs.


    The Mac version of Xagent is described as a backdoor that can be customized to do things like log passwords, detect system configurations, execute files, take screenshots of the display, and access iOS backups stored on the Mac.
    APT28 is the cyberespionage group that has been accused of hacking into the U.S. Democratic National Committee last year and interfering with the 2016 presidential election.

    Bitdefender isn't entirely sure how the Mac version of Xagent is being distributed to users, but it could be spread via a macOS malware downloader called Komplex, which exploits a vulnerability in the virus-like MacKeeper software. Research on the malware is ongoing.

    Mac users concerned about Xagent should avoid downloading anything that doesn't come from the Mac App Store or a well-known developer.

    Note: Due to the political nature of the discussion regarding this topic, the discussion thread is located in our Politics, Religion, Social Issues forum. All forum members and site visitors are welcome to read and follow the thread, but posting is limited to forum members with at least 100 posts.

    Article Link: Sophisticated 'Xagent' Malware for Stealing Passwords and iPhone Backups Now Targets Mac Users
     
  2. canadianreader macrumors 6502

    canadianreader

    Joined:
    Sep 24, 2014
    #2
    No one is sure of anything in this article. Then Russian hackers and stuff...
    Waiting for more information on this
     
  3. bluespark macrumors 65816

    Joined:
    Jul 11, 2009
    Location:
    New York
    #3
    A malware discussion is political? Everyone should be able to comment on this.
     
  4. bradl macrumors 68040

    bradl

    Joined:
    Jun 16, 2008
    #4
    I can see why they put it in PRSI. If this is the same group that hacked the DNCC, this could get political really fast.

    BL.
     
  5. manu chao macrumors 603

    Joined:
    Jul 30, 2003
    #5
    Maybe it is time that MacKeeper is classified as malware by anti-malware applications ...
     
  6. BasicGreatGuy Contributor

    BasicGreatGuy

    Joined:
    Sep 21, 2012
    Location:
    In the middle of several books.
  7. Paul Dawkins Suspended

    Paul Dawkins

    Joined:
    Dec 15, 2016
    Location:
    Stonehenge
  8. killawat macrumors 65816

    Joined:
    Sep 11, 2014
    #8
    I expect XProtect to be updated shortly.
     
  9. JosephAW macrumors 65816

    JosephAW

    Joined:
    May 14, 2012
    #9
    This week I saw some strange spam from my iCloud account. Might have been a phishing attempt.
     
  10. keysofanxiety macrumors 604

    keysofanxiety

    Joined:
    Nov 23, 2011
    #10
    It is. MalwareBytes deletes it.
     
  11. rshrugged macrumors 6502a

    Joined:
    Oct 11, 2015
    #11
    It's an early report on a breaking story. I'm sure more specifics will be forthcoming when available. If MR hadn't done the story, many would not know about it. Keeping members/visitors informed is part of MR's mission.
     
  12. aaronhead14 macrumors 6502

    aaronhead14

    Joined:
    Mar 9, 2009
  13. John.B, Feb 14, 2017
    Last edited: Feb 14, 2017

    John.B macrumors 601

    John.B

    Joined:
    Jan 15, 2008
    Location:
    Holocene Epoch
    #13
    The attack vector is based on a vulnerability in MacKeeper.

    Keep that off your Mac and you'll be fine.
     
  14. ikramerica macrumors regular

    Joined:
    Apr 10, 2009
    #14
    How does being from a trusted developer help? All it takes is one infected person inside the company to let it in, then in theory it can infect a "trusted" app.
     
  15. hayesk macrumors 65816

    Joined:
    May 20, 2003
    #15
    How so? What's the method in which it spreads? And trusted apps are signed. Any modification is detected by Gatekeeper.
     
  16. John.B macrumors 601

    John.B

    Joined:
    Jan 15, 2008
    Location:
    Holocene Epoch
    #16
    It doesn't "spread"; it's not a virus, it's malware:

    Russian cyberspies blamed for U.S. election hacks are now targeting Macs

    The user installs software with a vulnerability (in this case, MacKeeper), then visits a website specifically designed to exploit that vulnerability, which downloads a Trojan, at which point the command and control network takes over.

    The irony is that the user installing so-called "security software" such as MacKeeper actually installs the vulnerability that allows their computer to be hacked in the first place.
     
  17. H2SO4 macrumors 68040

    Joined:
    Nov 4, 2008
    #17
    That's not what it says, is it (whilst you may be right)?
    "...not entirely sure how the Mac version of Xagent is being distributed to users, but it could be spread via a macOS malware downloader called Komplex, which exploits a vulnerability in the virus-like MacKeeper software"
     
  18. Kajje macrumors 6502a

    Kajje

    Joined:
    Dec 6, 2012
    Location:
    Asia
    #18
    Installation of that MacKeeper pest should be blocked at the firmware level.
     
  19. justperry macrumors 604

    justperry

    Joined:
    Aug 10, 2007
    Location:
    In the core of a black hole.
    #19
    Totally agree. There is no need to do maintenance in macOS; sadly, some people fall into the aggressive marketing pit this company uses. Apple should block this app from ever running on macOS.
     
  20. rshrugged macrumors 6502a

    Joined:
    Oct 11, 2015
    #20
    More information on this issue from @thomasareed. He's unable to post here because he has less than 100 posts.

    He wanted to let us "know that this new "XAgent" variant of Komplex has absolutely no relation to a MacKeeper exploit. The writer has conflated this variant with one specific older variant from 2015. As much as I'd like to be able to blame MacKeeper, that vulnerability was closed in 2015, and there's no indication whatsoever that MacKeeper is in any way involved with the "XAgent" variant."

    (Mr. Reed works for Malwarebytes and codes Malwarebytes Anti-Malware for Mac. Prior to this he developed Adware Medic and wrote extensively about security matters, and other Mac matters, at thesafemac((dot))com.)
     
  21. Goatllama macrumors 6502a

    Goatllama

    Joined:
    Jun 24, 2015
    Location:
    Mountaintop Lair
    #21
    Wish I could like this post 10 times and bump it right to the top. MacKeeper definitely makes for a great scapegoat. :D
     
