February 24, 2017

MacOS Malware Linked to Russian Hackers Steals Passwords, iPhone Backups

Security researchers have discovered a new variant of a Mac malware allegedly developed by APT28, the same cyber espionage group believed to be responsible for the hacks of the Democratic Party in the lead-up to the 2016 presidential election.

This particular strain of the X-Agent malware, which previously targeted and compromised Windows, iOS, Android and Linux devices, now targets Apple devices running macOS.

Security researchers at cybersecurity firm BitDefender, who discovered the malware, report that it is capable of stealing passwords and grabbing screenshots, as well as stealing iPhone backups stored on a Mac.

Describing the malware's spy modules, the researchers wrote:

The analysis reveals the presence of modules that can probe the system for hardware and software configurations, grab a list of running processes and run additional files, as well as get desktop screenshots and harvest browser passwords.

“But the most important module from an intelligence gathering perspective,” the researchers added, “is the one that allows the operator(s) to exfiltrate iPhone backups stored on a compromised Mac.”

The X-Agent spyware also acts as a backdoor with advanced cyber-espionage capabilities that can be tweaked and customized to the objective of an attack. X-Agent exploits a vulnerability in MacKeeper, a utility software toolkit often found on Mac computers, and is delivered through Komplex, a first-stage Trojan that APT28 has commonly used to infect machines.

Once installed, the backdoor checks for the presence of a debugger before activating. If a debugger is found, the malware terminates itself to evade analysis. If no debugger is present, the backdoor waits for an internet connection and then communicates with its command-and-control servers.
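The capability the researchers single out is the exfiltration of iPhone backups sitting on the Mac. The practical mitigation is to make sure those backups are encrypted (the "Encrypt local backup" option in iTunes/Finder) and not readable by other accounts, since an encrypted backup is of little use to whoever copies it. The following audit script is an added example written for this article, not code from the original page or from BitDefender. It assumes the standard backup location under `~/Library/Application Support/MobileSync/Backup/`, where each backup is a folder containing a `Manifest.plist` whose `IsEncrypted` key records whether the backup was created encrypted; it also builds a small constructed set of backup folders so it can be run without a real device.

```python
import os
import plistlib
import tempfile
from pathlib import Path

# Standard location of iTunes/Finder device backups on macOS (assumed default; override if moved).
DEFAULT_BACKUP_ROOT = Path.home() / "Library" / "Application Support" / "MobileSync" / "Backup"


def audit_backup_dir(backup_dir):
    """Inspect one backup folder and describe its encryption status and permissions.

    Returns a dict with:
      path              - the folder inspected
      has_manifest      - whether a parseable Manifest.plist was found
      encrypted         - True/False from the manifest's IsEncrypted key, None if unknown
      device            - DeviceName from the Lockdown dict, if present
      loose_permissions - True if group/other have any access bits on the folder
    """
    backup_dir = Path(backup_dir)
    result = {
        "path": str(backup_dir),
        "has_manifest": False,
        "encrypted": None,
        "device": None,
        "loose_permissions": bool(os.stat(backup_dir).st_mode & 0o077),
    }
    manifest = backup_dir / "Manifest.plist"
    if not manifest.is_file():
        return result
    try:
        with open(manifest, "rb") as fh:
            data = plistlib.load(fh)
    except plistlib.InvalidFileException:
        return result  # corrupt manifest: report as unknown rather than guess
    result["has_manifest"] = True
    result["encrypted"] = bool(data.get("IsEncrypted", False))
    lockdown = data.get("Lockdown") or {}
    result["device"] = lockdown.get("DeviceName")
    return result


def audit_backups(root=DEFAULT_BACKUP_ROOT):
    """Audit every backup folder under root; returns [] if the root does not exist."""
    root = Path(root)
    if not root.is_dir():
        return []
    return [audit_backup_dir(p) for p in sorted(root.iterdir()) if p.is_dir()]


def unencrypted_backups(root=DEFAULT_BACKUP_ROOT):
    """Backups whose manifest explicitly says they are not encrypted: the ones worth fixing first."""
    return [r for r in audit_backups(root) if r["has_manifest"] and r["encrypted"] is False]


def make_constructed_backups():
    """Create a throwaway backup root with constructed sample data (not real device backups).

    Three folders: one encrypted, one unencrypted, one with no manifest at all.
    """
    root = Path(tempfile.mkdtemp(prefix="mobilesync-demo-"))
    samples = {
        "00000000-aaaa": {"IsEncrypted": True, "Lockdown": {"DeviceName": "Constructed iPhone A"}},
        "00000000-bbbb": {"IsEncrypted": False, "Lockdown": {"DeviceName": "Constructed iPhone B"}},
    }
    for name, manifest in samples.items():
        folder = root / name
        os.mkdir(folder, 0o700)
        with open(folder / "Manifest.plist", "wb") as fh:
            plistlib.dump(manifest, fh)
    os.mkdir(root / "00000000-cccc", 0o700)  # stray folder without a manifest
    return root


if __name__ == "__main__":
    # Audit the constructed sample set, then the real default location if it exists.
    for target in (make_constructed_backups(), DEFAULT_BACKUP_ROOT):
        print(f"== {target}")
        for r in audit_backups(target):
            status = {True: "encrypted", False: "UNENCRYPTED", None: "unknown"}[r["encrypted"]]
            perms = " (loose permissions)" if r["loose_permissions"] else ""
            print(f"{r['path']}: {status}, device={r['device']}{perms}")
```

Running it with no arguments prints the constructed set first, then whatever is in the real backup location. Any line reporting UNENCRYPTED or loose permissions is a backup that, if copied off the machine by a backdoor like the one described here, would hand over the device's data in the clear.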

BitDefender has confirmed that their investigation is still ongoing.

APT28 is an infamous Russian hacker group allegedly backed by the Russian state. The group is also commonly known as Fancy Bear, Pawn Storm and Sofacy, among other names. It is one of two Russian cyberespionage groups that the US intelligence community accused of instigating the hacks of the U.S. Democratic National Committee’s personnel and email servers.

Image credit: Pexels.

About the author


LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high-profile events, often in concert with law enforcement agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. intelligence agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.
