MacOS Malware Linked to Russian Hackers Steals Passwords, iPhone Backups


Security researchers have discovered a new variant of a Mac malware allegedly developed by APT28, the same cyber espionage group believed to be responsible for the hacks of the Democratic Party in the lead-up to the 2016 presidential elections.

This particular strain of the X-Agent malware, previously seen targeting and compromising Windows, iOS, Android and Linux devices, now targets Apple devices running macOS.

Security researchers at cybersecurity firm BitDefender, who discovered the malware, report that it is capable of stealing passwords and grabbing screenshots, as well as stealing iPhone backups stored on a Mac.

Describing it as a spy module, the researchers wrote:

The analysis reveals the presence of modules that can probe the system for hardware and software configurations, grab a list of running processes and run additional files, as well as get desktop screenshots and harvest browser passwords.

“But the most important module from an intelligence gathering perspective,” the researchers added, “is the one that allows the operator(s) to exfiltrate iPhone backups stored on a compromised Mac.”

The X-Agent spyware can also act as a backdoor with advanced cyber-espionage capabilities that can be tweaked and customized to the objective of an attack. X-Agent exploits a vulnerability in MacKeeper, a utility software toolkit often found on Mac computers, and is delivered through Komplex, a first-stage Trojan that APT28 has commonly used to infect machines.

When installed, the backdoor checks for a debugger before triggering itself. If a debugger is found, the malware terminates itself to evade discovery. If no debugger is present, the backdoor waits patiently for an internet connection and then communicates with its malicious command-and-control servers.

BitDefender has confirmed that its investigation is still ongoing.

APT28 is an infamous Russian hacker group allegedly backed by the Russian state. The group is also commonly known as Fancy Bear, Pawn Storm and Sofacy, among other names. It is one of two Russian cyberespionage groups that the US intelligence community has accused of instigating the hacks of the U.S. Democratic National Committee’s personnel and email servers.

Image credit: Pexels.