Bitdefender notes a number of similarities between the malware attacks against Macs, which have been taking place since September 2016, and previous campaigns by APT28, the group believed to be closely linked to Russian military intelligence and also known as Fancy Bear.
Known as Xagent, the new malware targets victims running Mac OS X and installs a modular backdoor that gives the operators a persistent foothold for cyberespionage.
Researchers have linked Xagent to APT28 because the analysed samples are delivered by the same dropper and use command-and-control URLs that follow the same pattern as the group's earlier tooling.
Once installed on the Mac, the backdoor checks whether a debugger is attached and terminates itself if one is found, a common anti-analysis step that an analyst running the sample in a sandbox has to bypass before it will go any further. Otherwise the malware waits for an internet connection and then contacts a command-and-control server whose domain name is chosen to look like a legitimate Apple domain.
Once connected, the payload starts two communication threads: one posts collected data to the C&C server, the other polls it for commands.
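The C&C behaviour described above, a server whose name mimics an Apple domain, suggests a simple hunt over DNS and proxy logs: flag any host that contains an Apple brand term but does not sit under a zone Apple actually operates. The script below is an added example written for this page; it is not Bitdefender's code and none of its hostnames are Xagent indicators. The log format, the zone allowlist (deliberately partial) and every hostname in the sample log are constructed for illustration, using reserved test TLDs for the look-alikes.

```python
import re
from urllib.parse import urlsplit

# Zones that legitimately host Apple services. Constructed, partial allowlist for
# illustration; a real deployment would maintain this list from vetted sources.
APPLE_ZONES = ("apple.com", "icloud.com", "apple-dns.net", "mzstatic.com", "cdn-apple.com")

# Brand terms that make a host "look like" an Apple service to a casual observer.
BRAND_TOKENS = ("apple", "icloud", "itunes")


def in_zone(host, zone):
    """True if host is the zone apex or a subdomain of it (never a substring match)."""
    return host == zone or host.endswith("." + zone)


def is_legit_apple_host(host):
    return any(in_zone(host, z) for z in APPLE_ZONES)


def looks_like_apple(host):
    return any(tok in host for tok in BRAND_TOKENS)


def normalize_host(value):
    """Lowercase hostname from a URL or bare host; drops scheme, path, port and trailing dot."""
    v = value.strip().lower()
    if "://" in v:
        v = urlsplit(v).hostname or ""
    else:
        v = v.split("/")[0].split(":")[0]
    return v.rstrip(".")


def classify_host(value):
    """'legit' for real Apple zones, 'lookalike' for brand-bearing impostors, else 'unrelated'."""
    host = normalize_host(value)
    if not looks_like_apple(host):
        return "unrelated"
    if is_legit_apple_host(host):
        return "legit"
    return "lookalike"


# Constructed log format: timestamp, source host, record type (dns|http), target.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<kind>dns|http)\s+(?P<target>\S+)")


def find_lookalikes(lines):
    """Return unique (source host, look-alike hostname) pairs, in first-seen order."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if classify_host(m["target"]) == "lookalike":
            hits[(m["src"], normalize_host(m["target"]))] = None
    return list(hits)


# Constructed sample log lines, not real telemetry. Look-alike hosts use reserved TLDs.
SAMPLE_LOG = """\
2017-02-14T09:01:02Z mac-01 dns configuration.apple.com
2017-02-14T09:01:05Z mac-01 http https://gateway.icloud.com/ckdatabase
2017-02-14T09:02:10Z mac-07 dns apple-checker.test
2017-02-14T09:02:11Z mac-07 http http://apple-checker.test/update/
2017-02-14T09:03:44Z mac-03 dns icloud.com.
2017-02-14T09:04:00Z mac-09 http https://itunes-update.example:8443/api
2017-02-14T09:05:00Z mac-02 dns www.example.com
""".splitlines()

if __name__ == "__main__":
    for src, host in find_lookalikes(SAMPLE_LOG):
        print(f"{src} contacted look-alike host {host}")
```

The zone check deliberately matches on label boundaries, so "notapple.com" is not treated as Apple's. The brand check is the loose side: a host such as "pineapple.example" would be flagged too, which is acceptable for a hunt query whose output is reviewed by a human but would need tightening before use as an alert.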
Analysis of the malware reveals modules that probe the infected system's hardware and software configuration, enumerate running processes, capture desktop screenshots, and steal passwords.
Xagent can also steal iPhone backups stored on the compromised Mac. iTunes keeps these under ~/Library/Application Support/MobileSync/Backup/, and unless the user chose an encrypted backup they hold messages, contacts, photos and app data in the clear, so one theft hands the operators much of what the user keeps on the phone as well as on the Mac.
Analysis of the Mac OS binary also shows that it shares strings with the Komplex downloader previously used by APT28.
While the malware, and probably those behind it, have been identified, it is still unknown which specific organisations are being targeted in this campaign; investigation into Xagent is ongoing.