This Mac malware wants to steal passwords and iPhone backups

Malware which robs you of passwords and iPhone backup data is thought to be linked to the same cyberespionage group accused of interfering with the US elections last year.
Written by Danny Palmer, Senior Writer

Xagent can conduct cyberespionage against Apple Macs and iPhone backups.

Image: iStock

The group behind one of the largest cyberespionage campaigns has been targeting Mac users with malware designed to steal passwords, take screenshots, and steal backed-up iPhone data.

This malware, discovered by cybersecurity researchers at Bitdefender, is thought to be linked to the APT28 group, which was accused of interfering in the United States presidential election.

Bitdefender notes a number of similarities between the malware attacks against Macs -- which have been taking place since September 2016 -- and previous campaigns by the group, believed to be closely linked to Russian military intelligence and also dubbed Fancy Bear.

Known as Xagent, the new form of malware targets victims running Mac OS X and installs a modular backdoor onto the system which enables the perpetrators to carry out cyberespionage activities.

Researchers have linked Xagent to APT28 because samples analysed include the use of the same malware dropper and similar command-and-control URLs.

Once successfully installed on the Mac system, the backdoor will check for a debugger -- and will terminate itself if one is found. In all other instances, the malware waits for an internet connection before initiating communication with a command-and-control server which impersonates an Apple domain.

Once connected, the payload builds two threads of communication, with one sending information to the C&C while the other is used to get commands.
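The article says the command-and-control server impersonates an Apple domain. One cheap detection a defender can run over DNS logs is to flag any queried hostname that borrows an Apple brand token but does not sit under a domain Apple actually controls. The script below is an added example, not code from the article or from Bitdefender; the log line format, the sample lines, and the two-label "registrable domain" simplification are assumptions made for this example (production code should use a public-suffix list).

```python
"""Flag DNS queries for hostnames that imitate Apple domains.

Added example (not from the article or from Bitdefender). The log format and
the sample lines below are constructed for this example.
"""
import re
from typing import List, Tuple

# Registrable domains Apple actually controls (assumption for this example; extend as needed).
APPLE_DOMAINS = {"apple.com", "icloud.com", "apple-dns.net", "mzstatic.com"}
# Brand tokens whose presence in any other registrable domain is suspicious.
BRAND_TOKENS = ("apple", "icloud", "itunes")

# Constructed log lines: "<timestamp> <client-ip> query <qname>"
SAMPLE_LOG = """\
2016-09-14T10:01:02Z 10.0.0.5 query updates.apple.com
2016-09-14T10:01:05Z 10.0.0.5 query apple-checker.org
2016-09-14T10:01:09Z 10.0.0.7 query icloud.com
2016-09-14T10:01:11Z 10.0.0.7 query www.icloud-sync.net
2016-09-14T10:01:20Z 10.0.0.9 query example.org
"""

LINE_RE = re.compile(r"^(\S+) (\S+) query (\S+)$")


def registrable_domain(hostname: str) -> str:
    """Return the last two labels (a simplification; real code should use a public-suffix list)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_apple_lookalike(hostname: str) -> bool:
    """True if the name borrows an Apple brand token but is not under a real Apple domain."""
    if registrable_domain(hostname) in APPLE_DOMAINS:
        return False
    return any(tok in hostname.lower() for tok in BRAND_TOKENS)


def flag_lookalikes(log_text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, hostname) for every query whose name is an Apple lookalike."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than aborting the scan
        _ts, client, qname = m.groups()
        if is_apple_lookalike(qname):
            hits.append((client, qname))
    return hits


if __name__ == "__main__":
    for client, name in flag_lookalikes(SAMPLE_LOG):
        print(f"{client} queried Apple lookalike {name}")
```

Run against real resolver logs, the hits list is a starting point for triage, not proof of infection: legitimate third-party services also use Apple-related words, so the allow-list of genuine Apple domains needs maintaining.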

Analysis of the malware reveals the presence of modules which will probe the infected system for hardware and software configurations, collect information on running processes, harvest desktop screenshots, and steal passwords.

Xagent is also capable of stealing iPhone backups stored on a compromised Mac, an action which opens up even more capabilities for conducting cyberespionage, providing the perpetrators with access to additional files and potentially confidential or sensitive data the user may store on their device.
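Because the malware copies whatever iPhone backup sits on the Mac, the practical mitigation is to make sure those backups are encrypted at rest, so a copied backup is useless without the backup password. The script below is an added example (not from the article or from Bitdefender) that audits the backups on a Mac for that setting. It assumes the standard iTunes layout, in which each backup lives under ~/Library/Application Support/MobileSync/Backup/<device id>/ with a Manifest.plist whose IsEncrypted key records whether the backup was encrypted; the sample backup tree it builds for an offline run is constructed.

```python
"""Audit iPhone backups stored on a Mac and report which are unencrypted.

Added example (not from the article or from Bitdefender). Assumes the standard
iTunes layout: one directory per device under MobileSync/Backup, each holding a
Manifest.plist with an IsEncrypted boolean.
"""
import os
import plistlib
import tempfile
from typing import Dict, List, Optional

DEFAULT_BACKUP_ROOT = os.path.expanduser("~/Library/Application Support/MobileSync/Backup")


def backup_is_encrypted(backup_dir: str) -> Optional[bool]:
    """Read IsEncrypted from Manifest.plist; None if the manifest is missing or unreadable."""
    manifest = os.path.join(backup_dir, "Manifest.plist")
    try:
        with open(manifest, "rb") as fh:
            data = plistlib.load(fh)
    except (OSError, plistlib.InvalidFileException):
        return None
    return bool(data.get("IsEncrypted", False))


def audit_backups(root: str = DEFAULT_BACKUP_ROOT) -> Dict[str, Optional[bool]]:
    """Map each backup directory name under root to its encryption status."""
    results: Dict[str, Optional[bool]] = {}
    if not os.path.isdir(root):
        return results  # no backups on this Mac (or a wrong path)
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if os.path.isdir(path):
            results[name] = backup_is_encrypted(path)
    return results


def unencrypted_backups(root: str = DEFAULT_BACKUP_ROOT) -> List[str]:
    """Backups readable by anything that can copy the directory, i.e. the ones worth fixing."""
    return [name for name, enc in audit_backups(root).items() if enc is False]


def make_sample_backup_root() -> str:
    """Build a constructed backup tree in a temp dir: one encrypted, one not, one without a manifest."""
    root = tempfile.mkdtemp(prefix="mobilesync-sample-")
    for device_id, encrypted in (("SAMPLE-DEVICE-A", True), ("SAMPLE-DEVICE-B", False)):
        d = os.path.join(root, device_id)
        os.makedirs(d)
        with open(os.path.join(d, "Manifest.plist"), "wb") as fh:
            plistlib.dump({"IsEncrypted": encrypted, "Version": "10.0"}, fh)
    os.makedirs(os.path.join(root, "SAMPLE-DEVICE-C"))  # no Manifest.plist: status unknown
    return root


if __name__ == "__main__":
    root = make_sample_backup_root()  # swap for DEFAULT_BACKUP_ROOT on a real Mac
    labels = {True: "encrypted", False: "NOT encrypted", None: "unknown"}
    for device_id, enc in audit_backups(root).items():
        print(f"{device_id}: {labels[enc]}")
```

On a real machine call audit_backups() with no argument; any entry reported as NOT encrypted should be re-created with the "Encrypt local backup" option turned on in iTunes, which also gets the old plaintext copy off the disk.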

Forensic evidence suggests that the Mac OS binary behind Xagent shares identical strings with the Komplex downloader, previously used by the APT28 group.

While the malware, and potentially those behind it, have been identified, it is still unknown which specific organisations are being targeted with this latest form of cyberespionage; the investigation into Xagent is ongoing.

In addition to being suspected of attempted interference with the US election, APT28 has also stolen medical files belonging to Olympic athletes after hacking the World Anti-Doping Agency.
