Sophisticated 'Xagent' Malware for Stealing Passwords and iPhone Backups Now Targets Mac Users

MacRumors

macrumors bot
Original poster
Apr 12, 2001
49,007
10,363



A new version of Xagent, malware reportedly created by Russian hacking group APT28, has been discovered, and this version targets Mac users.

As outlined in a blog post by antivirus company Bitdefender (via Ars Technica), Xagent has previously been used to infiltrate Windows, iOS, Android, and Linux devices, but now Macs are vulnerable to attack as well. This is the first version of Xagent that's believed to be able to infiltrate Macs.


The Mac version of Xagent is described as a backdoor that can be customized to do things like log passwords, detect system configurations, execute files, take screenshots of the display, and access iOS backups stored on the Mac.
The sample we are discussing today has been linked to the Mac OSX version of Xagent component from Sofacy/APT28/Sednit APT. This modular backdoor with advanced cyber-espionage capabilities is most likely planted on the system via the Komplex downloader.

Once successfully installed, the backdoor checks if a debugger is attached to the process. If it detects one, it terminates itself to prevent execution. Otherwise, it waits for an Internet connection before initiating communication with the C&C servers.

After the communication has been established, the payload starts the modules. Our preliminary analysis shows most of the C&C URLs impersonate Apple domains.

APT28 is the cyberespionage group that has been accused of hacking into the U.S. Democratic National Committee last year and interfering with the 2016 presidential election.

Bitdefender isn't entirely sure how the Mac version of Xagent is being distributed to users, but it could be spread via a macOS malware downloader called Komplex, which exploits a vulnerability in the virus-like MacKeeper software. Research on the malware is ongoing.

Mac users concerned about Xagent should avoid downloading anything that doesn't come from the Mac App Store or a well-known developer.

Note: Due to the political nature of the discussion regarding this topic, the discussion thread is located in our Politics, Religion, Social Issues forum. All forum members and site visitors are welcome to read and follow the thread, but posting is limited to forum members with at least 100 posts.

Article Link: Sophisticated 'Xagent' Malware for Stealing Passwords and iPhone Backups Now Targets Mac Users
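A defender-side check suggested by the note above that most of the C&C URLs impersonate Apple domains, added here as an example (it is not Bitdefender's or MacRumors' code): scan proxy log lines and flag hosts that borrow an Apple brand name without sitting under a domain Apple owns. The log format, the short allowlist, and every host in the sample log are constructed assumptions, not real Xagent indicators.

```python
"""Flag hosts in proxy log lines that impersonate Apple domains (heuristic)."""
import re
from urllib.parse import urlsplit

# Registrable domains Apple actually owns (assumption: a short allowlist suffices here).
APPLE_DOMAINS = {"apple.com", "icloud.com", "itunes.com", "mac.com", "me.com", "apple-dns.net"}
# Brand tokens an impersonating host is likely to borrow.
BRAND_TOKENS = ("apple", "icloud", "itunes")

# Assumed log layout: "<timestamp> <client-ip> <method> <url>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+)")


def registrable_domain(host: str) -> str:
    """Last two labels of the host (enough for .com/.net style TLDs; assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_apple_lookalike(host: str) -> bool:
    """True when the host uses an Apple brand token but is not under an Apple-owned domain.

    Catches both 'apple-checker.example' and the subdomain trick
    'appleid.apple.com.example.net', whose registrable domain is example.net.
    """
    host = host.lower()
    if registrable_domain(host) in APPLE_DOMAINS:
        return False
    return any(tok in host for tok in BRAND_TOKENS)


def suspicious_hosts(lines):
    """Return [(client_ip, host)] for each log line whose URL host looks Apple-like but is not."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        host = urlsplit(m.group("url")).hostname or ""
        if is_apple_lookalike(host):
            hits.append((m.group("src"), host))
    return hits


# Constructed sample log; .example / example.net are reserved names, not real indicators.
SAMPLE_LOG = [
    "2017-02-14T10:01:02Z 10.0.0.5 GET https://www.apple.com/macos/",
    "2017-02-14T10:01:09Z 10.0.0.5 POST https://apple-checker.example/api/check",
    "2017-02-14T10:02:11Z 10.0.0.7 GET https://appleid.apple.com.example.net/login",
    "2017-02-14T10:03:40Z 10.0.0.9 GET https://icloud.com/",
    "2017-02-14T10:04:01Z 10.0.0.9 GET https://itunes-dl.example/update",
]

if __name__ == "__main__":
    for src, host in suspicious_hosts(SAMPLE_LOG):
        print(f"{src} contacted Apple-lookalike host {host}")
```

Homoglyph and punycode hosts (for example "app1e") are outside this heuristic; it is a triage filter, not proof of compromise.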
 

JosephAW

macrumors 68040
May 14, 2012
3,047
3,510
This week I saw some strange spam from my iCloud account. Might have been a phishing attempt.
 

rshrugged

macrumors 6502a
Oct 11, 2015
921
646
So what is the actual news here?
It's an early report on a breaking story. I'm sure more specifics will be forthcoming when available. If MR hadn't done the story, many would not know about it. Keeping members/visitors informed is part of MR's mission.
 

ikramerica

macrumors 6502
Apr 10, 2009
409
395
How does being from a trusted developer help? All it takes is one infected person inside the company to let it in, then in theory it can infect a "trusted" app.
 

hayesk

macrumors 65816
May 20, 2003
1,430
55
How does being from a trusted developer help? All it takes is one infected person inside the company to let it in, then in theory it can infect a "trusted" app.
How so? What's the method in which it spreads? And trusted apps are signed. Any modification is detected by Gatekeeper.
 

John.B

macrumors 601
Jan 15, 2008
4,138
647
Holocene Epoch
How so? What's the method in which it spreads?
It doesn't "spread", it's not a virus, it's malware:

Russian cyberspies blamed for U.S. election hacks are now targeting Macs

It’s not entirely clear how the malware is being distributed because the Bitdefender researchers only obtained the malware sample, not the full attack chain. However, it’s possible a macOS malware downloader dubbed Komplex, found in September, might be involved.

Komplex infected Macs by exploiting a known vulnerability in the MacKeeper antivirus software, according to researchers from Palo Alto Networks who investigated the malware at the time. The vulnerability allowed attackers to execute remote commands on a Mac when users visited specially crafted webpages.
The user installs software with a vulnerability (in this case, Mackeeper), then visits a website specifically designed to exploit that vulnerability, which downloads a Trojan, at which point the command and control network takes over.

The irony is that the user installing so-called "security software" such as Mackeeper actually installs the vulnerability that allows their computer to be hacked in the first place.
 

H2SO4

macrumors 601
Nov 4, 2008
4,602
4,876
The attack vector is based on a vulnerability in Mackeeper.

Keep that off your Mac and you'll be fine.
That's not what it says, is it (whilst you may be right)?
...not entirely sure how the Mac version of Xagent is being distributed to users, but it could be spread via a macOS malware downloader called Komplex, which exploits a vulnerability in the virus-like MacKeeper software
 

rshrugged

macrumors 6502a
Oct 11, 2015
921
646
More information on this issue from @thomasareed. He's unable to post here because he has less than 100 posts.

He wanted to let us "know that this new "XAgent" variant of Komplex has absolutely no relation to a MacKeeper exploit. The writer has conflated this variant with one specific older variant from 2015. As much as I'd like to be able to blame MacKeeper, that vulnerability was closed in 2015, and there's no indication whatsoever that MacKeeper is in any way involved with the "XAgent" variant."

(Mr. Reed works for Malwarebytes and codes Malwarebytes Anti-Malware for Mac. Prior to this he developed Adware Medic and wrote extensively about security matters, and other Mac matters, at thesafemac((dot))com.)
 

Goatllama

macrumors 6502a
Jun 24, 2015
617
631
Mountaintop Lair
More information on this issue from @thomasareed. He's unable to post here because he has less than 100 posts.

He wanted to let us "know that this new "XAgent" variant of Komplex has absolutely no relation to a MacKeeper exploit. The writer has conflated this variant with one specific older variant from 2015. As much as I'd like to be able to blame MacKeeper, that vulnerability was closed in 2015, and there's no indication whatsoever that MacKeeper is in any way involved with the "XAgent" variant."

(Mr. Reed works for Malwarebytes and codes Malwarebytes Anti-Malware for Mac. Prior to this he developed Adware Medic and wrote extensively about security matters, and other Mac matters, at thesafemac((dot))com.)
Wish I could like this post 10 times and bump it right to the top. MacKeeper definitely makes for a great scapegoat. :D
 