APT28 is the name of a Russian hacking group responsible for numerous attacks and threats that have infected Windows, iOS, Android and Linux devices. The latest APT28 creation is a complex piece of malware able to compromise macOS devices. The malware itself is already known: it is called Xagent, and the Mac version is a modular backdoor that can be customized to meet the attackers' goals.
The threat was identified by Bitdefender, whose researchers found that Xagent can steal passwords, take screenshots and locate iOS backups that may be present on the macOS device.
Bitdefender researchers explain:
Once successfully installed, the backdoor checks if a debugger is attached to the process. If it detects one, it terminates itself to prevent execution. Otherwise, it waits for an Internet connection before initiating communication with the C&C (command and conquer) servers. After the connection has been established, the payload starts the modules. Our preliminary analysis shows most of the C&C URLs impersonate Apple domains. Once connected to the C&C, the payload sends a HelloMessage, then spawns two communication threads running in infinite loops. The former uses POST requests to send information to the C&C, while the latter monitors GET requests for commands.
To put it simply, the Xagent payload first checks whether a debugger is attached and shuts itself down if one is found. Otherwise, it waits for a network connection and then contacts the C&C servers the attackers use to control infected Macs: one thread uploads the collected information, while another polls for commands to execute.
The analysis reveals the presence of modules that can probe the system for hardware and software configurations, grab a list of running processes and run additional files, as well as get desktop screenshots and harvest browser passwords. The most important module, from an intelligence-gathering perspective, is the one that allows the operator(s) to exfiltrate iPhone backups stored on a compromised Mac.
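The two traffic patterns described above (C&C hosts that impersonate Apple domains, and a dedicated thread that polls the server with GET requests while another uploads data with POST) are exactly the kind of behaviour a defender can look for in web proxy logs. The following Python script is an added example, not code from the article or from Bitdefender: it parses a handful of constructed proxy log lines, flags hosts that mention "apple" but are not under a small allow-list of genuine Apple domains (the allow-list and the hostnames are assumptions, not indicators from the report), and reports regular GET polling from one client to one host, which is what a command-polling loop looks like from the network side.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log lines: timestamp, client IP, method, URL.
# The hostnames are made up for this example and are NOT real indicators.
SAMPLE_LOG = """\
2017-02-14T10:00:00 10.1.2.3 GET http://appleupdate-check.example.net/stat
2017-02-14T10:01:00 10.1.2.3 GET http://appleupdate-check.example.net/stat
2017-02-14T10:02:00 10.1.2.3 GET http://appleupdate-check.example.net/stat
2017-02-14T10:02:30 10.1.2.3 POST http://appleupdate-check.example.net/upload
2017-02-14T10:03:00 10.1.2.3 GET http://appleupdate-check.example.net/stat
2017-02-14T10:05:12 10.1.2.9 GET https://www.apple.com/mac/
2017-02-14T10:07:40 10.1.2.9 GET https://support.apple.com/kb/
2017-02-14T10:09:01 10.1.2.4 GET https://www.example.org/news
"""

# Assumption: a short allow-list of domains Apple really uses. In production this
# would come from a maintained list, not a hard-coded tuple.
LEGIT_APPLE_SUFFIXES = ("apple.com", "icloud.com", "mzstatic.com")

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url = m.groups()
    host = re.sub(r"^https?://", "", url).split("/")[0].split(":")[0].lower()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "method": method, "host": host, "url": url}


def is_apple_lookalike(host):
    """True if the host mentions 'apple' but is not under a known Apple domain."""
    if any(host == s or host.endswith("." + s) for s in LEGIT_APPLE_SUFFIXES):
        return False
    return "apple" in host


def find_beacons(events, min_gets=3, max_jitter=timedelta(seconds=30)):
    """Per (client, host), flag GET polling at a near-constant interval.

    Returns {(client, host): number_of_gets} for every pair whose GET
    timestamps are evenly spaced within max_jitter.
    """
    groups = defaultdict(list)
    for e in events:
        if e["method"] == "GET":
            groups[(e["client"], e["host"])].append(e["ts"])
    hits = {}
    for key, times in groups.items():
        times.sort()
        if len(times) < min_gets:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= max_jitter:
            hits[key] = len(times)
    return hits


def analyze(log_text):
    """Run both checks over a block of log text and return the findings."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    lookalike_hosts = sorted({e["host"] for e in events
                              if is_apple_lookalike(e["host"])})
    beacons = find_beacons(events)
    # Uploads to a lookalike host are the exfiltration side of the protocol.
    posts_to_lookalike = [e["url"] for e in events
                          if e["method"] == "POST" and is_apple_lookalike(e["host"])]
    return {"lookalike_hosts": lookalike_hosts, "beacons": beacons,
            "posts_to_lookalike": posts_to_lookalike}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample input the script reports one lookalike host, one client beaconing to it with four evenly spaced GETs, and one POST upload to the same host; the two genuine Apple requests from the other client are left alone. A real deployment would tune the jitter window and minimum request count to the proxy's retention period.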
We are dealing with an out-of-the-ordinary piece of malware.
How to prevent being infected by Xagent?
At the moment there is no specific guidance on how to prevent infection, but don't panic: this type of malware is designed for targeted attacks, so the average user should not fear anything. Our advice is still the same: keep your antivirus and anti-malware up to date, even on a Mac, and keep an eye on every website you visit and every file you download.