Russian Hackers Begin Targeting Apple Macs

The Russian hacking group responsible for hacks of the Democratic party during the 2016 US Presidential election has launched a new sophisticated malware package made to exploit Apple Macs. The malware – created by hacker collective APT28, which has close ties to the Russian government – is a version of Xagent, a backdoor capable of logging passwords, capturing screen images, and steal iOS backups, according to Bitdefender.

“Our past analysis of samples known to be linked to APT28 group shows a number of similarities between the Sofacy/APT28/Sednit Xagent component for Windows/Linux and the Mac OS binary that currently forms the object of our investigation,” Bitdefender researchers wrote in a report. “For once, there is the presence of similar modules, such as FileSystem, KeyLogger, and RemoteShell, as well as a similar network module called HttpChanel.”

Bitdefender’s analysis of Xagent includes the following findings:

“Once successfully installed, the backdoor checks if a debugger is attached to the process. If it detects one, it terminates itself to prevent execution. Otherwise, it waits for an Internet connection before initiating communication with the C&C servers. After the communication has been established, the payload starts the modules.

Our preliminary analysis shows most of the C&C URLs impersonate Apple domains.

Once connected to the C&C, the payload sends a HelloMessage, then spawns two communication threads running in infinite loops. The former uses POST requests to send information to the C&C, while the latter monitors GET requests for commands.”

Bitdefender’s researchers are continuing its investigation into the Mac variant of Xagent and will report more details as they find them.