Recently, malware researchers discovered a nasty piece of malware named Xagent targeting computers running Mac OS X. Mac computers are officially no longer safe from Xagent, a backdoor linked to the Russian hacking group APT 28. Last week, security firms reported the discovery of a Mac variant of Xagent, whose main functionality appears to include taking screenshots, keylogging, stealing passwords, and even exfiltrating iPhone backups stored on the infected machine. Security investigators have determined that the malware is likely propagated via the Komplex Trojan downloader, which is also linked to APT 28, the group responsible for hacking the DNC (Democratic National Committee) and also known as Tsar Team, Fancy Bear, Strontium, Pawn Storm, Sednit and Sofacy.
Other commands supported by the Mac variant of Xagent include stealing Mozilla Firefox passwords, probing hardware and software configurations, enumerating running processes, and downloading, installing, executing and deleting files. However, the experts placed particular emphasis on the malware’s ability to determine whether an iOS device has been backed up onto the compromised machine by examining the default iTunes backup directory. In their blog post, the security firm noted that this functionality was significant “from an intelligence-gathering perspective”, because the attackers can then use other commands to steal those backups.
As one analyst said, “By default, iTunes doesn’t encode backup files, so the racketeers could use Xagent Mac Malware to steal files from backups if the user backs up their iOS devices onto the compromised machine and doesn’t choose the encoded backup setting”. The researchers also said that this specific command appears to be unique to the Mac variant, although it is possible that such functionality has gone undetected in other versions due to visibility issues. The analysts did note that prior versions of Xagent have had the ability to interact with the file system, which would allow an attacker to list the contents of any folder of interest, including those storing iOS device backups.
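The risk described above is an unencrypted iTunes backup sitting on a compromised Mac. The following audit script is an added example, not code from the article or from any vendor: it walks the default backup location (assumed to be ~/Library/Application Support/MobileSync/Backup/<udid>/) and reads the IsEncrypted flag that iTunes writes into each backup’s Manifest.plist, so a defender can confirm that every backup on a machine has the encrypted setting turned on.

```python
"""Audit iTunes device backups on a Mac for the unencrypted state that
Xagent looks for. Added defensive example, not the article's or any
vendor's code. Assumes the default backup root
~/Library/Application Support/MobileSync/Backup/<udid>/Manifest.plist
and the IsEncrypted boolean key iTunes stores in that manifest."""
import plistlib
import tempfile
from pathlib import Path


def default_backup_root():
    """Default per-user backup location used by iTunes / Finder."""
    return Path.home() / "Library" / "Application Support" / "MobileSync" / "Backup"


def audit_backups(root=None):
    """Return {backup_folder: status}, where status is 'encrypted',
    'UNENCRYPTED' (readable by anything running as the user) or
    'unreadable' (missing or malformed Manifest.plist)."""
    root = Path(root) if root is not None else default_backup_root()
    results = {}
    if not root.is_dir():
        return results
    for entry in sorted(root.iterdir()):
        if not entry.is_dir():
            continue
        try:
            with open(entry / "Manifest.plist", "rb") as fh:
                manifest = plistlib.load(fh)
        except (OSError, plistlib.InvalidFileException):
            results[entry.name] = "unreadable"
            continue
        results[entry.name] = "encrypted" if manifest.get("IsEncrypted") else "UNENCRYPTED"
    return results


def make_sample_root():
    """Constructed sample data: one encrypted backup, one plain backup,
    and one folder with no manifest, written to a temporary directory."""
    root = Path(tempfile.mkdtemp())
    for name, flag in (("udid-encrypted", True), ("udid-plain", False)):
        (root / name).mkdir()
        with open(root / name / "Manifest.plist", "wb") as fh:
            plistlib.dump({"IsEncrypted": flag, "Version": "10.0"}, fh)
    (root / "udid-broken").mkdir()  # no Manifest.plist at all
    return root


if __name__ == "__main__":
    for name, status in audit_backups(make_sample_root()).items():
        print(f"sample {name}: {status}")
    for name, status in audit_backups().items():  # real backups on this Mac
        print(f"{name}: {status}")
```

Any entry reported as UNENCRYPTED should be re-created with the encrypted backup option enabled, which is the setting the analysts refer to.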
According to the experts, the Mac backdoor checks for debuggers right after installation and terminates itself upon detecting one. Assuming it survives this check, Xagent uses HTTP POST requests to deliver encoded data to its C&C server and GET requests to receive commands back. Most of the Command & Control URLs impersonate Apple-related sites. Reportedly, the Mac version of Xagent shares Command & Control infrastructure with both its Windows counterpart and the Komplex downloader, and also contains binary strings similar to those found in Komplex. The researchers reported that, “while they lack attack telemetry, they were able to find a loose connection to the campaign that Sofacy waged on the DNC (Democratic National Committee) based on the hosting data in both attacks.”